Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
09-04-2023 03:56
General
-
Target
7b8d6a8df92cb4e46355a013eba0a790c96c0d1f1366ef1279e58b68c7df5005.exe
-
Size
202KB
-
MD5
7072b3960f8077bf1a56980120ce8e28
-
SHA1
5f502587805cd7e3466bfac487b982bbce4d59f5
-
SHA256
7b8d6a8df92cb4e46355a013eba0a790c96c0d1f1366ef1279e58b68c7df5005
-
SHA512
ac8b5edb2d38b65031139c2a73827f3a80fede284cbaf696eaa6ee3a86aff29c63ffad164a498f461b48209cf1ec23b71028f06fe03816fb4c5f8d83c0859377
-
SSDEEP
3072:E8QHeJugd3YrI0JcFNQcyuzIF4F4YI+fMC5OvIsX:/eb9I0JcFNUGzI+fWvX
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Extracted
vidar
3.3
8eb820ddf1aebfd9fcdae0b7decef98a
https://steamcommunity.com/profiles/76561199492257783
https://t.me/justsometg
-
profile_id_v2
8eb820ddf1aebfd9fcdae0b7decef98a
-
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9
Extracted
amadey
3.70
focustopbreed78d.com/ve83dkas2m/index.php
todaysingchina456.com/ve83dkas2m/index.php
chinataiw39e9i9ds.com/ve83dkas2m/index.php
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Stealc stealer 1 IoCs
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
.NET Reactor proctector 10 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 9 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b8d6a8df92cb4e46355a013eba0a790c96c0d1f1366ef1279e58b68c7df5005.exe"C:\Users\Admin\AppData\Local\Temp\7b8d6a8df92cb4e46355a013eba0a790c96c0d1f1366ef1279e58b68c7df5005.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F820.exeC:\Users\Admin\AppData\Local\Temp\F820.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\45091069334565828803.exe"C:\ProgramData\45091069334565828803.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\45091069334565828803.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 04⤵
-
-
-
-
C:\ProgramData\45427037533273523422.exe"C:\ProgramData\45427037533273523422.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\45427037533273523422.exe"C:\ProgramData\45427037533273523422.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\F820.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\FB4E.exeC:\Users\Admin\AppData\Local\Temp\FB4E.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 5482⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 6242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 7162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 7722⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 8082⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 8082⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 10322⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 10682⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 10962⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\90A.exeC:\Users\Admin\AppData\Local\Temp\90A.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
6.5MB
MD516df503a8f0da68ea293647521a0f3b2
SHA1ff6a8f795d86f891ce030eb7c11ef11e4e6fd363
SHA25620f64a2a0264eeaffd4a844cc4cae2e1ac8beb4c2c1cdbbe4c7d440ee6ca2789
SHA5123821b0c34967cca04201946f041e1131a480c77966ce4342e02cc08fd73c53f53aa4d5ce99b7f4b08df5579b2af4896cfb56598d545250aff8957d63dac9032f
-
Filesize
6.5MB
MD516df503a8f0da68ea293647521a0f3b2
SHA1ff6a8f795d86f891ce030eb7c11ef11e4e6fd363
SHA25620f64a2a0264eeaffd4a844cc4cae2e1ac8beb4c2c1cdbbe4c7d440ee6ca2789
SHA5123821b0c34967cca04201946f041e1131a480c77966ce4342e02cc08fd73c53f53aa4d5ce99b7f4b08df5579b2af4896cfb56598d545250aff8957d63dac9032f
-
Filesize
6.5MB
MD516df503a8f0da68ea293647521a0f3b2
SHA1ff6a8f795d86f891ce030eb7c11ef11e4e6fd363
SHA25620f64a2a0264eeaffd4a844cc4cae2e1ac8beb4c2c1cdbbe4c7d440ee6ca2789
SHA5123821b0c34967cca04201946f041e1131a480c77966ce4342e02cc08fd73c53f53aa4d5ce99b7f4b08df5579b2af4896cfb56598d545250aff8957d63dac9032f
-
Filesize
92KB
MD5e93f499f52c3bc7e456a1b5978fc05d5
SHA17deaa85ec9fb9401f2010bb0a893635d9a7e02bd
SHA2568405cf0dbae6930f4add6b7354f71d815919211f8be724292f26e028253e94d2
SHA5122aa3d1573cc52a1107a9b31fdce074e325130a64e5faa282c7c6b2ca88646013106e39d357710deb90c253e885479ea512d04b2e162a936c58c1e40812af9b31
-
Filesize
2KB
MD5d75a4288dd7c1830943144efc22ada96
SHA1ad511f65e8ba26972da764571d8a74f6accf0004
SHA256ea6c7b31d79e3b448ac77f2a7849d616d7f9f61b629c7949315564ff515021cd
SHA512d7b69aa2084a2eb1227b71c13325d81e2922c6d74667646942b575c6627584bf44c88663fffee10c29553542c1992f95055062c567bf2e4fa03118158d0c417e
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
4KB
MD55ea4919025090d4f0347abd7b1177163
SHA1d1f0b69d5b6e2c675ade8a87545b47c270023f7b
SHA256ab8d315c3faf73e26f55924541e8439022d76f3629853b028d9bddef9cd709cd
SHA5121d3eeedb1722ba552d1994a2beaa8742a628fac7fc9b496ec07df2667ff135efb58e71291e71b35aab1520fcf2b2fb68e49af3d4799f7bb35339c2de14945477
-
Filesize
251KB
MD54e52d739c324db8225bd9ab2695f262f
SHA171c3da43dc5a0d2a1941e874a6d015a071783889
SHA25674ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA5122d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6
-
Filesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
5.1MB
MD5c48f04fe12229436e154ea34e56c594e
SHA1192eca761173f93364bbefc7ab7f0d4f29aeaf05
SHA2563a93ea1ba99bf336e9439cefc72d74f70d22efae25de85a0852a0e73bf7aae46
SHA5129be0b6b13617b95e3c1b17bdc830383a5e6e11c508140f629f6861d01791289f5106af8bd4019678d22f791097a19fa70e30b0c5632332b4087430d975c538ac
-
Filesize
5.1MB
MD5c48f04fe12229436e154ea34e56c594e
SHA1192eca761173f93364bbefc7ab7f0d4f29aeaf05
SHA2563a93ea1ba99bf336e9439cefc72d74f70d22efae25de85a0852a0e73bf7aae46
SHA5129be0b6b13617b95e3c1b17bdc830383a5e6e11c508140f629f6861d01791289f5106af8bd4019678d22f791097a19fa70e30b0c5632332b4087430d975c538ac
-
Filesize
311KB
MD5d7d0ea8c823cebe6267f9a96a3255d78
SHA15974286c6db909e9b01fa8c0274815387e53c963
SHA256a24baae5051ba611fccc9aa14fedca0ba602edb049a5d65ea21632d1a7798e88
SHA512389e66d7ea25674f756779b12381329980ebdb2f1b47c305684ef21e5d5f7fa7909f17eec4f6db43c9c246124a70eaa069ec58727665c2707d89e3539e19cc24
-
Filesize
311KB
MD5d7d0ea8c823cebe6267f9a96a3255d78
SHA15974286c6db909e9b01fa8c0274815387e53c963
SHA256a24baae5051ba611fccc9aa14fedca0ba602edb049a5d65ea21632d1a7798e88
SHA512389e66d7ea25674f756779b12381329980ebdb2f1b47c305684ef21e5d5f7fa7909f17eec4f6db43c9c246124a70eaa069ec58727665c2707d89e3539e19cc24
-
Filesize
228KB
MD56809ca52cdc1bfffe3496efd3e2409b5
SHA144134800f629ede1e7152aaceb1789fa43fe24fa
SHA25636102822cb63b04fe1ae8268519a7a854a4bd8e763c93fe17908d56838944f4a
SHA512e741868568f65396ce33e429133e519c84877952842e274b9cf2272540893698a311a950ef1a179a6adf67e68a8d589782a1874449171af2a3dcd451cffca7a0
-
Filesize
228KB
MD56809ca52cdc1bfffe3496efd3e2409b5
SHA144134800f629ede1e7152aaceb1789fa43fe24fa
SHA25636102822cb63b04fe1ae8268519a7a854a4bd8e763c93fe17908d56838944f4a
SHA512e741868568f65396ce33e429133e519c84877952842e274b9cf2272540893698a311a950ef1a179a6adf67e68a8d589782a1874449171af2a3dcd451cffca7a0
-
Filesize
299.1MB
MD52a42c6e8e30982193160b8f77d00ed75
SHA183b087208af671d7b8be92331ce8aa654ee741f5
SHA2569b4f43846aa1544037b323af7e4dcbf7925edc477757a1a5d535c973f5a884b0
SHA5123ebeba6b6a6d953ccedb935dab19afa8dd649c4a7164577b3de3ab1f02ad0977f5c430c6c3dc1e15ebaea8295b04d0395a6adca2403cd5d96b5d68cea4725b23
-
Filesize
148.1MB
MD50f48ebd93a2624015402cf8db055f2b0
SHA167f7408acaf7a44fcbee5e32d7e63e2285180bc7
SHA256dfc45a78e12e9e15e56bb7498e3154ed6e6dcf4f97fdefb3564659b1fbf1a6d3
SHA512a3450332cdae883c02496a1b3b796aee19eddaf6eea66a478c70419669530340231161214a5d154c83b8698555bffeb85ce74d950f88d70d49ba7e60975088b1
-
Filesize
190.6MB
MD50473b52c9ceef3e5835e9d1ba5a25fee
SHA1f53372164051a8d75d14266c65d0e34df14aeb9d
SHA256df704c12683ef2e9b6dcb3bf73307c75e45b714592b46d9b98dbacca8d547b6d
SHA512a39d4c5d2567b16d0961364bd2aeeb1eaad60fb359ece43d1ac9bb9fa6e5e8f9e143b24fc10a9a27f029b27cfc458e3a85fb5d76f20647f2786edff176027720
-
Filesize
100.6MB
MD56e4aac1e594acdcc1745aeadb2023956
SHA18998a85ffb711469a13ea9ca6016ff9fbedccbf9
SHA256acb0988dd389cb55026b40e8dceb6d5ea30a1fa75033ed994b189c9589ddcb1f
SHA512f5ccffb8f9d20f3e6a2006cbfdb3b037e02cca6fcd004d4d5bec08c3eb1ad027654fe27ca7139cb816e03d3e2b3d63293f08b7afa6d012744708f3895ae0b91a
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
640KB
-
Filesize
36KB
-
Filesize
256KB
-
Filesize
14.4MB
-
Filesize
14.4MB
-
Filesize
748KB
-
Filesize
972KB
-
Filesize
348KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
568KB
-
Filesize
6.5MB
-
Filesize
5.0MB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
244KB
-
Filesize
668KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
244KB
-
Filesize
44KB
-
Filesize
244KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
2.2MB
-
Filesize
4.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
156KB