General
-
Target
e0059c4ad73116bf0ea29d575ea2c175.exe
-
Size
162KB
-
Sample
210329-grqc5qt2g2
-
MD5
e0059c4ad73116bf0ea29d575ea2c175
-
SHA1
a1316534bb8a3b52ec4f14d8c3172e49f6c5760f
-
SHA256
fb2e2174a3ec526861932043c1aa5b5e62e3abed0bb73e88e495eab66635e758
-
SHA512
b8a06dd6de28e6d29ebafe58bb6262412add147f01f3d3367dd7da95d083d92656e92a7bfce6a13179dc27b6ee346f5bcf98b0f067be2286a9cc741babd06de4
Static task
static1
Behavioral task
behavioral1
Sample
e0059c4ad73116bf0ea29d575ea2c175.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
e0059c4ad73116bf0ea29d575ea2c175.exe
Resource
win10v20201028
Malware Config
Extracted
smokeloader
2020
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Targets
-
-
Target
e0059c4ad73116bf0ea29d575ea2c175.exe
-
Size
162KB
-
MD5
e0059c4ad73116bf0ea29d575ea2c175
-
SHA1
a1316534bb8a3b52ec4f14d8c3172e49f6c5760f
-
SHA256
fb2e2174a3ec526861932043c1aa5b5e62e3abed0bb73e88e495eab66635e758
-
SHA512
b8a06dd6de28e6d29ebafe58bb6262412add147f01f3d3367dd7da95d083d92656e92a7bfce6a13179dc27b6ee346f5bcf98b0f067be2286a9cc741babd06de4
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
New Service
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Bootkit
1Defense Evasion
Virtualization/Sandbox Evasion
1Modify Registry
3File Permissions Modification
1Install Root Certificate
1