General

  • Target

    54a0857ef1b0d0833d4f8d907b6586a7.bin

  • Size

    271KB

  • Sample

    230127-qekvkscf8s

  • MD5

    f5522814b9a3a4e44a5dc1b1a16bd5e0

  • SHA1

    00864b45969cec73902905c7f5576116044923a3

  • SHA256

    efe2d9e7b7ea24297926c267b5021b9d14ba5c9c19114f782c6ee55742269809

  • SHA512

    d4bd4760d09457d8848262cfab6ff2eafb423d1fe12ca8e1d2b1438c928ddd2dd8f158b42b091bb759139483e939742f30b4a4fcf2b35bfe0031c5d0b03679c5

  • SSDEEP

    6144:hV/n6aoDevCo4ENdAVmlZwpkP9j3QNNfzPASEzn4ZnNe8bO45u:zxoDnvENdA8aq0OnVQhu

Malware Config

Targets

    • Target

      10ff7959558189167db85dd91f6741befe3b5505c6caddfd259c4e3e864c1056.xls

    • Size

      468KB

    • MD5

      54a0857ef1b0d0833d4f8d907b6586a7

    • SHA1

      b7133b4c386b415ecc3897eff44f424d9f079575

    • SHA256

      10ff7959558189167db85dd91f6741befe3b5505c6caddfd259c4e3e864c1056

    • SHA512

      89981ba0e4f410e1ac63117be255b6490c518304d0fd9c93c1ef25048c545d32e5dd3e420f5c18de84a5d70f7b86def4c41fffe3f98809469080f8852ac659c5

    • SSDEEP

      6144:uh0k5eq1h0k5eqnh0k5eO6h0k5eq7UZ+RwPONXoRjDhIcp0fDlavx+W26nA4W6r6:uykdykvykeykf4MYyqk5q8

    • Detect PureCrypter injector

    • Detects Smokeloader packer

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 2

  • Discovery

    System Information Discovery (T1082): 4
    Query Registry (T1012): 3
    Peripheral Device Discovery (T1120): 1

Tasks