Resubmissions

05-02-2024 05:32

240205-f8c2qadfhk 10

04-02-2024 03:50

240204-edz3bsbcam 10

General

  • Target

    9298d3856adedc2446c2990e40d059cf3d8cfddf661b345602635b1c4a147567

  • Size

    2.2MB

  • Sample

    240205-f8c2qadfhk

  • MD5

    bc1b98218bb2b8f9afa4af3094956492

  • SHA1

    658477cd931352f7ab671ae53624b0dae44aa0e0

  • SHA256

    9298d3856adedc2446c2990e40d059cf3d8cfddf661b345602635b1c4a147567

  • SHA512

    c548d5ce42ea2ebb3c1f2788485cea2c992aeeba0d836c8afe89419a44704ef0063ee5649c1d6e9737b5609aa89e97b9510907b101f05a00fab7f7ba0ba5fb15

  • SSDEEP

    49152:B5weH+NQxaCO0wCd3rQRdCm8KVb7r9+UuO4LQw3M8g/5IxUpn0dN:ResaCO4d4om8KVL9+Ut4v8T5IxUp0H

Malware Config

Extracted

  • Family

    risepro

  • C2

    194.49.94.152

Extracted

  • Family

    redline

  • Botnet

    horda

  • C2

    194.49.94.152:19053

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://194.49.94.210/fks/index.php

  • rc4.i32

Targets

    • Target

      9298d3856adedc2446c2990e40d059cf3d8cfddf661b345602635b1c4a147567

    • Size

      2.2MB

    • MD5

      bc1b98218bb2b8f9afa4af3094956492

    • SHA1

      658477cd931352f7ab671ae53624b0dae44aa0e0

    • SHA256

      9298d3856adedc2446c2990e40d059cf3d8cfddf661b345602635b1c4a147567

    • SHA512

      c548d5ce42ea2ebb3c1f2788485cea2c992aeeba0d836c8afe89419a44704ef0063ee5649c1d6e9737b5609aa89e97b9510907b101f05a00fab7f7ba0ba5fb15

    • SSDEEP

      49152:B5weH+NQxaCO0wCd3rQRdCm8KVb7r9+UuO4LQw3M8g/5IxUpn0dN:ResaCO4d4om8KVL9+Ut4v8T5IxUp0H

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks