General
- Target: 011f2b76b3dcb347377f73b2c94b80ab.exe
- Size: 9.5MB
- Sample: 220401-gnk29sfah8
- MD5: 011f2b76b3dcb347377f73b2c94b80ab
- SHA1: 7fdb58e73995bc7852fd34ee2c56933c090282f5
- SHA256: a5072c297cd80acffd9da5124dd8ff867da5abd6effc2dabea853fd93a8cccdc
- SHA512: d3904e0b8cc51d1e3c1bee71ef9032a54bb53ffaa9235957e91979c6ad009051f88a0ca3e3f1132bbc25ae17c08a60c6e190872da2563556fcec1c6be8f46e74
Static task
- static1
Behavioral task
- behavioral1: Sample 011f2b76b3dcb347377f73b2c94b80ab.exe, Resource win7-20220331-en
Behavioral task
- behavioral2: Sample 011f2b76b3dcb347377f73b2c94b80ab.exe, Resource win10v2004-20220331-en
Malware Config
Extracted: socelars
- https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/
Extracted: smokeloader, 2020
Targets
- Target: 011f2b76b3dcb347377f73b2c94b80ab.exe, Size 9.5MB (MD5, SHA1, SHA256 and SHA512 as listed under General)
- Socelars Payload
- OnlyLogger Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext