General
-
Target
06858351cc907e62cfc275f69256d288.exe
-
Size
4.3MB
-
Sample
230620-hmhfesbg3v
-
MD5
06858351cc907e62cfc275f69256d288
-
SHA1
e7289ed8dfdc207ac0ca69d7c00ec52af1c987c5
-
SHA256
0bc3689575acffde20abb2ff8db97b9698b07fc0e2f64a04ef10dea26fe64d87
-
SHA512
5f6b74b1ec2bb05a50d3e0bb982da343f0448650f774f2eb773a95a7d8a50361117b048f81c427020e3c78da8570148e5513f2c11ba3ace3d787a1279194a673
-
SSDEEP
98304:3IcB4UYTkq4tLHZyxogYXKfyKoPSnucrUQ31mXe9:4kPvtFyxPW2oqucrUQlMe
Static task
static1
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Targets
-
-
Target
06858351cc907e62cfc275f69256d288.exe
-
Size
4.3MB
-
MD5
06858351cc907e62cfc275f69256d288
-
SHA1
e7289ed8dfdc207ac0ca69d7c00ec52af1c987c5
-
SHA256
0bc3689575acffde20abb2ff8db97b9698b07fc0e2f64a04ef10dea26fe64d87
-
SHA512
5f6b74b1ec2bb05a50d3e0bb982da343f0448650f774f2eb773a95a7d8a50361117b048f81c427020e3c78da8570148e5513f2c11ba3ace3d787a1279194a673
-
SSDEEP
98304:3IcB4UYTkq4tLHZyxogYXKfyKoPSnucrUQ31mXe9:4kPvtFyxPW2oqucrUQlMe
-
Detect Fabookie payload
-
Glupteba payload
-
Modifies security service
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
5Disabling Security Tools
2Impair Defenses
2Install Root Certificate
1