General

  • Target

    945e00ee877d6fd589c02c71e0786448bffd53ed2d473fee3ff3806551254a9e

  • Size

    144KB

  • Sample

    240417-r3297scf23

  • MD5

    be819bac0f30f3cc8b7f268d9997f608

  • SHA1

    61751b26855ac15d727d437c3b0f157e1a7a03d7

  • SHA256

    945e00ee877d6fd589c02c71e0786448bffd53ed2d473fee3ff3806551254a9e

  • SHA512

    d3a602fbb90476f9add5baff35b513458ad6d65ffb5ff491e14a49ed84309d992f641b47f5713f6a6647cfd88ee824f3d64778ae30c4bd0728b41425e5a85bde

  • SSDEEP

    3072:jNZEyxGLmUL3+qv+LJet3YpYJVUGaVbVll9U2AU31skWaXuHx:jNKyxGSUL3mLJW4imG+9U2bWaXuR

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

5.42.65.50:33080

Extracted

Family

lumma

C2

https://greetclassifytalk.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api
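
The three extracted configs above are the actionable part of this report. The script below is an added example (not tooling from the sandbox or from the report itself): it takes the C2 strings and file digests exactly as listed above, normalizes the two forms they come in (URLs for SmokeLoader and Lumma, a bare ip:port for RedLine), checks that each hash is a well-formed digest of the length its label implies, and emits Suricata rules. Lumma's C2 is HTTPS, so the rules match on DNS queries rather than an HTTP Host header. The SID range is an arbitrary assumption.

```python
"""Turn the extracted configs above into deduplicated network indicators and
Suricata rules. Added example; not tooling from the sandbox or the report."""
import ipaddress
import re
from urllib.parse import urlparse

# C2 entries copied verbatim from the extracted configs in the report above.
EXTRACTED_C2 = {
    "smokeloader": [
        "http://trad-einmyus.com/index.php",
        "http://tradein-myus.com/index.php",
        "http://trade-inmyus.com/index.php",
    ],
    "redline": ["5.42.65.50:33080"],
    "lumma": [
        "https://greetclassifytalk.shop/api",
        "https://entitlementappwo.shop/api",
        "https://economicscreateojsu.shop/api",
        "https://pushjellysingeywus.shop/api",
        "https://absentconvicsjawun.shop/api",
        "https://suitcaseacanehalk.shop/api",
        "https://bordersoarmanusjuw.shop/api",
        "https://mealplayerpreceodsju.shop/api",
        "https://wifeplasterbakewis.shop/api",
    ],
}

# Digests of the dropped executable, copied from the Targets section.
REPORTED_HASHES = {
    "md5": "3ab03116a1d5dea017a632acfe5d56fb",
    "sha1": "d38ba4572555498c08a9c3e7e1826cf337c318e9",
    "sha256": "0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03",
}

HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def classify_hash(value):
    """Return the algorithm a hex digest's length implies, or None when the
    string is not a well-formed digest (catches truncated copy/paste)."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HEX_DIGEST_LENGTHS.get(len(v))


def parse_c2(entry):
    """Normalize one C2 string. Handles URL form (SmokeLoader, Lumma) and the
    bare ip:port form RedLine uses; a missing URL port defaults per scheme."""
    if "://" in entry:
        u = urlparse(entry)
        port = u.port or (443 if u.scheme == "https" else 80)
        return {"host": u.hostname, "port": port, "scheme": u.scheme, "path": u.path}
    host, _, port = entry.rpartition(":")
    return {"host": host, "port": int(port), "scheme": None, "path": ""}


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_indicators(config):
    """Unique domains and ip:port sockets across all families, each tagged with
    the families that use it, so shared infrastructure stands out."""
    domains, sockets = {}, {}
    for family, entries in config.items():
        for entry in entries:
            p = parse_c2(entry)
            if is_ip(p["host"]):
                sockets.setdefault(f"{p['host']}:{p['port']}", set()).add(family)
            else:
                domains.setdefault(p["host"], set()).add(family)
    return domains, sockets


def suricata_rules(config, base_sid=9000001):
    """One DNS-query rule per C2 domain (fires even for Lumma's HTTPS C2, where
    the Host header is encrypted) and one TCP rule per ip:port. The SID range
    is an arbitrary local-use assumption."""
    domains, sockets = build_indicators(config)
    rules, sid = [], base_sid
    for d in sorted(domains):
        fams = "/".join(sorted(domains[d]))
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"{fams} C2 domain {d}"; '
                     f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for s in sorted(sockets):
        ip, port = s.rsplit(":", 1)
        fams = "/".join(sorted(sockets[s]))
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{fams} C2 {s}"; '
                     f'flow:to_server; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    for name, digest in REPORTED_HASHES.items():
        assert classify_hash(digest) == name, f"{name} digest is malformed"
    print("\n".join(suricata_rules(EXTRACTED_C2)))
```

Run as-is it prints 13 rules (12 domains, one socket). The `build_indicators` dictionaries keep the family set per indicator, which is the check worth doing on a multi-family sample like this one: an indicator shared by two configs usually means a single operator's hosting rather than coincidence.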

Targets

    • Target

      0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03.exe

    • Size

      231KB

    • MD5

      3ab03116a1d5dea017a632acfe5d56fb

    • SHA1

      d38ba4572555498c08a9c3e7e1826cf337c318e9

    • SHA256

      0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03

    • SHA512

      c8c3c7145d01b4c2c94451c964e7bdf1344520be45ceaeea166e9a4ff1b3b18db41ca29ea9680aca92b08da895e1ee377e14684b1eb6748a6097c7d26d12d139

    • SSDEEP

      3072:1nf/yLH4vqqRFbyoa1dWbWGWIpe3G5kZiVSHloV552I4:1f/yLYJFbyorbWGxpP5kZoz4

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

      Writes under HKLM\Software\Microsoft\Active Setup\Installed Components, an autostart location whose StubPath values run once per user at logon.

    • Deletes itself

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

      Setting the thread context of another process is the usual way a loader redirects a suspended, freshly created process into injected code (process hollowing).

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            Hits  ID
Persistence           Boot or Logon Autostart Execution    1     T1547
Persistence           Registry Run Keys / Startup Folder   1     T1547.001
Privilege Escalation  Boot or Logon Autostart Execution    1     T1547
Privilege Escalation  Registry Run Keys / Startup Folder   1     T1547.001
Defense Evasion       Modify Registry                      2     T1112
Defense Evasion       Subvert Trust Controls               1     T1553
Defense Evasion       Install Root Certificate             1     T1553.004
Discovery             Query Registry                       3     T1012
Discovery             Peripheral Device Discovery          2     T1120
Discovery             System Information Discovery         3     T1082
Command and Control   Web Service                          1     T1102
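
The behaviour signatures and the ATT&CK rows above describe what the sandbox saw, but not how to see the same thing on a production host. The script below is an added example (not code from the sandbox or the report): it classifies Sysmon-style events into the report's behaviour names and technique IDs. Run-key writes map to T1547.001 and root-certificate installs to T1553.004 as in the matrix; the Active Setup mapping to T1547.014 and the self-delete mapping to T1070.004 are my own additions, since the report lists those behaviours without an ID. The SetThreadContext behaviour is an API-hook observation and has no registry or file footprint, so it is not covered here. All events in the block are constructed for illustration and are not taken from the report.

```python
"""Map Sysmon-style registry/process events to the behaviours and ATT&CK
techniques listed in the report above. Added example, not sandbox code;
every event below is constructed for illustration, not taken from the report."""
import re

# Registry key patterns (case-insensitive) -> (behaviour name as the report
# words it, ATT&CK technique). The T1547.014 mapping is my own, not the report's.
REGISTRY_RULES = [
    (re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx)\\", re.I),
     ("Registry Run Keys / Startup Folder", "T1547.001")),
    (re.compile(r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I),
     ("Modifies Installed Components in the registry", "T1547.014")),
    (re.compile(r"\\SystemCertificates\\Root\\Certificates\\[0-9A-F]{40}\\Blob$", re.I),
     ("Install Root Certificate", "T1553.004")),
]


def classify_registry_event(event):
    """Sysmon EventID 13 (RegistryEvent SetValue): return the matching
    (behaviour, technique) pair, or None for an unremarkable key."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "").replace("/", "\\")
    for pattern, hit in REGISTRY_RULES:
        if pattern.search(target):
            return hit
    return None


def is_self_delete(event):
    """Two common self-delete shapes: EventID 23 (FileDelete) where the deleting
    image is the deleted file, or EventID 1 (ProcessCreate) where cmd.exe is
    spawned to `del` its own parent's image after a delay."""
    if event.get("EventID") == 23:
        return event.get("Image", "").lower() == event.get("TargetFilename", "").lower()
    if event.get("EventID") == 1:
        image = event.get("Image", "").lower()
        cmdline = event.get("CommandLine", "").lower()
        parent = event.get("ParentImage", "").lower()
        return (image.endswith("\\cmd.exe") and bool(parent)
                and re.search(r"\bdel\b", cmdline) is not None and parent in cmdline)
    return False


def triage(events):
    """Return a list of (behaviour, technique) findings over an event stream."""
    findings = []
    for ev in events:
        hit = classify_registry_event(ev)
        if hit:
            findings.append(hit)
        if is_self_delete(ev):
            findings.append(("Deletes itself", "T1070.004"))  # my mapping, not the report's
    return findings


def technique_ids(events):
    return sorted({tid for _, tid in triage(events)})


# Constructed events (not from the report) exercising each rule plus one benign write.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\abcd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\abcd"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\abcd.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{D1E2F3A4-0000-1111-2222-333344445555}\StubPath"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\abcd.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A1B2C3D4E5F60718293A4B5C6D7E8F9001122334\Blob"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c timeout 3 & del "C:\Users\user\Desktop\sample.exe"',
     "ParentImage": r"C:\Users\user\Desktop\sample.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for behaviour, technique in triage(SAMPLE_EVENTS):
        print(f"{technique:10} {behaviour}")
```

The thumbprint check in the root-certificate rule (40 hex characters before `\Blob`) is what keeps the rule from firing on unrelated writes under `SystemCertificates`; in practice you would also pull the thumbprint out of the match and compare it against the store's expected contents before raising an alert.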

Tasks