General

  • Target

    Botnets PACK.rar

  • Size

    27.5MB

  • Sample

    230623-2v8gcshc25

  • MD5

    7f67e9cf1dcc327ad7e803a3dd231240

  • SHA1

    07299577a233926f05ffe631ccc406169d61d422

  • SHA256

    7319656b4c5c0f3c42526657e96c0732322806d7824e992baa4b816a525aae98

  • SHA512

    ba8bd26f94a93e6d60e291c7fab25e86c8a06b7b9e97ed6ce4395f18023bf28019cc4e214b575098682ee03ce79e0f8779f8a1c119baecd4d0d660fd39228611

  • SSDEEP

    786432:GZEVR+Fvw+e0pq8+wlWEm0/xkpHQfkklf:/qvw5F8+wlbCokE

Malware Config

Extracted

Family

blacknet

Botnet

[ID]

C2

[HOST]

Mutex

[MUTEX]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    [Install_Name]

  • splitter

    |BN|

  • start_name

    [StartupName]

  • startup

    false

  • usb_spread

    false

    Note: the bracketed values ([ID], [HOST], [MUTEX], [Install_Name], [StartupName]) are the unfilled placeholders of the BlackNET stub as shipped, not a live configuration; the builder in "BlackNET - Compiled" substitutes real values when a client is built, so no C2 host is recoverable from this sample.

Extracted

Family

smokeloader

Version

2017

C2

http://dogewareservice.ru/

Targets

    • Target

      Botnets PACK/Botnets PACK/Amadey Cracked/Amadey Cracked [XakFor.Net].exe

    • Size

      190KB

    • MD5

      d180c2e26b269d60a7cb1152f69c96bf

    • SHA1

      16d0b057534d3cb3e8d64f52a8494a6aed7de8f0

    • SHA256

      e1a950457b39e3a5f3db736dfc035fbe8a14c297427c39b384877dd6dde65498

    • SHA512

      ee097c198e784960c8da9e6ae1c72ce1be92bf2487cfa2465757f77828dc398e067773488c46b761fd08faa701e73437fda55dcef594d54bf44c371dc6696548

    • SSDEEP

      1536:M4lvePmo1wWjlJ3X74/xopu/DnvjL0Cp/n0ams0T:M4lv4wWjlJ3rIxoWvj5x0ams0T

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/Amadey Cracked/xpti/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/Amadey Cracked/xpti/svg.exe

    • Size

      2.5MB

    • MD5

      3168a31552404661098af0156860f0c0

    • SHA1

      9c10beb703314d0c8843ba7a3c988f793d55e422

    • SHA256

      2a0546c07c3831073b3b1b83866c63150d56638358e20d8a5247417de1efa4ff

    • SHA512

      3a3c93f4ccf441c7b86d2aae33ba636c975fb38ce14c62653f2c4606312a1259aba21d11a44ad5164d36fbc6ad136e12f9158971c26866568582111b95a98f6c

    • SSDEEP

      49152:p7inIOY/BoiU2oyNiAbnblJwSinj+BxpEiixfXuwlp:ATF0LDjwSkgxeXv

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/Atmos BOTNET Builder/atmos_weber.exe

    • Size

      186KB

    • MD5

      1a75f15752788e96744795be74f8714f

    • SHA1

      0d96e1ce4d84f28929561115993c4c3224099e3b

    • SHA256

      814a2d9eed0b7f6a34f278a667b93cf2f44f311e60b5c2a95a2fe0cc78145e32

    • SHA512

      2ca652f26710a7f2ca771683b28e5470e6ccf328cab5a2053b9c0ee262e19e810d6a9ecf29e91808ca653d20bb6244baa1912c2d92da362485db0c076d1332c9

    • SSDEEP

      1536:jX4l1eP8Y/e9i2WRDx39kGDkzXJEDIUlKv:jX4l1Hi63XKDIgi

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/Atmos BOTNET Builder/forms/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/Atmos BOTNET Builder/forms/comm.exe

    • Size

      1.4MB

    • MD5

      804bd73023a433fc644ee17397a14693

    • SHA1

      d866a20f930b708816f0980caba721664769991b

    • SHA256

      0ae4e1b5a7301f7ff730ede4908a6faa8b065ead19d34633f1310c78efb2a39b

    • SHA512

      56f4f6bc4fd76da1529c34425ebef49d491ed0ed9141423c216dd2bd01bb4c84009c568d5d2ac922b4afffd667279621ca5616aaf1d584917716bb6b51d6eb5e

    • SSDEEP

      24576:os4vBHuqC+nLz4mHkHlgV0qTDTvdpXYxOnq+EKUA3H+so:oLvwynLzZIgvD7d2oqA3H+/

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/BetaBotBuilderGUI.exe

    • Size

      205KB

    • MD5

      8b247c25f5f7f68899a4c0b43b94df07

    • SHA1

      9600a4b143310575459af77c37ad0d4a1ed0c67f

    • SHA256

      dc7d7fbd02ffa98bfd0956d490228e8497000055407e4f2d2438329205f4170b

    • SHA512

      4e1f7dbe2eb6c0e14a3306bd7a8772d40f09c39ab6289c6424f5293252475f2dec1cfd58b4031b846890639a2441e80638e8bc378fca3eb242546662743d75a8

    • SSDEEP

      3072:74lFJeofDM5GQHebTHle2O/fLrzfqJbQKGk3:76Fsofo5VHebTHlZavfwbM

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/npnul32/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/npnul32/secur32.exe

    • Size

      2.1MB

    • MD5

      5cd9a43e3c6cc8f399aa315b7599c370

    • SHA1

      f2a143f0f2cb5a8a6681b42b857597f53df177bf

    • SHA256

      56436ae6f5093a83f858b3d641041cff9d1bb8ee7f2ee539b880491875f71d4e

    • SHA512

      05e1c27d3201b12cd0b0be10ebf09fff059a58ae75856bbc23fb0577db54b4a925736385db98c4e86c475fb3c01ce9ca66a008cacec2c234915b7a2a1a4f584e

    • SSDEEP

      49152:nlYeWDDNj+6l2Zq6Wl7wBfDlr1wB6h/92I52stZeDyDNmggXGYJU1YG:2eEDdll6tvOBi/8I52st8DyDNZYK+G

    Score
    3/10
    • Target

      Botnets PACK/Botnets PACK/BlackNET - Compiled/BlackNET Builder.exe

    • Size

      176KB

    • MD5

      4e548a7c6eab54dd088499693ec80de0

    • SHA1

      14dc314730672cdcc0d149dbc394457a729f477d

    • SHA256

      3eef584ad9c9cee94f1e5a9950baa4b9b68d628e6d3ad9e02b2eb53e88d9293b

    • SHA512

      e0539f8a6fbdf621578c6365e87749b055c5d61a816a28cc6c77fe59bc7aaa2ceac9f86861df4c25f1c8600a408e8ae892886359b78cb15907153cdddec517a2

    • SSDEEP

      768:4ec4lj/7ePn43diJmBah5xoaJUQiVfKvMi:Y4lHePIdkmW5xomjefKvMi

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/BlackNET - Compiled/Packer/Confuser.exe

    • Size

      28KB

    • MD5

      f03e1cfb8bfed0b793243a3fe5b19588

    • SHA1

      686baab670836df515af6131e1e89737b13d503d

    • SHA256

      2b3e5cb7f96589e5377700a5f7f25e9fc6a14539e85256e6ac6e85c07f769f61

    • SHA512

      a57f3807a9064288080e8585d6193d184015ae832c91d4a1ed5f89070ceaddf00fede0727869c31045cd46c1fd5fef6b7baf9da7869cb80950b08dfb141fe051

    • SSDEEP

      384:9pFyvbsul3krz2AmtZ1TltphRieCcJObGPIj8SC3sY75Y+wGIQlWqj8z9DV+V/8O:9f83k32AWH9hgbNzI5VogBji15/kHX

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/H1N1 Loader/sqlite3/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/H1N1 Loader/sqlite3/NcaSvc.exe

    • Size

      25KB

    • MD5

      fe0c5d88aae74a678e6c6aebf0c5bdf8

    • SHA1

      88988639e083cc3a0380c1896ca86f2151779a0a

    • SHA256

      357e6566f1d4a3d47d39919d80aa63795ba420e6336c75803dd50083d3e3e519

    • SHA512

      0015917c7c272e71c97c7ba69ab113d9a2505cf216d0193589e38919c0e53d4a1dc734e2beae5e3630d4fa398856961efcab68291b10d163ffda314b61092f5b

    • SSDEEP

      384:L/uZ7EhTk1KwXZEzt5uXytW6G3Ja7S84flOis8nWf0p/:mwTmZEzt5QeGZa3aOP8Wf0

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/L0rdix Cracked [XakFor.Net]/L0rdix Cracked [XakFor.Net].exe

    • Size

      191KB

    • MD5

      231c66c864b4fd85866aa24b631c90ab

    • SHA1

      f82d7daff7cbce66dd870cfe8df717bb676cbcaa

    • SHA256

      05ba37535b0ada20df90b204a353b8f9e20ae13a021b562770b624894ec417a6

    • SHA512

      4801728c43a10f50857de295e322ca8b85ca6c8529a97c886c7a0443c79e5b175d616e32da6a5cca8466328e5b0b545c3c2550b95de1627368132aedca259ed4

    • SSDEEP

      1536:DX4l/ePkdX4z7vaU9hFyo14eq8v3FXYUtz2piX:DX4l/P4zTaMhv14eq83FXYYk8

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/L0rdix Cracked [XakFor.Net]/en-US/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/L0rdix Cracked [XakFor.Net]/en-US/xpti.exe

    • Size

      1.8MB

    • MD5

      cb6e00e9dcd6ec891a118435693d7c98

    • SHA1

      dd4c256ed9069531a2539c0413b1c2d148987671

    • SHA256

      af9cc303641162d0dae8c29546c508dd56a6d09486533b2503d5c6bed342d554

    • SHA512

      f39b05d9ac60d48535225cc6c28418d5a543e63ed803d7c98cfdda40c679aa5ca4ad6467beec535e75bb74f8472eb71cf57fde3d8f6e90b060cb3d85c50186e8

    • SSDEEP

      24576:oy5ug81iDtpRvvEn9X2Rc1HxRUqUAWUN7OS7MHrkbVa+UiVzDD5p3q2b4:9L8wDtp9Kwi13e41MHrGx9p3qO4

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/LiteHTTP-master/LiteDB/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/LiteHTTP-master/LiteDB/all.exe

    • Size

      170KB

    • MD5

      8db57eec2e0cb634cbfc6f643ee1d693

    • SHA1

      38fb68dfb148efd0b828686aea8400c5aeb62577

    • SHA256

      79661f2f96121583b79ba44493ced3b41149500ba771bb63d4d4a6c7aba66be1

    • SHA512

      8ac68226ac9caefcea986a51d196d928381607bcd4f1e67531a12347f54d7aa33c21d4a17843e0e5d5b531242fd781e6f8e1cebd2966861e3cd2e667b4e95728

    • SSDEEP

      1536:L3flQG8DsiioG4E68IREQrC4zCHyjL8yFkpB8FXVTFd8NoPN:LPmG8D5G4E68cEQW4GSjL1qERca

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/LiteHTTP-master/LiteHTTP Builder.exe

    • Size

      184KB

    • MD5

      039d5d845ab2faf39bb61438f90ac301

    • SHA1

      f617245cfa2963202d8e0a149a9c1fb0b44cf9c8

    • SHA256

      51cbc22e761555c9e7b6c2b084426bf623eb6cface7a8fa290d02c9496a3c014

    • SHA512

      6b83e5236a321151f2bbf3617cbef38c4494af67c7e3be04cb66117c37d9b73dbd87e1c1d75688d7257e33ec99c4c13b92990fe2ccc2d42290a8006e921d69ee

    • SSDEEP

      1536:VX4ljePwoq2q6Imfteo4DNfc5JTWVHyU:VX4ljmq2q6IOkN05JCSU

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/Loki 1.8/Loki_original.exe

    • Size

      189KB

    • MD5

      d339ccf5c7dcbdc3033ec9596ac58d6e

    • SHA1

      616f9e8cf047422498952b7aeef166fcce1431b6

    • SHA256

      909a79e7eb7dcafcdef4b43b245394930d0835e6671b2d1dfae9c31f85174ae0

    • SHA512

      92aa4ecd93de69927bb3938e43d6a382deb6e6047dd09dbfa4f58a54b3bcc1aac51dbb88d5c79fd344f75f5623fdff21996fbcd4f10c9f25e439ad67e67c3ff7

    • SSDEEP

      1536:y4l/ePF1khsCNjWCL2+XiX9kHyY3cnwCuJeOv1yrGjEqp18d3RWjZ:y4l/2kZNqw2+Xq6XU3+dEK1u0

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/Pony 1.9/PonyBuilder.exe

    • Size

      190KB

    • MD5

      cf00a88af886bbbbbf6ab31e9e62b8fb

    • SHA1

      c1f745b6bd6ca4da050be5012bfe79476ecced09

    • SHA256

      34e320edbee6ac5513c520b799d86403679f324eab4ca8e00f313d6b61a6e715

    • SHA512

      a0c74f2ca95164372ca51ee84e9189a2494f17adb79015505be3d33245d103605b03e4896b00930a64d51d4444db73658a57ef88bfee4e0010c5b308f72ce775

    • SSDEEP

      1536:c4lUeP7cfgAYqCo/RyERnyDzhS7RP2F3t9CIs6gXkCocYn:c4lUgDaRyEGSArcqcK

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/brcc32.exe

    • Size

      74KB

    • MD5

      084dfadc4c72bdd2900112665ee5af13

    • SHA1

      67c6fd7d191686eb3d7cb121b9893462e85b7f52

    • SHA256

      f049cf781ff73c5586cd81da7269477ebdee614ad2c1dc57346437e6557b2737

    • SHA512

      b15f4b6e9e967d89d610bf912956a19a46e1b6e2f4c4cea6e23b0f545a142a9732495e2cfc38f917ce20e91b17644195c60390dd4cd87a47b6729d070f3fc8a2

    • SSDEEP

      1536:P3kI1EXCxSwonJH/SGkv8BdwsTCkED2JU4MU7NAygtdOZ:fr1EXCxSwonJfVkM0hftU7NDgtdO

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/cvtres.exe

    • Size

      15KB

    • MD5

      df46eef3aef83b226e309dede91a57f2

    • SHA1

      fa3c0f07035d814b11f1d461f695d31f8f1568a3

    • SHA256

      83b602ed8e69e979fc9557f482a4a4c6c9a97b4ad67b879aedeacd2b09e5b20b

    • SHA512

      bf962e0850035cd7060fe9b9908496ae81c1c60d9c52c19d243dfe80d61d9ebd65ce71317ecfbd2fd591093df6cb99f463c326e7680868ca526ecfc7ae1a65df

    • SSDEEP

      384:YatLpMnVHhbRzHSHxlMWGuARGO0WcdrWO:/SVH9RLSRlMWDARzq7

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/ml.exe

    • Size

      364KB

    • MD5

      b54b173761ac671cea635672e214a8de

    • SHA1

      ff0c1052feaefb646dffc9aff24ae467f9d97137

    • SHA256

      0767b9b855b21265a78c090d556229ea3e894c415e557900aca3c81f52ac1425

    • SHA512

      d4436011b282f585433d2325c27d6ee46e39b946972cf773b2cf068b038e649320a1735531ee9013f63816d19b5f89f6947e6e86f895200b1614c20f3151db68

    • SSDEEP

      3072:zGovvi9kg0Lij83q0G6UA7GFdRb/8Bp0+BxeMYRGi5Ipv/Pl2hQx13MBO8G6bXT9:yRjbElxp1358t/2A3u/Dh3/MMd2z

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/polib.exe

    • Size

      86KB

    • MD5

      ddd130d4a068d9c967d2fcd8ea3b35a6

    • SHA1

      544143fdc10269ae17c326f8f3209bab3839ddcf

    • SHA256

      071898d32301b0df9140cb89821fe593ea57f5c39cd8404ce85830c9ad07dd18

    • SHA512

      2a2a01f05b8f9ae3191f0099611e735993d41efc4d823b25408bb5b3f1aa496f93d7af77cf312e05d28afa71a408259b3cfbb31c6b8cc1e2f712662a4bf37f5e

    • SSDEEP

      1536:JCU0mP41+JtBZZKpdjbRiCvr1pyPplm/wxRw+vUX7MMTadouH98W5SmKx:4Qq+JXyLVH0m4xRWFedouH98V

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/polink.exe

    • Size

      169KB

    • MD5

      c9a4469d1f6dbf34f444e5e33bc03b1e

    • SHA1

      039d4db8e00073360d1855e2c72f5e03e2e46274

    • SHA256

      2ad63f569d430a74143cc43c2d0e48b32866c3a3812334a8fb276790db5acf04

    • SHA512

      10aa0350b25fc292def5f2d6be4a49a7e604634074e94ec8143422e56d382615f18c4750a238cd8983e7d1c1dac50cb5e816fdf62483e368eeaf7edba849a95e

    • SSDEEP

      3072:WdU4MSSgdQ4wmbUvQPrpCecPz5dxMuOz0JfAr2bg9O3GfIVJeqONpTf0fy/II19g:Wq4MSzdlwmbUvQzpCecP1dxgifz3GI

    Score
    1/10
    • Target

      Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/upx.exe

    • Size

      283KB

    • MD5

      308f709a8f01371a6dd088a793e65a5f

    • SHA1

      a07c073d807ab0119b090821ee29edaae481e530

    • SHA256

      c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35

    • SHA512

      c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28

    • SSDEEP

      6144:EBgzKMDrn1MUQ8Kr4eNyJf2EycBqABfpV6xSyQy9CZ07Yf+1+ujToS:v5rn6JfXCjUafpVeDQyUXfW+u/oS

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Botnets PACK/Botnets PACK/Pony 1.9/sys/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/Pony 1.9/sys/WPFToolkit.exe

    • Size

      2.1MB

    • MD5

      14723ffeebf824bb4f909558c6d4172e

    • SHA1

      0a2df5ec2ab106af7c4b71e14bdc8892f0b8bd22

    • SHA256

      f20b1ced29f3cf81aa561423363691b2cfc0c48903e0ea2689b230e65b175833

    • SHA512

      31b654b4bdb564752866e090f40371b531279f20591a77b99b83d66023a64001a5fe2989a71d61d392ad2a0f59c29d48c4487d79fa4192573fc44a014fb0b51e

    • SSDEEP

      49152:ZKsJDwJmBjoPetuYojTuL7QlxaxunCt7gGGOta8Cj1C1LTx1RSuemVlS+U0cj9:ZxJ8JmePceTuvQPauCuGGO1wC1TZSpmH

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Botnets PACK/Botnets PACK/Smoke Loader Original Stub/nssdbm3/CoreShell.exe

    • Size

      13KB

    • MD5

      75f6bb5d297c4ffbdff65cc5bbbdfb37

    • SHA1

      0aa7c2e75f63c685d8d085fbafca3a91d297b683

    • SHA256

      5eb4e7d954ad12e89c9c500f9894b76d08b7e53eb0f3f0b0e681d3bf11c4db51

    • SHA512

      fdb38133304714e3e553b02df7a7bb62b9127c9c832390ffb1553f3523cdffd00611b29a4916f00bd6b79209fef5b0ca4e4c28192e5522880bbde231c00ca7df

    • SSDEEP

      192:vBAlEMZWAY5nCtCY61l40CMvPSohzWLz5xWfgOQ/muu/d5THm4OtgO:JAnLAXNy/m3/bTKgO

    Score
    10/10
    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      Botnets PACK/Botnets PACK/Smoke Loader Original Stub/nssdbm3/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Botnets PACK/Botnets PACK/Smoke Loader Original Stub/smokeloader.exe

    • Size

      227KB

    • MD5

      c5eef97b1208860a67749d997ef6ee4e

    • SHA1

      612a551d0500188646727ab0c449a8886a6bb540

    • SHA256

      aeaf5634f6749e646b02d37d4fc1e5ad6cdae2cb26799cb46779917a17e41dc6

    • SHA512

      f7674eacb5a65160036a0302842515ad17d377b2f8ca7a7cf75b75fcb79442ff79161f13b13364b75a78a45555d0172c736d11763586903ff57f12c06403bd70

    • SSDEEP

      3072:14lcCQgZEKJtkmt6SjiK29hxbn0yd0bmxlM:16cCQg+4yXJK2h1bBx

    Score
    10/10
    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
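
The Targets list above contains the same 53KB Launcher.exe (SHA-256 0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32) in eight different tool folders, each time next to one larger binary that carries a plausible library or locale name (svg.exe, comm.exe, secur32.exe, xpti.exe, WPFToolkit.exe, CoreShell.exe and so on). That is the shape of a trojanised "leaked tools" archive: one dropper planted beside every tool. The Python below is an added example, not part of the report or of any tool it names; it takes a subset of the report's own path / SHA-256 / score triples and groups them by hash to surface the shared file and what sits beside it. Which companion the launcher actually executes is not stated by the report, so companions() only lists candidates.

```python
"""Triage a multi-file sandbox report: find the binary that recurs under
every tool's folder and list what sits next to it.

Added example for this page (not part of the original report or of any
tool it names). The entries below are copied from the report's Targets
list; only a subset is included, and SHA-256 is used as the identity key.
"""
from collections import defaultdict
from posixpath import basename, dirname

PREFIX = "Botnets PACK/Botnets PACK/"
LAUNCHER = "0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32"

# (path relative to PREFIX, sha256, sandbox score) taken from the report above
TARGETS = [
    ("Amadey Cracked/Amadey Cracked [XakFor.Net].exe", "e1a950457b39e3a5f3db736dfc035fbe8a14c297427c39b384877dd6dde65498", 7),
    ("Amadey Cracked/xpti/Launcher.exe", LAUNCHER, 7),
    ("Amadey Cracked/xpti/svg.exe", "2a0546c07c3831073b3b1b83866c63150d56638358e20d8a5247417de1efa4ff", 1),
    ("Atmos BOTNET Builder/forms/Launcher.exe", LAUNCHER, 7),
    ("Atmos BOTNET Builder/forms/comm.exe", "0ae4e1b5a7301f7ff730ede4908a6faa8b065ead19d34633f1310c78efb2a39b", 1),
    ("BetaBotBuilder Leaked by Bull/npnul32/Launcher.exe", LAUNCHER, 7),
    ("BetaBotBuilder Leaked by Bull/npnul32/secur32.exe", "56436ae6f5093a83f858b3d641041cff9d1bb8ee7f2ee539b880491875f71d4e", 3),
    ("H1N1 Loader/sqlite3/Launcher.exe", LAUNCHER, 7),
    ("H1N1 Loader/sqlite3/NcaSvc.exe", "357e6566f1d4a3d47d39919d80aa63795ba420e6336c75803dd50083d3e3e519", 1),
    ("L0rdix Cracked [XakFor.Net]/en-US/Launcher.exe", LAUNCHER, 7),
    ("L0rdix Cracked [XakFor.Net]/en-US/xpti.exe", "af9cc303641162d0dae8c29546c508dd56a6d09486533b2503d5c6bed342d554", 1),
    ("LiteHTTP-master/LiteDB/Launcher.exe", LAUNCHER, 7),
    ("LiteHTTP-master/LiteDB/all.exe", "79661f2f96121583b79ba44493ced3b41149500ba771bb63d4d4a6c7aba66be1", 1),
    ("Pony 1.9/sys/Launcher.exe", LAUNCHER, 7),
    ("Pony 1.9/sys/WPFToolkit.exe", "f20b1ced29f3cf81aa561423363691b2cfc0c48903e0ea2689b230e65b175833", 7),
    ("Smoke Loader Original Stub/nssdbm3/Launcher.exe", LAUNCHER, 7),
    ("Smoke Loader Original Stub/nssdbm3/CoreShell.exe", "5eb4e7d954ad12e89c9c500f9894b76d08b7e53eb0f3f0b0e681d3bf11c4db51", 10),
]


def cluster_by_hash(targets):
    """Map each SHA-256 to the list of paths that carry it."""
    clusters = defaultdict(list)
    for path, sha256, _score in targets:
        clusters[sha256].append(path)
    return dict(clusters)


def shared_binaries(targets, min_copies=2):
    """Hashes that appear under more than one path, most widespread first.

    In a 'leaked tools' archive this is how a bundled dropper shows up:
    one identical file planted into every tool's folder.
    """
    clusters = cluster_by_hash(targets)
    shared = [(sha, paths) for sha, paths in clusters.items() if len(paths) >= min_copies]
    shared.sort(key=lambda item: len(item[1]), reverse=True)
    return shared


def companions(targets, sha256):
    """For each directory holding `sha256`, the other files in that directory.

    Which file the launcher actually runs is not stated in the report; these
    are only the candidates implied by its 'Executes dropped EXE' signature.
    """
    by_dir = defaultdict(list)
    for path, sha, score in targets:
        by_dir[dirname(path)].append((basename(path), sha, score))
    result = {}
    for directory, files in by_dir.items():
        if any(sha == sha256 for _name, sha, _score in files):
            result[directory] = [name for name, sha, _score in files if sha != sha256]
    return result


if __name__ == "__main__":
    for sha, paths in shared_binaries(TARGETS):
        print(f"{sha[:12]}... appears {len(paths)} times:")
        for path in paths:
            print("   ", PREFIX + path)
    for directory, others in companions(TARGETS, LAUNCHER).items():
        print(f"{PREFIX}{directory}: launcher sits next to {others}")
```

Feeding the full report (or a directory walk with hashlib over the extracted archive) into the same functions generalises the check: any hash that clusters across unrelated tool folders deserves to be detonated on its own before anything else in the pack is trusted.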

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                             ID      Count
  Persistence       Registry Run Keys / Startup Folder    T1060   16
  Defense Evasion   Modify Registry                       T1112   16
  Discovery         Query Registry                        T1012   19
  Discovery         System Information Discovery          T1082   37
  Discovery         Peripheral Device Discovery           T1120   2

The IDs are ATT&CK v6. In current ATT&CK, T1060 has been retired in favour of T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); the other four IDs are unchanged.
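
Every Launcher.exe entry above fires the same four behavioural signatures (Checks computer location settings, Drops startup file, Executes dropped EXE, Adds Run key to start application), and the two SmokeLoader entries add Maps connected drives based on registry. The Python below, an added example that is not the sandbox's own signature code, shows how such signatures are expressed as rules over a process's API trace and how they roll up into the ATT&CK v6 IDs listed in the matrix. The trace is constructed; the registry and file-system paths each rule looks for (Control Panel\International\Geo\Nation, the CurrentVersion\Run key, the Start Menu Startup folder, Services\Disk\Enum) are this example's assumption about what the signature names refer to, not something the report states.

```python
"""Re-derive the report's behavioural signatures from a sandbox API trace.

Added example for this page; it is not the sandbox's own signature code.
The trace is constructed to exercise the behaviours the report flags. The
registry and file-system paths each rule looks for are the analyst's
assumption of what lies behind the signature name; the report itself only
gives the names and the ATT&CK v6 technique IDs.
"""
import re

# Constructed API trace, (api, target) pairs in call order, mimicking one of
# the report's Launcher.exe runs. The last entry is benign noise that no
# rule should match.
TRACE = [
    ("RegQueryValueExW", r"HKCU\Control Panel\International\Geo\Nation"),
    ("CreateFileW", r"C:\Users\user\AppData\Roaming\xpti\svg.exe"),
    ("CreateFileW", r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launcher.lnk"),
    ("RegSetValueExW", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Launcher"),
    ("CreateProcessW", r"C:\Users\user\AppData\Roaming\xpti\svg.exe"),
    ("RegQueryValueExW", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"),
    ("RegQueryValueExW", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
]

# (signature name as printed in the report, APIs the rule applies to,
#  path pattern [assumed], ATT&CK v6 IDs from the report's matrix)
RULES = [
    ("Checks computer location settings",
     {"RegOpenKeyExW", "RegQueryValueExW"},
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
     ("T1012", "T1082")),
    ("Adds Run key to start application",
     {"RegSetValueExW"},
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
     ("T1060", "T1112")),
    ("Drops startup file",
     {"CreateFileW", "CopyFileW", "MoveFileW"},
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
     ("T1060",)),
    ("Maps connected drives based on registry",
     {"RegQueryValueExW", "RegEnumValueW"},
     re.compile(r"\\Services\\Disk\\Enum", re.I),
     ("T1082", "T1120")),
]

DROP_APIS = {"CreateFileW", "CopyFileW", "MoveFileW"}


def evaluate(trace):
    """Return {signature name: [matching targets]} for one process trace.

    'Executes dropped EXE' is stateful: it fires only when CreateProcessW
    starts an .exe that an earlier file-write call in the same trace created.
    The other signatures are stateless pattern matches on (api, target).
    """
    hits = {}
    dropped = set()
    for api, target in trace:
        if api in DROP_APIS and target.lower().endswith(".exe"):
            dropped.add(target.lower())
        if api == "CreateProcessW" and target.lower() in dropped:
            hits.setdefault("Executes dropped EXE", []).append(target)
        for name, apis, pattern, _ids in RULES:
            if api in apis and pattern.search(target):
                hits.setdefault(name, []).append(target)
    return hits


def techniques(hits):
    """Sorted ATT&CK IDs implied by the signatures that fired.

    The report's matrix has no Execution column, so 'Executes dropped EXE'
    contributes no ID here either.
    """
    ids = set()
    for name, _apis, _pattern, tech_ids in RULES:
        if name in hits:
            ids.update(tech_ids)
    return sorted(ids)


if __name__ == "__main__":
    fired = evaluate(TRACE)
    for name, targets in fired.items():
        print(f"{name}:")
        for target in targets:
            print("   ", target)
    print("ATT&CK:", ", ".join(techniques(fired)))
```

The geofence read is a registry query, which host telemetry such as Sysmon does not record (it logs value writes, not reads); only an API-level trace or a sandbox sees it. The Run-key write and the Startup-folder drop, by contrast, are exactly what a RegistryEvent SetValue or FileCreate rule on an endpoint can catch, so those two rules transfer to production detection while the first does not.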

Tasks

The behavioral tasks run one Targets entry each, in the order listed above: behavioral1 is Amadey Cracked [XakFor.Net].exe, behavioral32 is smokeloader.exe, and each task's score and tags match that entry's signatures.

  Task           Tags                                         Score
  static1        [id], upx, blacknet                          10/10
  behavioral1    persistence                                  7/10
  behavioral2    persistence                                  7/10
  behavioral3                                                 1/10
  behavioral4    persistence                                  7/10
  behavioral5    persistence                                  7/10
  behavioral6                                                 1/10
  behavioral7                                                 7/10
  behavioral8    persistence                                  7/10
  behavioral9                                                 3/10
  behavioral10   persistence                                  7/10
  behavioral11                                                1/10
  behavioral12   persistence                                  7/10
  behavioral13                                                1/10
  behavioral14   persistence                                  7/10
  behavioral15   persistence                                  7/10
  behavioral16                                                1/10
  behavioral17   persistence                                  7/10
  behavioral18                                                1/10
  behavioral19   persistence                                  7/10
  behavioral20   persistence                                  7/10
  behavioral21   persistence, upx                             7/10
  behavioral22                                                1/10
  behavioral23                                                1/10
  behavioral24                                                1/10
  behavioral25                                                1/10
  behavioral26                                                1/10
  behavioral27   upx                                          7/10
  behavioral28   persistence                                  7/10
  behavioral29   upx                                          7/10
  behavioral30   smokeloader, backdoor, trojan                10/10
  behavioral31   persistence                                  7/10
  behavioral32   smokeloader, backdoor, persistence, trojan   10/10