General
-
Target
file.exe
-
Size
1.1MB
-
Sample
230616-a6cehscb33
-
MD5
052e5edfe0cb0c180a2c62859d24590a
-
SHA1
67e6c1dad03ee038f52aeee3141bb4389185c75b
-
SHA256
778c94dcddd3ab8ec8ea417f79fca412da2a555c96ac140be4a7bce9a0b406ba
-
SHA512
1c453da9ae665bdb5da66d66924457f0550d74eeefe5e30e0330b59eec0ab1e9ed2e595f6371e43b337c0ec085d1e8e382347be065f0937b94e587901ac4dc2d
-
SSDEEP
24576:kHTHGDFS3Ud358XGF96Gjp3RcUPi+65N:kzWgu58WFNpBfq
Static task
static1
Malware Config
Extracted
amadey
3.83
45.9.74.80/0bjdn2Z/index.php
Extracted
smokeloader
pub5
Extracted
smokeloader
2022
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Targets
-
-
Target
file.exe
-
Size
1.1MB
-
MD5
052e5edfe0cb0c180a2c62859d24590a
-
SHA1
67e6c1dad03ee038f52aeee3141bb4389185c75b
-
SHA256
778c94dcddd3ab8ec8ea417f79fca412da2a555c96ac140be4a7bce9a0b406ba
-
SHA512
1c453da9ae665bdb5da66d66924457f0550d74eeefe5e30e0330b59eec0ab1e9ed2e595f6371e43b337c0ec085d1e8e382347be065f0937b94e587901ac4dc2d
-
SSDEEP
24576:kHTHGDFS3Ud358XGF96Gjp3RcUPi+65N:kzWgu58WFNpBfq
-
Detect Fabookie payload
-
Glupteba payload
-
Modifies security service
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
5Disabling Security Tools
2Impair Defenses
2Install Root Certificate
1