General

  • Target

    beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0

  • Size

    307KB

  • Sample

    240428-t5x5dacb9w

  • MD5

    cf3c1c8bf8cb2a7c77f976c30bb1db06

  • SHA1

    96660806f005a84bdac81a649a3118ac0f9605fc

  • SHA256

    beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0

  • SHA512

    2fd14931d640159ffadc236482e8d36b5b16663b935d7bef273c149ddfd008fb9a5c280a2992a1b2f5c294ed4ce3e15101d7b7a9e05a5095b1362920033819a4

  • SSDEEP

    3072:Y5a5vdqPp0ekxe4H0+3bLjP4wdRNpmsLP+p2uYPrBUeSoYI6iHEXiEI7I8NU:b+Ce8QQXvRNpmP8pBUe2I6mEXiEMNU

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

lumma

C2

https://accountasifkwosov.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Targets

    • Target

      beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0

    • Size

      307KB

    • MD5

      cf3c1c8bf8cb2a7c77f976c30bb1db06

    • SHA1

      96660806f005a84bdac81a649a3118ac0f9605fc

    • SHA256

      beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0

    • SHA512

      2fd14931d640159ffadc236482e8d36b5b16663b935d7bef273c149ddfd008fb9a5c280a2992a1b2f5c294ed4ce3e15101d7b7a9e05a5095b1362920033819a4

    • SSDEEP

      3072:Y5a5vdqPp0ekxe4H0+3bLjP4wdRNpmsLP+p2uYPrBUeSoYI6iHEXiEI7I8NU:b+Ce8QQXvRNpmP8pBUe2I6mEXiEMNU

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Deletes itself

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks