General
-
Target
e3f3cfbad999fe929fd7462cef614726ce36c9e521087ce2a9197b75ae0cfcf2
-
Size
248KB
-
Sample
230218-wbg76sch84
-
MD5
0a3a99a1c9bac5d5940b812fa8348098
-
SHA1
e86fa21a95d677eedca0b8eaafbfe8291e754c79
-
SHA256
e3f3cfbad999fe929fd7462cef614726ce36c9e521087ce2a9197b75ae0cfcf2
-
SHA512
ed94fc8e59ff77366ea14247071ad41cb0de1130c579c99bd3fee4c943610480d5070a91974b670d5bc787568c825c134727ab2f995d71abe8f00c6b6dc78f1f
-
SSDEEP
3072:Fl24EZnLAUVOnB1Ud81yvgTQ2iAioGlCYBVUzs6fGLkYVVUa2Yj75:bdSnLAU61LyoT+ZHcYBjwGLt72u
Malware Config
Targets
-
-
Target
e3f3cfbad999fe929fd7462cef614726ce36c9e521087ce2a9197b75ae0cfcf2
-
Size
248KB
-
MD5
0a3a99a1c9bac5d5940b812fa8348098
-
SHA1
e86fa21a95d677eedca0b8eaafbfe8291e754c79
-
SHA256
e3f3cfbad999fe929fd7462cef614726ce36c9e521087ce2a9197b75ae0cfcf2
-
SHA512
ed94fc8e59ff77366ea14247071ad41cb0de1130c579c99bd3fee4c943610480d5070a91974b670d5bc787568c825c134727ab2f995d71abe8f00c6b6dc78f1f
-
SSDEEP
3072:Fl24EZnLAUVOnB1Ud81yvgTQ2iAioGlCYBVUzs6fGLkYVVUa2Yj75:bdSnLAU61LyoT+ZHcYBjwGLt72u
Score10/10-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Detected potential entity reuse from brand microsoft.
-
Suspicious use of SetThreadContext
-