General
-
Target
bd7adc4a910dd1433eef94e8660718759ce60887d5540f0733e0b5179c1460fb
-
Size
198KB
-
Sample
230411-l1t8xsdd7s
-
MD5
7b160ddabf10aaaf6a5533b519ea64c8
-
SHA1
89db6e0dca5bce8e22e82be4dbb7ed3ab2f7bfee
-
SHA256
bd7adc4a910dd1433eef94e8660718759ce60887d5540f0733e0b5179c1460fb
-
SHA512
3602930295116e011e9184e4d0c9f8a66501bb884b50fc574ea728cfce1ce940c81fd11ff8f964eee0f5d081fbaab977a9da1d2979fffd78386af073dd748bce
-
SSDEEP
3072:IHRRsAKdinlM6bbMQOg9MrKZOY1qAndSPCCTAajbj537flXBjx:+CcnlZPMUyesgbndSPCCTAajl7ffjx
Static task
static1
Behavioral task
behavioral1
Sample
bd7adc4a910dd1433eef94e8660718759ce60887d5540f0733e0b5179c1460fb.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Extracted
laplas
http://45.159.189.105
-
api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Targets
-
-
Target
bd7adc4a910dd1433eef94e8660718759ce60887d5540f0733e0b5179c1460fb
-
Size
198KB
-
MD5
7b160ddabf10aaaf6a5533b519ea64c8
-
SHA1
89db6e0dca5bce8e22e82be4dbb7ed3ab2f7bfee
-
SHA256
bd7adc4a910dd1433eef94e8660718759ce60887d5540f0733e0b5179c1460fb
-
SHA512
3602930295116e011e9184e4d0c9f8a66501bb884b50fc574ea728cfce1ce940c81fd11ff8f964eee0f5d081fbaab977a9da1d2979fffd78386af073dd748bce
-
SSDEEP
3072:IHRRsAKdinlM6bbMQOg9MrKZOY1qAndSPCCTAajbj537flXBjx:+CcnlZPMUyesgbndSPCCTAajl7ffjx
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-