General
Target: obins.exe
Size: 1.0MB
Sample: 230612-lywc7sbc64
MD5: 8a06751312436a705c6404180c8b1519
SHA1: 2d1d3a9731159943463257ee2e94a070e39c3b36
SHA256: 0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
SHA512: f1a5b5fe6fe2a1d770dd0586f115b09f5d59d6a17ecf12b2a789a653c14542e35b1de5226264e6e2de09eb00f5530d01c6a90fc09df1615594d51c50b72b8a8c
SSDEEP: 12288:aV8Jo5Xb+qCPuwvko4WzuqimH8ISEW4Wq4/OS7oS/8lTkJKaG0BHDKnn2yoSXkHN:aV84dM1DyqRrJ55KU882tMkHWiP
Static task: static1
Malware Config
Extracted: amadey, 3.83
  45.9.74.80/0bjdn2Z/index.php
Extracted: smokeloader, pub5
Extracted: smokeloader, 2022
  http://aapu.at/tmp/
  http://poudineh.com/tmp/
  http://firsttrusteedrx.ru/tmp/
  http://kingpirate.ru/tmp/
Extracted: smokeloader, up3
Extracted: gcleaner
  45.12.253.56
  45.12.253.72
  45.12.253.98
  45.12.253.75
Extracted: smokeloader, 2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Targets
Target: obins.exe
Size: 1.0MB
- Detect Fabookie payload
- Glupteba payload
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Modify Existing Service: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task: 1
Defense Evasion
- Disabling Security Tools: 2
- Modify Registry: 4
- Impair Defenses: 1
- Install Root Certificate: 1