General
-
Target
Microsoft_Toolkit.exe
-
Size
4.9MB
-
Sample
210117-2wt25r9nnj
-
MD5
ee287c2e51854fee07881638379c6f38
-
SHA1
1dccecc235b6d702a8fea3350c72b9c52c05c7be
-
SHA256
c3193806a082fa6c5c4b755e343c01dcf9169487acbf9150ab169d3972a8c6e8
-
SHA512
02a1e9874f994e958489be409e3a6efcce642c57b9f5e50de0a2072ad15769cdb717744ed37436b0f9d94104572a79d39e6114938ba3e5a6670d6c05e780aafa
Static task
static1
Behavioral task
behavioral1
Sample
Microsoft_Toolkit.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Microsoft_Toolkit.exe
Resource
win10v20201028
Malware Config
Extracted
smokeloader
2020
http://oversun.monster/upload/
http://oversun.net/upload/
http://dingobossin.com/upload/
http://duda1.monster/upload/
http�//vinder55.monster/upload/
http://jamb2.monster/upload/
Targets
-
-
Target
Microsoft_Toolkit.exe
-
Size
4.9MB
-
MD5
ee287c2e51854fee07881638379c6f38
-
SHA1
1dccecc235b6d702a8fea3350c72b9c52c05c7be
-
SHA256
c3193806a082fa6c5c4b755e343c01dcf9169487acbf9150ab169d3972a8c6e8
-
SHA512
02a1e9874f994e958489be409e3a6efcce642c57b9f5e50de0a2072ad15769cdb717744ed37436b0f9d94104572a79d39e6114938ba3e5a6670d6c05e780aafa
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
JavaScript code in executable
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-