General

  • Target

    dik.rar

  • Size

    14.0MB

  • Sample

    240229-szpelsdc2w

  • MD5

    1745beb096fa778edaa4af460963f6f1

  • SHA1

    be8ce59abd516c8e20c9b7f48bbf6bf37ae9bd92

  • SHA256

    6c36e5d456335dd880fd2e168289af1a4af14d44df540ab55a3083eaa8dbf786

  • SHA512

    d26857952e6bba78b80df44e1e3836e0031de8b7daa6ffe1327db85a1a8f50ace7ae8273811b825c6885e8a349d2391e0e8c0153b3b0688064f48aefbe73c681

  • SSDEEP

    393216:SIerHUFihoO/zvu76vng32jewXDTdgBqyReTDeAZQ:Snr0QoKzvLvnlmBhe3hQ

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://selebration17io.io/index.php

    http://vacantion18ffeu.cc/index.php

    http://valarioulinity1.net/index.php

    http://buriatiarutuhuob.net/index.php

    http://cassiosssionunu.me/index.php

    http://sulugilioiu19.net/index.php

    http://goodfooggooftool.net/index.php

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    risepro

  • C2

    193.233.132.62

Extracted

  • Family

    smokeloader

  • Botnet

    pub3

Targets

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks