General

  • Target

    daefa1992110b9e7aadbf7364e36e621e389a3b92ea9f6b4f3c4debe9f7cc7d8

  • Size

    284KB

  • Sample

    230203-j5j8eada74

  • MD5

    a57f8d835e4ee44ece456f153afea53e

  • SHA1

    ce249eb9807503c011b88871edb19f9a31dca673

  • SHA256

    daefa1992110b9e7aadbf7364e36e621e389a3b92ea9f6b4f3c4debe9f7cc7d8

  • SHA512

    6e8ef4495eee6cbb3d67cb22e5c9a7b113e36d28164004ca34be58e8e4cb241c0a4fd90669607440e42f58ced5abf3c118222816fb2d38a7ad025cf1852df4ec

  • SSDEEP

    3072:j7vXDy9uQr23hL/pD+JW+ge5rcfvfr+A9QZrqLy3KT15thsK0Kl+qC6TZw:j7vXxL/pD+Jzgt/6/q2aTx3tli6dw

Malware Config

Extracted

  • Family

    systembc

  • C2

    144.76.223.74:443

Targets

    • Target

      daefa1992110b9e7aadbf7364e36e621e389a3b92ea9f6b4f3c4debe9f7cc7d8

    • Size

      284KB

    • MD5

      a57f8d835e4ee44ece456f153afea53e

    • SHA1

      ce249eb9807503c011b88871edb19f9a31dca673

    • SHA256

      daefa1992110b9e7aadbf7364e36e621e389a3b92ea9f6b4f3c4debe9f7cc7d8

    • SHA512

      6e8ef4495eee6cbb3d67cb22e5c9a7b113e36d28164004ca34be58e8e4cb241c0a4fd90669607440e42f58ced5abf3c118222816fb2d38a7ad025cf1852df4ec

    • SSDEEP

      3072:j7vXDy9uQr23hL/pD+JW+ge5rcfvfr+A9QZrqLy3KT15thsK0Kl+qC6TZw:j7vXxL/pD+Jzgt/6/q2aTx3tli6dw

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    System Information Discovery (T1082): 3

    Query Registry (T1012): 2

    Peripheral Device Discovery (T1120): 1

Tasks