Overview

overview

10

Static

static

e0059c4ad7...75.exe

windows7_x64

10

e0059c4ad7...75.exe

windows10_x64

Resubmissions

29-03-2021 07:15

210329-ckntpd3l26 10

29-03-2021 07:06

210329-grqc5qt2g2 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e0059c4ad73116bf0ea29d575ea2c175.exe

  • Size

    162KB

  • Sample

    210329-grqc5qt2g2

  • MD5

    e0059c4ad73116bf0ea29d575ea2c175

  • SHA1

    a1316534bb8a3b52ec4f14d8c3172e49f6c5760f

  • SHA256

    fb2e2174a3ec526861932043c1aa5b5e62e3abed0bb73e88e495eab66635e758

  • SHA512

    b8a06dd6de28e6d29ebafe58bb6262412add147f01f3d3367dd7da95d083d92656e92a7bfce6a13179dc27b6ee346f5bcf98b0f067be2286a9cc741babd06de4

Score
10/10
smokeloadertaurus_stealertofseebackdoorbootkitdiscoveryevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/
rc4.i32
rc4.i32

Targets

    • Target

      e0059c4ad73116bf0ea29d575ea2c175.exe

    • Size

      162KB

    • MD5

      e0059c4ad73116bf0ea29d575ea2c175

    • SHA1

      a1316534bb8a3b52ec4f14d8c3172e49f6c5760f

    • SHA256

      fb2e2174a3ec526861932043c1aa5b5e62e3abed0bb73e88e495eab66635e758

    • SHA512

      b8a06dd6de28e6d29ebafe58bb6262412add147f01f3d3367dd7da95d083d92656e92a7bfce6a13179dc27b6ee346f5bcf98b0f067be2286a9cc741babd06de4

    Score
    10/10
    smokeloadertaurus_stealerbackdoordiscoverypersistencespywarestealertrojantofseebootkitevasion

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

      trojanstealertaurus_stealer

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Creates new service(s)

      persistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Bootkit

1
T1067

Privilege Escalation

New Service

1
T1050

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

3
T1112

File Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks