General
Target: 2217c2970bbab77a72cbfbd579e95a008d90e4a9461f709f68d155e357563274
Size: 1.1MB
Sample: 220612-g6jbdseah3
MD5: 5c06a131964b2fc93b39ea152c6f15a2
SHA1: 29e16fc86bcd8f51330097ef39efd007d8b9a9f0
SHA256: 2217c2970bbab77a72cbfbd579e95a008d90e4a9461f709f68d155e357563274
SHA512: 94a99425389168aa6f7d23e683871692652053e90fcc8bebb7ed2572ac06eb86751c4503da617f58f045209477a453aef0a8962e1cfee28ed202ed2d7c543a0b
Static task: static1
Behavioral task: behavioral1
  Sample: 2217c2970bbab77a72cbfbd579e95a008d90e4a9461f709f68d155e357563274.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2217c2970bbab77a72cbfbd579e95a008d90e4a9461f709f68d155e357563274.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
Family: smokeloader
Version: 2018
C2: http://ktngb33.pw/zb/
Targets
Target: 2217c2970bbab77a72cbfbd579e95a008d90e4a9461f709f68d155e357563274
Size: 1.1MB
MD5: 5c06a131964b2fc93b39ea152c6f15a2
SHA1: 29e16fc86bcd8f51330097ef39efd007d8b9a9f0
SHA256: 2217c2970bbab77a72cbfbd579e95a008d90e4a9461f709f68d155e357563274
SHA512: 94a99425389168aa6f7d23e683871692652053e90fcc8bebb7ed2572ac06eb86751c4503da617f58f045209477a453aef0a8962e1cfee28ed202ed2d7c543a0b
Score: 10/10
- Disables Task Manager via registry modification
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
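The signature list above, turned into detection logic as an added example that is not part of the sandbox report or of the sandbox's own rule set. The pipe-delimited trace format (pid|api|arg|...) and every event in SAMPLE_TRACE are constructed for this example and are not taken from the run of this sample; the registry locations are the standard Windows ones for each behaviour (the Policies\System DisableTaskMgr value, the CurrentVersion\Run key, the Control Panel\International\Geo\Nation value, and SYSTEM\MountedDevices), and it is an assumption that these are exactly what the report's signatures key on. The example goes one step beyond the report's "Suspicious use of SetThreadContext" signature by only flagging SetThreadContext when it sits inside the suspended-create, write, set-context, resume chain that process hollowing uses.

```python
"""Map a sandbox API trace onto the behavioural signatures in the report.

The trace format (pid|api|arg|arg|...) and every event in SAMPLE_TRACE are
constructed for this example; they are not taken from the sandbox run of
the sample above.  Registry paths are the standard Windows locations for
each behaviour (Task Manager policy, Run key, Geo/Nation, MountedDevices).
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit used by process hollowing

# Constructed trace of one process (pid 1000) that spawns a suspended child
# (pid 2000), hollows it, then sets the policy and persistence values.
SAMPLE_TRACE = r"""
1000|CreateProcessW|C:\Windows\explorer.exe|0x00000004|2000
1000|RegQueryValueExW|HKCU\Control Panel\International\Geo|Nation
1000|RegQueryValueExW|HKLM\SYSTEM\MountedDevices|\DosDevices\C:
1000|NtWriteVirtualMemory|2000|0x00400000|0x12000
1000|SetThreadContext|2000|0x190
1000|NtResumeThread|2000|0x190
1000|RegSetValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr|REG_DWORD|1
1000|RegSetValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|updater|REG_SZ|C:\Users\Admin\AppData\Roaming\updater.exe
"""

# Key suffixes, compared case-insensitively, so HKCU and HKU\S-1-5-... spellings both match.
POLICIES_SYSTEM = r"\software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
GEO_KEY = r"\control panel\international\geo"
MOUNTED_DEVICES = r"\system\mounteddevices"


def parse_trace(text):
    """Split a pipe-delimited trace into {pid, api, args} records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, api, *args = line.split("|")
        events.append({"pid": int(pid), "api": api, "args": args})
    return events


def detect(events):
    """Return {signature name: [evidence, ...]} for the signatures observed."""
    hits = defaultdict(list)
    suspended, written, ctx_set = set(), set(), set()  # child pids seen at each hollowing stage

    for ev in events:
        api, args = ev["api"], ev["args"]
        if api == "RegSetValueExW" and len(args) >= 4:
            key, name, _vtype, data = args[:4]
            k = key.lower()
            if k.endswith(POLICIES_SYSTEM) and name.lower() == "disabletaskmgr" and data == "1":
                hits["Disables Task Manager via registry modification"].append(f"{key}\\{name}={data}")
            elif k.endswith(RUN_KEY):
                hits["Adds Run key to start application"].append(f"{name} -> {data}")
        elif api == "RegQueryValueExW" and len(args) >= 2:
            key, name = args[:2]
            k = key.lower()
            if k.endswith(GEO_KEY) and name.lower() == "nation":
                hits["Checks computer location settings"].append(f"{key}\\{name}")
            elif k.endswith(MOUNTED_DEVICES):
                hits["Maps connected drives based on registry"].append(key)
        elif api == "CreateProcessW" and len(args) >= 3:
            _image, flags, child = args[:3]
            if int(flags, 16) & CREATE_SUSPENDED:
                suspended.add(int(child))
        elif api == "NtWriteVirtualMemory" and args:
            written.add(int(args[0]))
        elif api == "SetThreadContext" and args:
            ctx_set.add(int(args[0]))
        elif api == "NtResumeThread" and args:
            target = int(args[0])
            # Suspended create -> write -> SetThreadContext -> resume is the
            # classic hollowing chain; SetThreadContext on its own is too noisy.
            if target in suspended and target in written and target in ctx_set:
                hits["Suspicious use of SetThreadContext"].append(f"hollowing chain into pid {target}")
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in detect(parse_trace(SAMPLE_TRACE)).items():
        print(f"{name}: {evidence}")
```

Run against the constructed trace, all five registry and injection signatures from the report fire; the two that rest on behaviour the trace does not model (dropped EXE and DLL execution, dropped startup file) would need file-system events and are left out. Matching on key suffixes rather than full paths is deliberate: sandboxes and EDRs render the hive prefix differently (HKCU versus HKU\<SID>), and a rule that hard-codes one form silently misses the other.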