Resubmissions

26-01-2024 14:28

240126-rs4ehsffg2 10

31-12-2023 13:20

231231-qlft7sabhn 10

General

  • Target

    ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9.exe

  • Size

    2.5MB

  • Sample

    240126-rs4ehsffg2

  • MD5

    ddc7c729f452701a0277384511d76d0b

  • SHA1

    6f59a368a1938a9bd276e6335995f02e440f69af

  • SHA256

    ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9

  • SHA512

    e3888e573b7d3109a3f3a69e966e4c03688fa2119f2bb0177ffe51d7d91fa7571c73f00ad7d2441d414b10c32d6de8578ab87586d780595a1f2a92d165698e59

  • SSDEEP

    49152:/4MWBFF6yZ2i8f+j62RfXlrEgCz9uO1WGKKKoNYy8L5F5tPminltUyTpfnT+:WL6yH96WVrEgCzkOmZcQ3XnsyThy

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://185.215.113.68/fks/index.php

  • rc4.i32

  • rc4.i32

Targets

    • Target

      ab59e6fbbb2bf296da4b96f6ff46c39a71a7829e3c1e9400ab7d3e6ffe7834e9.exe


    • Detect Lumma Stealer payload V4

    • Detected google phishing page

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15