General
Target: 1bc50846578de2c0d2a18bee4b1f828d293d652664458c862d363f3c562c2eda
Size: 332KB
Sample: 220117-tg6fvabae3
MD5: 397dd91bf6524e005ffa060dc1503f65
SHA1: 35bba2a4b482f659e1bf0aa6423d609c554c5e12
SHA256: 1bc50846578de2c0d2a18bee4b1f828d293d652664458c862d363f3c562c2eda
SHA512: 4cbc6aafd4b5a8d720f147ef752d136def4d249e385841de7c595b7cf662e611155aca2aaa947d8cdd2f980908d700b371f564e124f08d2b376bf4dd28308d11
Static task
static1
Malware Config
Extracted
smokeloader
2020
Extracted
tofsee
patmushta.info
parubey.info
Extracted
raccoon
1.8.5
628dbe616eb46c5e66398ea6a12fa931e1f38eaf
-
url4cnc
http://185.163.204.22/capibar
http://178.62.113.205/capibar
https://t.me/capibar
Extracted
arkei
Default
http://file-file-host4.com/tratata.php
Targets
- Suspicious use of NtCreateProcessExOtherParentProcess
- Arkei Stealer Payload
- XMRig Miner Payload
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix
Collection
- Data from Local System (2)
Command and Control
Credential Access
- Credentials in Files (2)
Discovery
- Query Registry (5)
- System Information Discovery (5)
- Peripheral Device Discovery (1)
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
- Modify Existing Service (1)
- New Service (1)
- Scheduled Task (1)
- Registry Run Keys / Startup Folder (1)
Privilege Escalation