General

  • Target: 1905ad8d3e218e39d45ce88778dd7a141a93ec18ebd3944871847498730c6a5e
  • Size: 162KB
  • Sample: 240417-qc774aab6x
  • MD5: fab24922fc94f75c898e8d4b23b1022b
  • SHA1: 7b28c3d4501338c510f6dd5ebfbc1df2a6c913ab
  • SHA256: 1905ad8d3e218e39d45ce88778dd7a141a93ec18ebd3944871847498730c6a5e
  • SHA512: 2398954b46c2cb769cc985f502b9c3874e0ee5714c228b3c0afb1a31e3460067751e317d6f70f5c85063b2156f6397b2dba61d1344a10d4715eb1676359e1415
  • SSDEEP: 3072:wx4NjDrgHlY0V4TdM6MP5IE85OXE13qBeDZGm67pmjdfDT3lt1oJn8CF1I5:w6NjDEBp6NzqeZGLAdfXVt1OnNK

Malware Config

Extracted

  • Family: smokeloader
  • Botnet: pub1

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2:
    http://trad-einmyus.com/index.php
    http://tradein-myus.com/index.php
    http://trade-inmyus.com/index.php
  • rc4.i32
  • rc4.i32

Extracted

  • Family: redline
  • Botnet: LogsDiller Cloud (Telegram: @logsdillabot)
  • C2: 5.42.65.50:33080

Extracted

  • Family: lumma
  • C2:


Targets

  • Target: abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976.exe
  • Size: 313KB
  • MD5: 49c1a7094df766b5e5868811f298b529
  • SHA1: c48fc045b5ee06e02d558f3c3551a463199725b9
  • SHA256: abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976
  • SHA512: c34cf47f715fffb4c4b9ec4ba587ea0c455d3baf7192408114b9f7260dbb1ee6b28c794157cfdd12c6048e99e9140220d77232bd9355cb96db7df9e566ba9490
  • SSDEEP: 3072:9gw3B7c4wkQMR+BYYeEX+qP4XTkedBoRv0XgGlf+N9XF6kVQvVYKAG:zxd/RmFMkeAv0ltKXF6k2NvJ

  • Lumma Stealer
    An infostealer written in C++, first seen in August 2022.
  • RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  • RedLine payload
  • SmokeLoader
    Modular backdoor trojan in use since 2014.
  • Downloads MZ/PE file
  • Modifies Installed Components in the registry
  • Deletes itself
  • Executes dropped EXE
  • VMProtect packed file
    Detects executables packed with the VMProtect commercial packer.
  • Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
  • Legitimate hosting services abused for malware hosting/C2
  • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks