General
-
Target
8a06751312436a705c6404180c8b1519.bin
-
Size
737KB
-
Sample
230613-bxqffseh6s
-
MD5
907aa3a5410bb171443defcd8c2dd0aa
-
SHA1
61a19b504b61b2eb33c47a8bb2c89c6536bc8f46
-
SHA256
9a61a69843876216b142da28473021de6fdb5b386d5713998e8e0bf4499e79d3
-
SHA512
c9cd491a247153e4cb99e52030078ba279edd3d83c4b07f84974510822e986acb7cf68e97c5f325f6dd50c39ed48358bdcfbb64b1784dd2957d0831479af097a
-
SSDEEP
12288:Otdhr6fSvTOwhcL14T8xvLSzT2G+pQ6XwuLm3AfligJeYwz/htxSSfwwoCeqVW:OtrrWSBh+4T8xO/6BmQf0gJeYS/htx/W
Static task
static1
Behavioral task
behavioral1
Sample
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
amadey
3.83
45.9.74.80/0bjdn2Z/index.php
Extracted
smokeloader
pub5
Extracted
smokeloader
2022
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
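The extracted configurations above are the most directly actionable part of this report, but the three extractors print their C2s in three different shapes: a scheme-less IP plus path (Amadey), full URLs (SmokeLoader) and bare IPs (GCleaner). The following Python is an added example, not part of the report and not tooling from any of these families; it normalizes all three shapes and matches them against proxy log lines. The log format and the log lines are constructed for illustration; the indicators are the ones listed above.

```python
"""Match the C2 indicators this report extracted against proxy logs.

Added example, not part of the sandbox report.  The indicator list is copied
from the report's "Malware Config" section; the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# C2 endpoints exactly as the config extractors printed them.  Three shapes:
# scheme-less IP+path (Amadey), full URLs (SmokeLoader), bare IPs (GCleaner).
EXTRACTED_C2 = {
    "amadey": ["45.9.74.80/0bjdn2Z/index.php"],
    "smokeloader": [
        "http://aapu.at/tmp/",
        "http://poudineh.com/tmp/",
        "http://firsttrusteedrx.ru/tmp/",
        "http://kingpirate.ru/tmp/",
        "http://host-file-host6.com/",
        "http://host-host-file8.com/",
    ],
    "gcleaner": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"],
}


def normalize(indicator):
    """Return (host, path) for a bare IP, a bare host, a host+path, or a URL.

    A missing scheme is assumed to be http, and an empty path becomes "/" so a
    bare IP or host acts as a prefix that matches every path on that host.
    """
    if "://" not in indicator:
        indicator = "http://" + indicator
    parts = urlsplit(indicator)
    host = (parts.hostname or "").lower()
    return host, parts.path or "/"


def build_index(config):
    """Map host -> [(family, path_prefix), ...] for a single lookup per log line."""
    index = {}
    for family, items in config.items():
        for item in items:
            host, path = normalize(item)
            index.setdefault(host, []).append((family, path))
    return index


# Constructed (hypothetical) proxy log format: "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

SAMPLE_LOG = [
    "2023-06-13T10:01:02Z 10.0.0.5 POST http://45.9.74.80/0bjdn2Z/index.php 200",
    "2023-06-13T10:01:05Z 10.0.0.5 GET http://aapu.at/tmp/index.php 404",
    "2023-06-13T10:01:07Z 10.0.0.7 GET http://45.12.253.72/ 200",
    "2023-06-13T10:01:09Z 10.0.0.9 GET http://example.org/tmp/ 200",
    "2023-06-13T10:01:11Z 10.0.0.5 GET http://aapu.at/static/logo.png 200",
]


def match_log(lines, index):
    """Return (family, client, url, confidence) for every line hitting an indicator.

    confidence is "path" when the request path starts with the indicator's path
    (or the indicator is a bare host/IP), and "host" when only the host matches.
    SmokeLoader C2 paths commonly sit on otherwise legitimate compromised sites,
    so a host-only hit still deserves review but is weaker than the exact C2 path.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; in production, count these rather than drop them
        _ts, client, _method, url, _status = m.groups()
        host, path = normalize(url)
        for family, prefix in index.get(host, []):
            confidence = "path" if path.startswith(prefix) else "host"
            hits.append((family, client, url, confidence))
            break
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, build_index(EXTRACTED_C2)):
        print("%-11s client=%s %s (%s match)" % hit)
```

On the sample lines this reports the Amadey POST to index.php, the SmokeLoader /tmp/ request and the GCleaner IP as path-confidence hits, the aapu.at request for an unrelated path as a host-only hit, and nothing for example.org even though it shares the /tmp/ path. Matching on the path alone would be a mistake: /tmp/ is a generic directory, and only the host plus path identifies the C2.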
Targets
-
Target
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797.exe
-
Size
1.0MB
-
MD5
8a06751312436a705c6404180c8b1519
-
SHA1
2d1d3a9731159943463257ee2e94a070e39c3b36
-
SHA256
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
-
SHA512
f1a5b5fe6fe2a1d770dd0586f115b09f5d59d6a17ecf12b2a789a653c14542e35b1de5226264e6e2de09eb00f5530d01c6a90fc09df1615594d51c50b72b8a8c
-
SSDEEP
12288:aV8Jo5Xb+qCPuwvko4WzuqimH8ISEW4Wq4/OS7oS/8lTkJKaG0BHDKnn2yoSXkHN:aV84dM1DyqRrJ55KU882tMkHWiP
-
Detect Fabookie payload
-
Glupteba payload
-
Modifies boot configuration data using bcdedit
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
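Several of the behaviors listed above (bcdedit modifying the BCD, the possible PatchGuard bypass, firewall changes, Run-key persistence) are visible in process-creation telemetry as command lines. The report names the behaviors but does not print the command lines this sample ran, so the following Python, an added example that is not part of the report, runs a small set of command-line rules over constructed Sysmon-style events. The mapping of the code-integrity options to the report's "Possible attempt to disable PatchGuard" signature is this example's assumption about what that signature keys on, not something the page states.

```python
"""Flag the process-creation behaviors this report lists from command lines.

Added example, not part of the sandbox report.  The events below are
constructed; the report does not show the sample's real command lines.
"""
import re

# (rule name, report behavior it maps to, command-line pattern)
RULES = [
    # nointegritychecks / testsigning / DDISABLE_INTEGRITY_CHECKS relax driver
    # signature enforcement so an unsigned kernel driver can load.  Mapping them
    # to "Possible attempt to disable PatchGuard" is this example's assumption.
    ("bcdedit_code_integrity_off", "Possible attempt to disable PatchGuard",
     re.compile(r"\bbcdedit(\.exe)?\s+[/-]set\b.*\b(nointegritychecks|testsigning|"
                r"loadoptions\s+DDISABLE_INTEGRITY_CHECKS)\b", re.I)),
    # Any BCD write verb; read-only uses such as "bcdedit /enum" do not fire.
    ("bcdedit_modify_bcd", "Modifies boot configuration data using bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\s+[/-](set|deletevalue|import|create|delete|copy)\b", re.I)),
    # Covers both the modern "advfirewall firewall" and the legacy "firewall" context.
    ("netsh_firewall_change", "Modifies Windows Firewall",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+)?firewall\s+(add|set|delete)\b", re.I)),
    ("run_key_persistence", "Adds Run key to start application",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
]

# Constructed Sysmon-style process-creation events: (image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} nointegritychecks on"),
    (r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} testsigning on"),
    (r"C:\Windows\System32\netsh.exe",
     'netsh advfirewall firewall add rule name="svc" dir=in action=allow '
     'program="C:\\Users\\Public\\svc.exe"'),
    (r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater "
     r"/t REG_SZ /d C:\Users\Public\svc.exe /f"),
    (r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),   # read-only, benign
    (r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),   # unrelated
]


def scan(events, rules=RULES):
    """Return (rule, behavior, image, command_line) for every rule each event trips.

    One event can trip several rules: a bcdedit call that turns integrity checks
    off is also a BCD modification.  Both are reported so the analyst sees the
    specific finding next to the generic one.
    """
    hits = []
    for image, cmdline in events:
        for name, behavior, pattern in rules:
            if pattern.search(cmdline):
                hits.append((name, behavior, image, cmdline))
    return hits


if __name__ == "__main__":
    for name, behavior, image, cmdline in scan(SAMPLE_EVENTS):
        print("%-27s %-55s %s" % (name, behavior, cmdline))
```

The same patterns translate directly into Sigma `CommandLine|contains` or `|re` selections on Sysmon Event ID 1 or Security 4688. The "Drops file in Drivers directory" and "Drops file in System32 directory" behaviors need file-create telemetry (Sysmon Event ID 11) rather than command lines, so they are out of scope for this rule set.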
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service 1
Registry Run Keys / Startup Folder 1
Scheduled Task 1
Defense Evasion
Disabling Security Tools 2
Modify Registry 4
Impair Defenses 1
Install Root Certificate 1