Overview

overview

10

Static

static

2b858c79a8...5a.exe

windows7_x64

10

2b858c79a8...5a.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2b858c79a8a7a652f8cb60059eb7a95a.exe

  • Size

    343KB

  • Sample

    211018-p8pj7aeehj

  • MD5

    2b858c79a8a7a652f8cb60059eb7a95a

  • SHA1

    e669008a553976d275388ee02e49d5c938a6c27b

  • SHA256

    991e3c5fb9946ed0490a723a541bda0f36a9b94fff8a68f6729c15e1044dd954

  • SHA512

    c893d061191282d82bb421ef587b5c0dd973a31aec371d1bba6aba83a5a48444bc1660b9aa80d0f8f1f3beceb86825de2b249a0ffb64c905588f11c4a0bae8c9

Score
10/10
servhelpersmokeloaderbackdoordiscoveryexploitpersistencesuricatatrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/
rc4.i32
rc4.i32

Targets

    • Target

      2b858c79a8a7a652f8cb60059eb7a95a.exe

    • Size

      343KB

    • MD5

      2b858c79a8a7a652f8cb60059eb7a95a

    • SHA1

      e669008a553976d275388ee02e49d5c938a6c27b

    • SHA256

      991e3c5fb9946ed0490a723a541bda0f36a9b94fff8a68f6729c15e1044dd954

    • SHA512

      c893d061191282d82bb421ef587b5c0dd973a31aec371d1bba6aba83a5a48444bc1660b9aa80d0f8f1f3beceb86825de2b249a0ffb64c905588f11c4a0bae8c9

    Score
    10/10
    servhelpersmokeloaderbackdoordiscoveryexploitpersistencesuricatatrojanupx

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

      trojanbackdoorservhelper

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • suricata: ET MALWARE ServHelper CnC Inital Checkin

      suricata: ET MALWARE ServHelper CnC Inital Checkin

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

      exploit

    • Sets DLL path for service in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks