General

  • Target

    83f87484754b4f4301e2b9cf06e5400d232e14129f86384ad192e42eb4b0d2af

  • Size

    2.6MB

  • Sample

    240131-knlwcagee6

  • MD5

    3c826d96e2a023ce6c252a2dc11decc4

  • SHA1

    e5c79ebce8684e9140bf35a86097d618c529d9ae

  • SHA256

    83f87484754b4f4301e2b9cf06e5400d232e14129f86384ad192e42eb4b0d2af

  • SHA512

    7fc1753a36db227533e726307af2535ca2ebc30b9224fb5664508a99e44b409d9a6027774a5dcd7ac85fddf7a7cb71d436bf0512a1d0630a474567682aa2d557

  • SSDEEP

    49152:NN/3WNiIXRciOEOuPLneQOjTwzop33Face4nMdOLFFqEwuahA1CnRta6PcYqRN8I:r/NIXRvOEOuPLneBTwkaZjdMFMJ7aDYi

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://185.215.113.68/fks/index.php

  • rc4.i32

  • rc4.i32

Targets

    • Target

      83f87484754b4f4301e2b9cf06e5400d232e14129f86384ad192e42eb4b0d2af

    • Size

      2.6MB

    • MD5

      3c826d96e2a023ce6c252a2dc11decc4

    • SHA1

      e5c79ebce8684e9140bf35a86097d618c529d9ae

    • SHA256

      83f87484754b4f4301e2b9cf06e5400d232e14129f86384ad192e42eb4b0d2af

    • SHA512

      7fc1753a36db227533e726307af2535ca2ebc30b9224fb5664508a99e44b409d9a6027774a5dcd7ac85fddf7a7cb71d436bf0512a1d0630a474567682aa2d557

    • SSDEEP

      49152:NN/3WNiIXRciOEOuPLneQOjTwzop33Face4nMdOLFFqEwuahA1CnRta6PcYqRN8I:r/NIXRvOEOuPLneBTwkaZjdMFMJ7aDYi

    • Detect Lumma Stealer payload V4

    • Detected google phishing page

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks