dharma | 7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91 | Triage

Submit
Reports

Overview

overview

Static

static

7c9eba57cb...91.exe

windows7_x64

7c9eba57cb...91.exe

windows10_x64

Resubmissions

27-08-2020 15:47

200827-m1jren2nas 10

Sharing

General

Target

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
Size

181KB
Sample

200827-m1jren2nas
MD5

80d3605d4b180cdd2fef6cb6312942bd
SHA1

12386eee0db55c3c612c92b7912d6f5eceaaffdc
SHA256

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91
SHA512

cfb0f5785978586aeaec6a832f0dfae13039c07f977f0afb63fcdbb27981b7bc95ecaf202c7a5ddfec9b47bbf1c5c00c2cfdbc471035311b2458dec6a2e65fd9

Score

10^/10

dharma smokeloader backdoor persistence ransomware trojan

Static task

static1

Behavioral task

behavioral1

Sample

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

Resource

win7v200722

ransomware trojan backdoor smokeloader dharma persistence

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

Resource

win10

trojan backdoor smokeloader ransomware dharma persistence

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rexstat35x.xyz/statweb955/

http://dexspot2x.xyz/statweb955/

http://atxspot20x.xyz/statweb955/

http://rexspot7x.xyz/statweb955/

http://fdmail85.club/statweb955/

http://servicem977x.xyz/statweb955/

http://advertxman7x.xyz/statweb955/

http://starxpush7x.xyz/statweb955/

rc4.i32

rc4.i32

Targets

- Target
  
  7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
- Size
  
  181KB
- MD5
  
  80d3605d4b180cdd2fef6cb6312942bd
- SHA1
  
  12386eee0db55c3c612c92b7912d6f5eceaaffdc
- SHA256
  
  7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91
- SHA512
  
  cfb0f5785978586aeaec6a832f0dfae13039c07f977f0afb63fcdbb27981b7bc95ecaf202c7a5ddfec9b47bbf1c5c00c2cfdbc471035311b2458dec6a2e65fd9
Score

10^/10

ransomware trojan backdoor smokeloader dharma persistence
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ransomwaretrojanbackdoorsmokeloaderdharmapersistence

behavioral2

trojanbackdoorsmokeloaderransomwaredharmapersistence

© 2018-2024

Terms | Privacy