General

  • Target

    file_release_v3.rar

  • Size

    18.1MB

  • Sample

    240214-y86yxaba8v

  • MD5

    75a69b670035a31d71932807e9ef0414

  • SHA1

    415a1f92b30a8b66a7e7a873be0c4fc30e4810bb

  • SHA256

    2cdda26cc29f1ab91873bf2de8af2627aa7fa73002cb490f2f1ab73ff824ebf8

  • SHA512

    758465ebdc88605380bade69eaeea9371518201eeb60e8c6f2eb56b28032ee143b42b37058c6ab533295dceee83c761389c5e951f8164172f0438ec3f6d2d084

  • SSDEEP

    196608:RJIHDUJpH26uvpcO/gFnVpVd9yql3BF8LHhi071vnZyhklq8vagCGMFk31XOqUc+:LgwJpHzuvp7gpVPd32T+klAg0Od3hS

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

stealc

C2

http://185.172.128.24

Attributes
  • url_path

    /f993692117a3fda2.php

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32
rc4.i32

Extracted

Family

risepro

C2

193.233.132.49:50500

193.233.132.67:50500

Targets

    • Target

      ICQLiteShell.dll

    • Size

      56KB

    • MD5

      05e61539b8917fca37c03756bbdd043d

    • SHA1

      5a72e0e528260de0ea5b34badb9e5f9873cb4245

    • SHA256

      515c8e0b93f0fef15da3e2573ad92b7e7840374140e65e5d73df63d8e22cb3e8

    • SHA512

      565d57783e6044d6e7e2026c79dbd897e637c5e1d96e7930dc704ef2b6d801669b38f0c26382f00e67e26668439274941e937a0ade54666de50b5d84f6da7e97

    • SSDEEP

      768:YEGJ9blT7XZBSbHwJU+tGR0KZUyGKZ0ZgwmF1+3UVambg:YEGJ9bln5o0KZjGKZ0Z1mF1+3UVayg

    Score
    1/10
    • Target

      ICQRT.dll

    • Size

      32KB

    • MD5

      1aedcb8994d6ad63ef9dcb87016e028f

    • SHA1

      f5b891aa15c6353b681bdb7e2d96c6ac8a5f02d7

    • SHA256

      53e1f40144bab532f9700ff25ec3d5c6a39784a98e17fada583b4ee6d9dd5dbc

    • SHA512

      89c0f408797c4d78afc52335a9e162345c614e1e419f55487cb358c14f7a69ec82138a7e6250be3133233386ba3659d241e80ab63c9b972b6c8b26b0424cb0c8

    • SSDEEP

      384:+qtTeds1tkMAp4TxCW9su5UcSu93ggoXUQQIPGEANHl:FTedukelF95RjQUUPpANHl

    Score
    3/10
    • Target

      Language/WinRar.exe

    • Size

      3.2MB

    • MD5

      b66dec691784f00061bc43e62030c343

    • SHA1

      779d947d41efafc2995878e56e213411de8fb4cf

    • SHA256

      26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370

    • SHA512

      6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3

    • SSDEEP

      98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8

    Score
    1/10
    • Target

      LiteRes.dll

    • Size

      735KB

    • MD5

      88962410244bc5c03482b82a7e3cb5e1

    • SHA1

      4622be2d3deda305bf0a16c0e01bc2ecf9d56fad

    • SHA256

      afa884228afc5c05f4b47e90b6de42854d5a8886ec5ed15a253faeccd5309036

    • SHA512

      c6e7667f91c1439e33ad4d9e2052b7c9fcc3ca2c7688d9e2bc0550b71a5762b76aa76427331df0217429d9bd984925997c7a8d009f25e44e2776c5ce7cc9d98c

    • SSDEEP

      6144:x9Ej/jb82/HRoXO1q2pt+Mc1/PDPicsUzM+gYESoE/wOuET8F62bH5vnGfcJvl+b:fqptG/PDPo0no2Iq8F6CHBTWqU

    Score
    1/10
    • Target

      LiteSkinUtils.dll

    • Size

      48KB

    • MD5

      059d94e8944eca4056e92d60f7044f14

    • SHA1

      46a491abbbb434b6a1a2a1b1a793d24acd1d6c4b

    • SHA256

      9fa7cacb5730faacc2b17d735c45ee1370130d863c3366d08ec013afe648bfa6

    • SHA512

      0f45fe8d5e80a8fabf9a1fd2a3f69b2c4ebb19f5ffdcfec6d17670f5577d5855378023a91988e0855c4bd85c9b2cc80375c3a0acb1d7a701aff32e9e78347902

    • SSDEEP

      768:FPGeoWyuTx6vrP/zAdWQS6Z9CSKh64crVKTl9inMUAK:tGeJxIHepSKzjVK9iMUAK

    Score
    3/10
    • Target

      Resource/Locals/x64/AdonisUI.ClassicTheme.dll

    • Size

      287KB

    • MD5

      8a1b183bca062f48402c74f2daba7b92

    • SHA1

      d9417bf78b3b37d668c08e67f3c0f21dbc6dc11e

    • SHA256

      8103f2cce6a864ceefe6c5b0c05087ac85ab04a2abf150e93bc9db90c54d9d20

    • SHA512

      0f5120fa9ed24d2a49b82cdc62113302002ccc5e1cf389cc28830f36b2915f876bdf77094fa6dfa312fc01b6f482465297fa734509511fa7e72285569ce57e87

    • SSDEEP

      6144:aMNTja9KIKf5RCs1ussMKlzI5iJQn9gu5DPOvObo:5Za9KIjs1ussMKlzI5lo

    Score
    1/10
    • Target

      Resource/Locals/x64/AdonisUI.dll

    • Size

      164KB

    • MD5

      3d4c8b6aad28ec574e56ccda22b34ef3

    • SHA1

      bc22ac7097e597fba3d7367b2fd5c61adff28941

    • SHA256

      db46b6106dc1b30041ce3f287ded91166895ff3f1928250fc79dd46c444b1e45

    • SHA512

      fc56241e65dc7bcc678a2af92f79bda017ceb3f7c4f203c7e9ce753d573da868608a6f56545c0d181a625737278b7b73223e5dcce85bf1f3c5b7b1b06e5c5739

    • SSDEEP

      3072:fuZPAdWKbu3355s555GPQKljrKxX0yAbTxin1YzqHf0llbS1sjZ73h39Iwj:GydWDrKxG3h39Iw

    Score
    1/10
    • Target

      Resource/Locals/x64/SQLite.Interop.dll

    • Size

      1.7MB

    • MD5

      56a504a34d2cfbfc7eaa2b68e34af8ad

    • SHA1

      426b48b0f3b691e3bb29f465aed9b936f29fc8cc

    • SHA256

      9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

    • SHA512

      170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

    • SSDEEP

      24576:YPUxmkgSxPgobZPRjZ22H6edtOZzWySRO3mlE0i/Yl5P+qF+8k+ao/si6:8UxXPgo8e6WYBSJZSS5P97I

    Score
    1/10
    • Target

      Resource/Locals/x86/BouncyCastle.Crypto.dll

    • Size

      3.2MB

    • MD5

      0cf454b6ed4d9e46bc40306421e4b800

    • SHA1

      9611aa929d35cbd86b87e40b628f60d5177d2411

    • SHA256

      e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

    • SHA512

      85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

    • SSDEEP

      49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY

    Score
    1/10
    • Target

      Resource/Locals/x86/SQLite.Interop.dll

    • Size

      1.3MB

    • MD5

      8be215abf1f36aa3d23555a671e7e3be

    • SHA1

      547d59580b7843f90aaca238012a8a0c886330e6

    • SHA256

      83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

    • SHA512

      38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

    • SSDEEP

      24576:eiDAYMz2epP8AEXn8z7qsyb8c+gntHKuvKtBLtTvD0nsrFSK96fYlYyv:1AYMza36enEuyjpTV96A2yv

    Score
    1/10
    • Target

      Resource/opengl64.dll

    • Size

      145.8MB

    • MD5

      71466589eb444bbf272c0f5c920c57f0

    • SHA1

      4fcace49ee032779d3bf7b8e03c6a9f29ed871ba

    • SHA256

      e7d625cf255360b0ea96a52ca990be6f1cef522ff7440393e45b12793ac88031

    • SHA512

      eff62450cf03d72af2594d750a70b008226fa2e46216661716287639bf5e1ff1303076fdaf4f062ca4098ef10a8e29502de55ecb3a6e04753aad7fcad01e3352

    • SSDEEP

      48:0ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZY:n

    Score
    1/10
    • Target

      setup.exe

    • Size

      728.0MB

    • MD5

      3efb89902601a691f786ab8c89b6ce12

    • SHA1

      2c9b7cea478947d7e8dbfadb28a2d2235555c767

    • SHA256

      bd109daf662c8d83ad1014c0a30c56d8810a8e7dea6b6d7fa770101e0bec578d

    • SHA512

      c5bab4ebd21fdd421b5d1a6de5f564f650cd4a0dd91082219c7e86eddc101c589e3c5510ab4b6ff07689cba7e070308049bf9af0f10aa5bb617623f24e53bd4a

    • SSDEEP

      98304:D7Rny4bP23Bv0oO+IkcpyM7Pby/mdTsuYhZQ6mc+Yt/3VYXc6nNN9GlRC333:/z2RMHN57uQTQ3QnQVf5

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

themida
Score
7/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
3/10

behavioral4

Score
3/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
3/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

amadeygluptebasmokeloaderstealcpub3backdoordropperevasionloaderpyinstallerspywarestealerthemidatrojanupx
Score
10/10

behavioral24

amadeygluptebariseprosmokeloaderstealczgratpub3backdoordiscoverydropperevasionloaderpersistencepyinstallerratrootkitspywarestealerthemidatrojanupx
Score
10/10