General
Target: 65c3f5b8b95e801fe1c98058d48435629207adfa3fcec656364398c7501adc12
Size: 299KB
Sample: 230607-jxc45ahg6v
MD5: 8d4a5356bee36cef76a8405df8a122f1
SHA1: f8f02f087c428b8875ad52cb95541396bafe036a
SHA256: 65c3f5b8b95e801fe1c98058d48435629207adfa3fcec656364398c7501adc12
SHA512: f521962c0c8a9f492a771afc7b8f487abb328c9c4edbebcb32dda27a88c9865f12d973072aa7f1a20cb3b667ab8ed4edd1514ae58cca10a50d6ca66b83b72bc1
SSDEEP: 3072:JFV81fCVSezIAani6/RIBDD1chXbKt2aZnW8PwfNA5cRkMCPNsMPd+mS9J/5tl+F:CC4nF/RkVchXbKt2rN1tuNsMls3lYw
Static task: static1
Malware Config
Extracted: smokeloader (version 2022), C2 URL list:
Extracted: smokeloader (version pub1)
Extracted: amadey (version 3.67), C2: 45.9.74.80/0bjdn2Z/index.php
Targets
Target: 65c3f5b8b95e801fe1c98058d48435629207adfa3fcec656364398c7501adc12
- Detect Fabookie payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext