General
-
Target
eef4b9da665969c538717fecd8ae1c0ae2948e09ab86745f2b847aedf1b3fee8
-
Size
184KB
-
Sample
230217-rbrz6afg22
-
MD5
349971557e88ced0c1c06877525daa27
-
SHA1
88c74c2b2dc0226a6e2a8f734c85ded9e2af47f8
-
SHA256
eef4b9da665969c538717fecd8ae1c0ae2948e09ab86745f2b847aedf1b3fee8
-
SHA512
87102f7d9d2cddf490e411ffbc00247cd0edae307b3bddbfb09f3a3fd4d93913b14376af642ee31ae1d80f2e5e61a677d572fc3d35233a9609f52ba5fd983bae
-
SSDEEP
3072:x/BgPvTmL4bjsuPJqZGmtKG1g1OZ6PWvXI6b/VkTYY49ID9pCtDm:x/+NXsuhMREG+1VII6bVpcD9Q
Malware Config
Targets
-
-
Target
eef4b9da665969c538717fecd8ae1c0ae2948e09ab86745f2b847aedf1b3fee8
-
Size
184KB
-
MD5
349971557e88ced0c1c06877525daa27
-
SHA1
88c74c2b2dc0226a6e2a8f734c85ded9e2af47f8
-
SHA256
eef4b9da665969c538717fecd8ae1c0ae2948e09ab86745f2b847aedf1b3fee8
-
SHA512
87102f7d9d2cddf490e411ffbc00247cd0edae307b3bddbfb09f3a3fd4d93913b14376af642ee31ae1d80f2e5e61a677d572fc3d35233a9609f52ba5fd983bae
-
SSDEEP
3072:x/BgPvTmL4bjsuPJqZGmtKG1g1OZ6PWvXI6b/VkTYY49ID9pCtDm:x/+NXsuhMREG+1VII6bVpcD9Q
Score10/10-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Detected potential entity reuse from brand microsoft.
-
Suspicious use of SetThreadContext
-