General
-
Target
cb3c83da32f0b4243c341c37e9865ddaaa0a612b333f372671e3610fb8b8f586
-
Size
246KB
-
Sample
230218-2szrfadb51
-
MD5
c3930d1f11425f93631557cb762e32fd
-
SHA1
498320119f85c455cc5dca8f2aa60aa9290de90f
-
SHA256
cb3c83da32f0b4243c341c37e9865ddaaa0a612b333f372671e3610fb8b8f586
-
SHA512
d4c62aa173ce314c91104db30d6032c5e6c501cb4094aa761edb1e55e66c7b645b3e834db590da2d5c3e7550865cdfd191f4282588e262211d5dce3445babfa5
-
SSDEEP
3072:mZ2xVf/LeleqnDDRpRF/k0OjIJA6bKIXYOU8R0c2M2ZdnVUkF:sEx/LelZDbdiiZoO1R0c2M2Zd
Malware Config
Targets
-
-
Target
cb3c83da32f0b4243c341c37e9865ddaaa0a612b333f372671e3610fb8b8f586
-
Size
246KB
-
MD5
c3930d1f11425f93631557cb762e32fd
-
SHA1
498320119f85c455cc5dca8f2aa60aa9290de90f
-
SHA256
cb3c83da32f0b4243c341c37e9865ddaaa0a612b333f372671e3610fb8b8f586
-
SHA512
d4c62aa173ce314c91104db30d6032c5e6c501cb4094aa761edb1e55e66c7b645b3e834db590da2d5c3e7550865cdfd191f4282588e262211d5dce3445babfa5
-
SSDEEP
3072:mZ2xVf/LeleqnDDRpRF/k0OjIJA6bKIXYOU8R0c2M2ZdnVUkF:sEx/LelZDbdiiZoO1R0c2M2Zd
Score10/10-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-