Overview

overview

10

Static

static

3

ee0695e88b...bf.exe

windows7-x64

10

ee0695e88b...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    199s
  • max time network
    224s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-05-2023 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee0695e88b2430ef59373e6638c505a0ad298306e0989c25ea15d4735e90c4bf.exe

  • Size

    326KB

  • MD5

    a32c9253643c7ceb577c01c553c9855e

  • SHA1

    a8e9b863779e156726694ec0a338c408fcb63ea2

  • SHA256

    ee0695e88b2430ef59373e6638c505a0ad298306e0989c25ea15d4735e90c4bf

  • SHA512

    6c08e969ab0d3339c7f06a8f32ad1679cdc827325a249add23e0d7785fdbce6b975acad7329e12b6ab1606c96ef5728411ac674ac52e2532ecb210a8b8af0134

  • SSDEEP

    6144:fauRRJZdymVP+xWeXDxO92kKqj8wa71lz:yujLdymVPWWSD08kKqjMlz

Score
10/10
smokeloadervidar1616034f091df9fd0229bc38dd17597fpub1backdoorstealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

3.6

Botnet

1616034f091df9fd0229bc38dd17597f

C2

https://steamcommunity.com/profiles/76561199499188534

https://t.me/nutalse
Attributes
  • profile_id_v2

    1616034f091df9fd0229bc38dd17597f

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

Extracted

Family

smokeloader

Botnet

pub1

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee0695e88b2430ef59373e6638c505a0ad298306e0989c25ea15d4735e90c4bf.exe
    "C:\Users\Admin\AppData\Local\Temp\ee0695e88b2430ef59373e6638c505a0ad298306e0989c25ea15d4735e90c4bf.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1620
  • C:\Users\Admin\AppData\Roaming\fftjhfh
    C:\Users\Admin\AppData\Roaming\fftjhfh
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:556
  • C:\Users\Admin\AppData\Local\Temp\6C6C.exe
    C:\Users\Admin\AppData\Local\Temp\6C6C.exe
    1⤵
    • Executes dropped EXE
    PID:3112
  • C:\Users\Admin\AppData\Local\Temp\A80F.exe
    C:\Users\Admin\AppData\Local\Temp\A80F.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:4960
  • C:\Users\Admin\AppData\Local\Temp\B04D.exe
    C:\Users\Admin\AppData\Local\Temp\B04D.exe
    1⤵
    • Executes dropped EXE
    PID:2320
  • C:\Users\Admin\AppData\Local\Temp\C2DC.exe
    C:\Users\Admin\AppData\Local\Temp\C2DC.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:4864

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6C6C.exe
    Filesize

    465KB

    MD5

    75c244e85bf8d76db3937fa629375bad

    SHA1

    2c954e838b870ebb1996747ccebc577efa34a7e9

    SHA256

    38ce7804dfdc1596c2a26d83a6097a837e6c7787b88de3ed781aae12e07f52d7

    SHA512

    f0da9a192ed89073b54489a49cd4f8b2fb6447bc63190108551b68cc982dcd85b4afa2f3ac6a107c897fae39f22195e6e677b1888e3e2b2bd8c06e8dbb35a5d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6C6C.exe
    Filesize

    465KB

    MD5

    75c244e85bf8d76db3937fa629375bad

    SHA1

    2c954e838b870ebb1996747ccebc577efa34a7e9

    SHA256

    38ce7804dfdc1596c2a26d83a6097a837e6c7787b88de3ed781aae12e07f52d7

    SHA512

    f0da9a192ed89073b54489a49cd4f8b2fb6447bc63190108551b68cc982dcd85b4afa2f3ac6a107c897fae39f22195e6e677b1888e3e2b2bd8c06e8dbb35a5d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A80F.exe
    Filesize

    302KB

    MD5

    d58dfbdbe93d7f560ee6380e69e8b7e5

    SHA1

    e1799582e614a844b32424ca2660a20a0a84ccba

    SHA256

    fac94fa8922c5efe57ca98c4a0b78de5541ec4ef0084f33b3e9e19550d2b05ea

    SHA512

    d364b93d33d53210e2abd6ab7c0c1f8fcf588b8ff2f94f0285564a8eb8b26c6ca8da7e135f876ba1cb5f6b9eb08f3ea6c40b169ea2909f0a2eb5f4d7684b793f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A80F.exe
    Filesize

    302KB

    MD5

    d58dfbdbe93d7f560ee6380e69e8b7e5

    SHA1

    e1799582e614a844b32424ca2660a20a0a84ccba

    SHA256

    fac94fa8922c5efe57ca98c4a0b78de5541ec4ef0084f33b3e9e19550d2b05ea

    SHA512

    d364b93d33d53210e2abd6ab7c0c1f8fcf588b8ff2f94f0285564a8eb8b26c6ca8da7e135f876ba1cb5f6b9eb08f3ea6c40b169ea2909f0a2eb5f4d7684b793f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B04D.exe
    Filesize

    4.3MB

    MD5

    8baba9f71070bcdfd468a74b7f7eafc1

    SHA1

    274bd5c3c32b447d020e287f7e875e3d03db8090

    SHA256

    5c3fac8232556a1019977e05b02665b342ad523a9f11882468b9de6207bd241f

    SHA512

    71bbd0d3df063e3ecce13754f9b283afde43e23fa6efec343cf5f0368d2e3e673e6b9d813da76e27ce39d1353af6815b72916e27c1ccc03e9d6572d28501154a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B04D.exe
    Filesize

    4.3MB

    MD5

    8baba9f71070bcdfd468a74b7f7eafc1

    SHA1

    274bd5c3c32b447d020e287f7e875e3d03db8090

    SHA256

    5c3fac8232556a1019977e05b02665b342ad523a9f11882468b9de6207bd241f

    SHA512

    71bbd0d3df063e3ecce13754f9b283afde43e23fa6efec343cf5f0368d2e3e673e6b9d813da76e27ce39d1353af6815b72916e27c1ccc03e9d6572d28501154a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\C2DC.exe
    Filesize

    302KB

    MD5

    d58dfbdbe93d7f560ee6380e69e8b7e5

    SHA1

    e1799582e614a844b32424ca2660a20a0a84ccba

    SHA256

    fac94fa8922c5efe57ca98c4a0b78de5541ec4ef0084f33b3e9e19550d2b05ea

    SHA512

    d364b93d33d53210e2abd6ab7c0c1f8fcf588b8ff2f94f0285564a8eb8b26c6ca8da7e135f876ba1cb5f6b9eb08f3ea6c40b169ea2909f0a2eb5f4d7684b793f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\C2DC.exe
    Filesize

    302KB

    MD5

    d58dfbdbe93d7f560ee6380e69e8b7e5

    SHA1

    e1799582e614a844b32424ca2660a20a0a84ccba

    SHA256

    fac94fa8922c5efe57ca98c4a0b78de5541ec4ef0084f33b3e9e19550d2b05ea

    SHA512

    d364b93d33d53210e2abd6ab7c0c1f8fcf588b8ff2f94f0285564a8eb8b26c6ca8da7e135f876ba1cb5f6b9eb08f3ea6c40b169ea2909f0a2eb5f4d7684b793f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\fftjhfh
    Filesize

    326KB

    MD5

    a32c9253643c7ceb577c01c553c9855e

    SHA1

    a8e9b863779e156726694ec0a338c408fcb63ea2

    SHA256

    ee0695e88b2430ef59373e6638c505a0ad298306e0989c25ea15d4735e90c4bf

    SHA512

    6c08e969ab0d3339c7f06a8f32ad1679cdc827325a249add23e0d7785fdbce6b975acad7329e12b6ab1606c96ef5728411ac674ac52e2532ecb210a8b8af0134

    Download Submit

  • C:\Users\Admin\AppData\Roaming\fftjhfh
    Filesize

    326KB

    MD5

    a32c9253643c7ceb577c01c553c9855e

    SHA1

    a8e9b863779e156726694ec0a338c408fcb63ea2

    SHA256

    ee0695e88b2430ef59373e6638c505a0ad298306e0989c25ea15d4735e90c4bf

    SHA512

    6c08e969ab0d3339c7f06a8f32ad1679cdc827325a249add23e0d7785fdbce6b975acad7329e12b6ab1606c96ef5728411ac674ac52e2532ecb210a8b8af0134

    Download Submit

  • memory/556-148-0x0000000000400000-0x00000000007F6000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/760-147-0x0000000002830000-0x0000000002846000-memory.dmp

    Filesize

    88KB

    Download

  • memory/760-137-0x0000000000850000-0x0000000000866000-memory.dmp

    Filesize

    88KB

    Download

  • memory/760-183-0x00000000078F0000-0x0000000007906000-memory.dmp

    Filesize

    88KB

    Download

  • memory/760-173-0x0000000007430000-0x0000000007446000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1620-138-0x0000000000400000-0x00000000007F6000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1620-136-0x0000000000400000-0x00000000007F6000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1620-134-0x0000000002530000-0x0000000002539000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1620-135-0x0000000000400000-0x00000000007F6000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2320-180-0x0000000000250000-0x000000000069A000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/3112-158-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3112-170-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3112-178-0x0000000002450000-0x00000000024AD000-memory.dmp

    Filesize

    372KB

    Download

  • memory/3112-182-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3112-156-0x0000000002450000-0x00000000024AD000-memory.dmp

    Filesize

    372KB

    Download

  • memory/4864-184-0x0000000000400000-0x0000000000A5C000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/4960-169-0x0000000002510000-0x0000000002519000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4960-174-0x0000000000400000-0x0000000000A5C000-memory.dmp

    Filesize

    6.4MB

    Download