General
-
Target
3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8
-
Size
185KB
-
Sample
230217-skmx8sga66
-
MD5
e4603be20f92b7c48490d337b3ae9a11
-
SHA1
381a23e57277d6c31951f67b1e6244c22e4d6d76
-
SHA256
3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8
-
SHA512
8009c40a2fc2f26f9a84a92cd9a73c0fe0eda9d81848dfe54f01031a15ae759278d2844bd81c52e26b40e42610d16913498e0538568900fd75adc213b35b062f
-
SSDEEP
3072:MOy5Yf2HyYkTkwlGYZZH80OibZH/9gqqGtzRMEuoPSZN2BIwacI8EjN5gD:aecIkwYccyZVgqqGKZNUi35g
Malware Config
Targets
-
-
Target
3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8
-
Size
185KB
-
MD5
e4603be20f92b7c48490d337b3ae9a11
-
SHA1
381a23e57277d6c31951f67b1e6244c22e4d6d76
-
SHA256
3c2111e827e5cf00dd7984f708be0fcf0c0a39cad5eb041305822f516bc310f8
-
SHA512
8009c40a2fc2f26f9a84a92cd9a73c0fe0eda9d81848dfe54f01031a15ae759278d2844bd81c52e26b40e42610d16913498e0538568900fd75adc213b35b062f
-
SSDEEP
3072:MOy5Yf2HyYkTkwlGYZZH80OibZH/9gqqGtzRMEuoPSZN2BIwacI8EjN5gD:aecIkwYccyZVgqqGKZNUi35g
Score10/10-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Detected potential entity reuse from brand microsoft.
-
Suspicious use of SetThreadContext
-