General
Target: 5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011
Size: 4.3MB
Sample: 230624-p4mj2acd41
MD5: 75736d164f6f4ae0bb6f856d8dc01db4
SHA1: a280cc0281045dca631a09978a9132ba9d58a2a8
SHA256: 5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011
SHA512: 94ac3b246673394104b368767e73e937068841f5dbcd01462bd710ba06dc10af2b33473fd84e3cbe67301c1db443bfc00907d3ce7b88a78e329014714ccea18c
SSDEEP: 98304:0Wo3BduYaE+I9noizGfIYVcfa9n06bTpHWOTez/M6bsUn5v:0X3BgHETKHqa9nhpxezhv
Static task: static1
Behavioral task: behavioral1
Sample: 5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011.exe
Resource: win10v2004-20230621-en
Malware Config
Extracted: amadey
  3.83
  5.42.65.80/8bmeVwqx/index.php
Extracted: smokeloader
  up3
Extracted: gcleaner
  45.12.253.56
  45.12.253.72
  45.12.253.98
  45.12.253.75
Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Targets
Target: 5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011
- Detect Fabookie payload
- Glupteba payload
- Modifies security service
- Suspicious use of NtCreateUserProcessOtherParentProcess
- XMRig Miner payload
- Downloads MZ/PE file
- Modifies Windows Firewall
- Stops running service(s)
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext