Overview

Static analysis score: 10

Behavioral tasks (score, sample name as abbreviated on the page, platform):
- 10, Botnets PA...t].exe, windows10-2004-x64
- 7, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...vg.exe, windows10-2004-x64
- 1, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...mm.exe, windows10-2004-x64
- 1, Botnets PA...UI.exe, windows10-2004-x64
- 7, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...32.exe, windows10-2004-x64
- 3, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...er.exe, windows10-2004-x64
- 1, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...vc.exe, windows10-2004-x64
- 1, Botnets PA...t].exe, windows10-2004-x64
- 7, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...ti.exe, windows10-2004-x64
- 1, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...ll.exe, windows10-2004-x64
- 1, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...al.exe, windows10-2004-x64
- 7, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...32.exe, windows10-2004-x64
- 1, Botnets PA...es.exe, windows10-2004-x64
- 1, Botnets PA...ml.exe, windows10-2004-x64
- 1, Botnets PA...ib.exe, windows10-2004-x64
- 1, Botnets PA...nk.exe, windows10-2004-x64
- 1, Botnets PA...px.exe, windows10-2004-x64
- 7, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...it.exe, windows10-2004-x64
- 7, Botnets PA...ll.exe, windows10-2004-x64
- 10, Botnets PA...er.exe, windows10-2004-x64
- 7, Botnets PA...er.exe, windows10-2004-x64
Analysis (score: 10)

- max time kernel: 44s
- max time network: 67s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-06-2023 22:55
Behavioral tasks (every task uses resource win10v2004-20230621-en):
- behavioral1: Botnets PACK/Botnets PACK/Amadey Cracked/Amadey Cracked [XakFor.Net].exe
- behavioral2: Botnets PACK/Botnets PACK/Amadey Cracked/xpti/Launcher.exe
- behavioral3: Botnets PACK/Botnets PACK/Amadey Cracked/xpti/svg.exe
- behavioral4: Botnets PACK/Botnets PACK/Atmos BOTNET Builder/atmos_weber.exe
- behavioral5: Botnets PACK/Botnets PACK/Atmos BOTNET Builder/forms/Launcher.exe
- behavioral6: Botnets PACK/Botnets PACK/Atmos BOTNET Builder/forms/comm.exe
- behavioral7: Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/BetaBotBuilderGUI.exe
- behavioral8: Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/npnul32/Launcher.exe
- behavioral9: Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/npnul32/secur32.exe
- behavioral10: Botnets PACK/Botnets PACK/BlackNET - Compiled/BlackNET Builder.exe
- behavioral11: Botnets PACK/Botnets PACK/BlackNET - Compiled/Packer/Confuser.exe
- behavioral12: Botnets PACK/Botnets PACK/H1N1 Loader/sqlite3/Launcher.exe
- behavioral13: Botnets PACK/Botnets PACK/H1N1 Loader/sqlite3/NcaSvc.exe
- behavioral14: Botnets PACK/Botnets PACK/L0rdix Cracked [XakFor.Net]/L0rdix Cracked [XakFor.Net].exe
- behavioral15: Botnets PACK/Botnets PACK/L0rdix Cracked [XakFor.Net]/en-US/Launcher.exe
- behavioral16: Botnets PACK/Botnets PACK/L0rdix Cracked [XakFor.Net]/en-US/xpti.exe
- behavioral17: Botnets PACK/Botnets PACK/LiteHTTP-master/LiteDB/Launcher.exe
- behavioral18: Botnets PACK/Botnets PACK/LiteHTTP-master/LiteDB/all.exe
- behavioral19: Botnets PACK/Botnets PACK/LiteHTTP-master/LiteHTTP Builder.exe
- behavioral20: Botnets PACK/Botnets PACK/Loki 1.8/Loki_original.exe
- behavioral21: Botnets PACK/Botnets PACK/Pony 1.9/PonyBuilder.exe
- behavioral22: Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/brcc32.exe
- behavioral23: Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/cvtres.exe
- behavioral24: Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/ml.exe
- behavioral25: Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/polib.exe
- behavioral26: Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/polink.exe
- behavioral27: Botnets PACK/Botnets PACK/Pony 1.9/masm32/bin/upx.exe
- behavioral28: Botnets PACK/Botnets PACK/Pony 1.9/sys/Launcher.exe
- behavioral29: Botnets PACK/Botnets PACK/Pony 1.9/sys/WPFToolkit.exe
- behavioral30: Botnets PACK/Botnets PACK/Smoke Loader Original Stub/nssdbm3/CoreShell.exe
- behavioral31: Botnets PACK/Botnets PACK/Smoke Loader Original Stub/nssdbm3/Launcher.exe
- behavioral32: Botnets PACK/Botnets PACK/Smoke Loader Original Stub/smokeloader.exe
General

- Target: Botnets PACK/Botnets PACK/Smoke Loader Original Stub/nssdbm3/CoreShell.exe
- Size: 13KB
- MD5: 75f6bb5d297c4ffbdff65cc5bbbdfb37
- SHA1: 0aa7c2e75f63c685d8d085fbafca3a91d297b683
- SHA256: 5eb4e7d954ad12e89c9c500f9894b76d08b7e53eb0f3f0b0e681d3bf11c4db51
- SHA512: fdb38133304714e3e553b02df7a7bb62b9127c9c832390ffb1553f3523cdffd00611b29a4916f00bd6b79209fef5b0ca4e4c28192e5522880bbde231c00ca7df
- SSDEEP: 192:vBAlEMZWAY5nCtCY61l40CMvPSohzWLz5xWfgOQ/muu/d5THm4OtgO:JAnLAXNy/m3/bTKgO
Malware Config

Extracted configuration, family smokeloader:
- Version: 2017
- C2: http://dogewareservice.ru/
Signatures

- SmokeLoader: modular backdoor trojan in use since 2014.
- Maps connected drives based on registry (3 TTPs, 2 IoCs): disk information is often read in order to detect sandboxing environments.
  IoCs (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (CoreShell.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (CoreShell.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs): all 64 entries are PID 548, CoreShell.exe.
- Suspicious behavior: MapViewOfSection (2 IoCs): both entries are PID 548, CoreShell.exe.
- Suspicious use of WriteProcessMemory (3 IoCs): three identical entries, each "PID 548 wrote to memory of 348" (pid 548, process CoreShell.exe, procid_target 83).
Processes

- C:\Users\Admin\AppData\Local\Temp\Botnets PACK\Botnets PACK\Smoke Loader Original Stub\nssdbm3\CoreShell.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Botnets PACK\Botnets PACK\Smoke Loader Original Stub\nssdbm3\CoreShell.exe"
  PID: 548
  Signatures:
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\explorer.exe
    Command line: explorer.exe
    PID: 348