General

  • Target

    3ab35ce7186e6dbda54259073b75bb61a37050f1b202ad859a02ee4a04a2da83

  • Size

    159KB

  • Sample

    240417-qjl87sae8v

  • MD5

    7fed981dc50c69ccb57c821df3ef7c6e

  • SHA1

    7479ad52493faa7883710f032bc104d8da73d6fc

  • SHA256

    3ab35ce7186e6dbda54259073b75bb61a37050f1b202ad859a02ee4a04a2da83

  • SHA512

    afa2f6eea1193a6aa71676fd4e86dfc39dc3bf8cac4704e01570d234f8972b80bfa7262d73c9029f9be2d459ade3a0794db45ab0e5ec5e680900f3cc8321fee3

  • SSDEEP

    3072:NAbZvl8WisUN9ZyZQpr+HfDUbRS+izzS2ZDZmwcCwbKDRvmJU09hTfnW/Ykb:c8WiscqQgHf/++S2sCwWDRcpfWAkb

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub1

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://trad-einmyus.com/index.php
    http://tradein-myus.com/index.php
    http://trade-inmyus.com/index.php

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    LogsDiller Cloud (Telegram: @logsdillabot)

  • C2

    5.42.65.50:33080

Extracted

  • Family

    lumma

  • C2

    https://greetclassifytalk.shop/api
    https://entitlementappwo.shop/api
    https://economicscreateojsu.shop/api
    https://pushjellysingeywus.shop/api
    https://absentconvicsjawun.shop/api
    https://suitcaseacanehalk.shop/api
    https://bordersoarmanusjuw.shop/api
    https://mealplayerpreceodsju.shop/api
    https://wifeplasterbakewis.shop/api

Targets

    • Target

      6610e3f433a1a54fff1dcb16ca8d08137481d19cd706d1cd73e75030be8ff720.exe

    • Size

      300KB

    • MD5

      62e5fd85ce51c117efe2b5d7878666a5

    • SHA1

      51abc31105ddf829ebae52360fd4ae18a45a9bd1

    • SHA256

      6610e3f433a1a54fff1dcb16ca8d08137481d19cd706d1cd73e75030be8ff720

    • SHA512

      5cb9f5d419643703093ee2e2db45d017307edd3adb881e5db646fa0e4ab7f98dc0fa1787a2c94e9f597442f65796a9b0d8838abb34dafa9fcdc3663e9a943d34

    • SSDEEP

      3072:ZZ4GK2h1ohdN1S8HF2b+BMiXTHEOXSawHt+IbJEs6LePU3dxf/eDLD8M:Znhzsk8HF2bSj1aHlisQePUtReDMM

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Deletes itself

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks