General
-
Target
29DEA0BA258723098A514297F4C4D0B7.exe
-
Size
9.1MB
-
Sample
210404-crv38zggmj
-
MD5
29dea0ba258723098a514297f4c4d0b7
-
SHA1
7e6320fa26dd41b212ed9fac3cf3c61919af5325
-
SHA256
cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95
-
SHA512
918dcf85de3ca63869d9771d440d0dfd31447b8433842af8395b987f1cd761b5d5589a7e4fd2e01301c9831db39f105ae8ee9b46b58fa32d3a21ec1d78c28cbd
Static task
static1
Behavioral task
behavioral1
Sample
29DEA0BA258723098A514297F4C4D0B7.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
29DEA0BA258723098A514297F4C4D0B7.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
29DEA0BA258723098A514297F4C4D0B7.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
29DEA0BA258723098A514297F4C4D0B7.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
29DEA0BA258723098A514297F4C4D0B7.exe
Resource
win7v20201028
Malware Config
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2020
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Extracted
http://labsclub.com/welcome
Extracted
raccoon
9420f36ff86e78bbb8ce4073fa910f921ce2bebf
-
url4cnc
https://tttttt.me/hobamantfr1
Extracted
raccoon
afefd33a49c7cbd55d417545269920f24c85aa37
-
url4cnc
https://telete.in/jagressor_kz
Extracted
dridex
10111
210.65.244.183:8443
216.10.251.121:6601
Targets
-
-
Target
29DEA0BA258723098A514297F4C4D0B7.exe
-
Size
9.1MB
-
MD5
29dea0ba258723098a514297f4c4d0b7
-
SHA1
7e6320fa26dd41b212ed9fac3cf3c61919af5325
-
SHA256
cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95
-
SHA512
918dcf85de3ca63869d9771d440d0dfd31447b8433842af8395b987f1cd761b5d5589a7e4fd2e01301c9831db39f105ae8ee9b46b58fa32d3a21ec1d78c28cbd
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder
1Scheduled Task
1Hidden Files and Directories
1Defense Evasion
Modify Registry
4Install Root Certificate
1Hidden Files and Directories
1