General
-
Target
cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d
-
Size
245KB
-
Sample
230218-zawwqadd78
-
MD5
e46053b5c24461d596948f0454e73b58
-
SHA1
6fc4218945520dfd5f3ad851bd0be6928817152a
-
SHA256
cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d
-
SHA512
ac23285029ac7e0b35bdf169ebc9f08a31fb75f413c64848a4b5a54037444ee2a6f7e995fbd2fd0e16f70d2b24b3f5d0e60f9d16c2d5555ac571c51cd5cc7184
-
SSDEEP
3072:nF2VYvjLKUnOnFh4d81cOtI7IwPNOShYPewvYi/IhxSVUtwh:FkMjLKUQh/lwVO24vp/Ij
Malware Config
Targets
-
-
Target
cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d
-
Size
245KB
-
MD5
e46053b5c24461d596948f0454e73b58
-
SHA1
6fc4218945520dfd5f3ad851bd0be6928817152a
-
SHA256
cf4c097ad6021d69482076fe305c914d4636781d91bb652dfbc34ffb946b070d
-
SHA512
ac23285029ac7e0b35bdf169ebc9f08a31fb75f413c64848a4b5a54037444ee2a6f7e995fbd2fd0e16f70d2b24b3f5d0e60f9d16c2d5555ac571c51cd5cc7184
-
SSDEEP
3072:nF2VYvjLKUnOnFh4d81cOtI7IwPNOShYPewvYi/IhxSVUtwh:FkMjLKUQh/lwVO24vp/Ij
Score10/10-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Detected potential entity reuse from brand microsoft.
-
Suspicious use of SetThreadContext
-