General
- Target: 8a7bd81348d196411870662f20f8070ebc068ee21de4cbae342ea44da41da0bc
- Size: 277KB
- Sample: 230324-1ggaaabf6z
- MD5: 0ae23cd6bb94954011e39d65cd859740
- SHA1: 53b9b06b65c708eff41deb34d221563ac77453fa
- SHA256: 8a7bd81348d196411870662f20f8070ebc068ee21de4cbae342ea44da41da0bc
- SHA512: e913898913e49cb170fde0cbee257fd2af0fb9d931daeeb3d8902b44b14e7ab6ee30d8dc118ff95e5bc2f8f6e827fa0abb94a8d351c3b075c5f1431f268083a8
- SSDEEP: 3072:exlPvo2dcvcCN75ABlfTynGydZxALCyFI1VENsRyWf8Ml7sWYu0ZWnMWN8aeeL:e9gVZaTynKCGI0HWf8SYWY6Mva
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8a7bd81348d196411870662f20f8070ebc068ee21de4cbae342ea44da41da0bc.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Extracted
raccoon
b68788975ed4f9b62a22d17711a68c8f
http://185.106.92.151
http://185.106.92.27
Targets
- Detects Echelon Stealer payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext