General

  • Target

    9a2073e7fd9e73b17ab239c32ea2c2852c9d958abf3a7501cbca8ac4b03e188c

  • Size

    107KB

  • Sample

    240417-qh82ksha39

  • MD5

    d1b1025866b6487e5dc946427f8addfa

  • SHA1

    245d66172edd4c0f1717735486e5c5693e480fe3

  • SHA256

    9a2073e7fd9e73b17ab239c32ea2c2852c9d958abf3a7501cbca8ac4b03e188c

  • SHA512

    c7dac2e26a43066e0f5ddd5d9aa5ad48912eb448c5e6223db00c492af4749b4b8f5b951c01bf2c61bb4d272470488b97d331f749af83c701e16f12980b80a3b1

  • SSDEEP

    3072:7ldz4JW6PG9G+yACSizY0JD8ShbeRz40Jx/C96WEwdq:zN9lQFdDfhbeR7a9nE1

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

5.42.65.50:33080

Extracted

Family

lumma

C2

https://greetclassifytalk.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api
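The C2 entries extracted above are the actionable part of this report, but they are split across three family configs and mix URLs with a bare ip:port. The block below is an added example, not part of the sandbox report: it normalises the SmokeLoader, RedLine and Lumma C2 values listed on this page into domain and ip:port indicators and scans a few constructed DNS/proxy/firewall log lines for them. The log lines, their layout and the function names are assumptions for illustration; the indicators themselves are the ones shown in the configs above.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the extracted configs on this page.
SMOKELOADER_C2 = [
    "http://trad-einmyus.com/index.php",
    "http://tradein-myus.com/index.php",
    "http://trade-inmyus.com/index.php",
]
REDLINE_C2 = ["5.42.65.50:33080"]
LUMMA_C2 = [
    "https://greetclassifytalk.shop/api",
    "https://entitlementappwo.shop/api",
    "https://economicscreateojsu.shop/api",
    "https://pushjellysingeywus.shop/api",
    "https://absentconvicsjawun.shop/api",
    "https://suitcaseacanehalk.shop/api",
    "https://bordersoarmanusjuw.shop/api",
    "https://mealplayerpreceodsju.shop/api",
    "https://wifeplasterbakewis.shop/api",
]

IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def build_iocs():
    """Normalise the per-family C2 lists into {domain: family} and {ip:port: family}."""
    domains, ips = {}, {}
    for family, urls in (("smokeloader", SMOKELOADER_C2), ("lumma", LUMMA_C2)):
        for url in urls:
            domains[urlparse(url).hostname.lower()] = family
    for entry in REDLINE_C2:
        # RedLine talks to a raw socket on a non-standard port, so keep the port
        # as part of the indicator rather than matching on the address alone.
        ips[entry] = "redline"
    return domains, ips


def match_log_line(line, domains, ips):
    """Return [(family, indicator)] hits for one DNS/proxy/firewall log line."""
    hits = []
    lowered = line.lower()
    for host, family in domains.items():
        # The three SmokeLoader domains differ only in hyphen position, so match
        # the whole label: allow a leading '.' (subdomain) but no other word char,
        # and no trailing word char ('trad-einmyus.computer' must not hit).
        if re.search(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])", lowered):
            hits.append((family, host))
    for m in IP_PORT_RE.finditer(line):
        key = f"{m.group(1)}:{m.group(2)}"
        if key in ips:
            hits.append((ips[key], key))
    return hits


def scan_logs(lines):
    """Scan a list of log lines; return [(line_index, family, indicator)]."""
    domains, ips = build_iocs()
    findings = []
    for i, line in enumerate(lines):
        for family, ioc in match_log_line(line, domains, ips):
            findings.append((i, family, ioc))
    return findings


# Constructed sample telemetry (assumed format; not from the sandbox run).
SAMPLE_LOGS = [
    "2024-04-17T10:01:02Z dns query A trad-einmyus.com from 10.0.0.12",
    "2024-04-17T10:01:03Z proxy GET http://trad-einmyus.com/index.php 10.0.0.12",
    "2024-04-17T10:02:10Z fw ALLOW tcp 10.0.0.12:51022 -> 5.42.65.50:33080",
    "2024-04-17T10:02:11Z fw ALLOW tcp 10.0.0.12:51023 -> 5.42.65.50:443",
    "2024-04-17T10:03:00Z dns query A greetclassifytalk.shop from 10.0.0.13",
    "2024-04-17T10:03:01Z dns query A www.tradeinmyus.com from 10.0.0.13",
]

if __name__ == "__main__":
    for idx, family, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {family} C2 {ioc}")
```

The fourth sample line (5.42.65.50 on port 443) and the last one (a look-alike domain without the hyphen) deliberately produce no hit: the match is port-qualified for the RedLine address and label-exact for the domains, which keeps the rule tight at the cost of missing a C2 that moves port. Loosen it to address-only matching if the hosting range is otherwise unused in your environment.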

Targets

    • Target

      2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b.exe

    • Size

      186KB

    • MD5

      0343235b3014134cd1f9c4f8f14bf327

    • SHA1

      7df22fd8a194031121a4e4eba53d98c1a7f55bb8

    • SHA256

      2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b

    • SHA512

      1cefcccde826acf72f57d4a66f2cc22132773259aad246778a1fad3f059ec978a0d83b65eb3b447793d76629e0e20b6c4320d28ba42cf5c8acd70b102e3a7571

    • SSDEEP

      3072:0vHATbTxwuWJy949xuZsG/t7GJ9JA4UJykW/JqZvoh:wYbTGuWC4HAVGJ98

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Deletes itself

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
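Two of the behaviour signatures above, "Modifies Installed Components in the registry" and "Deletes itself", map onto endpoint telemetry that most environments already collect. The block below is an added example, not part of the sandbox report or of any vendor's rule set: it runs two detections over constructed Sysmon-style events. The first flags a write to a StubPath value under Active Setup\Installed Components (the key the "Installed Components" signature refers to) and raises severity when the stub or the writing process lives in a user-writable directory; the second flags a cmd.exe process whose command line deletes the image of its own parent, which is one common self-deletion pattern and is an assumption here, since the report does not say how this sample removes itself. The events, GUIDs and paths are constructed for the example.

```python
import re

# Sysmon Event ID 13 = registry value set; Event ID 1 = process creation.
ACTIVE_SETUP_STUBPATH_RE = re.compile(
    r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)


def detect_active_setup(event):
    """Flag a StubPath write under Active Setup; None if the event is unrelated."""
    if event.get("EventID") != 13:
        return None
    if not ACTIVE_SETUP_STUBPATH_RE.search(event.get("TargetObject", "")):
        return None
    stub = event.get("Details", "")
    image = event.get("Image", "")
    # Legitimate Active Setup stubs point into Program Files or System32; a stub
    # or a writer under AppData/Temp/ProgramData is the malware pattern.
    severity = "high" if (USER_WRITABLE_RE.search(stub)
                          or USER_WRITABLE_RE.search(image)) else "medium"
    return {"rule": "active_setup_stubpath", "severity": severity,
            "stub": stub, "image": image}


def detect_self_delete(event):
    """Flag cmd.exe deleting the image of the process that launched it."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not parent or "del " not in cmd:
        return None
    if parent in cmd:
        return {"rule": "self_delete_via_cmd", "severity": "high",
                "parent": event["ParentImage"], "cmdline": event["CommandLine"]}
    return None


def scan_events(events):
    """Run both detections; return [(event_index, rule, severity)]."""
    findings = []
    for i, ev in enumerate(events):
        for detect in (detect_active_setup, detect_self_delete):
            hit = detect(ev)
            if hit:
                findings.append((i, hit["rule"], hit["severity"]))
    return findings


# Constructed sample events (field names follow Sysmon; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{11111111-2222-3333-4444-555555555555}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{66666666-7777-8888-9999-000000000000}\Version",
     "Details": "1,0,0,1"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\svchost.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 3 & del "C:\Users\victim\AppData\Local\Temp\svchost.exe"'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c del C:\Users\victim\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for idx, rule, severity in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({severity})")
```

The second event writes a Version value rather than StubPath and is ignored on purpose: Version updates are how Windows decides whether to re-run a stub per user, and alerting on them alone is noisy. The fourth event deletes a file but not its parent's image, so the self-delete rule stays quiet.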

MITRE ATT&CK Enterprise v15