General
-
Target
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778
-
Size
220KB
-
Sample
230625-a3pknsdg2y
-
MD5
a780dd7a5ed788b79d157339f69bbad4
-
SHA1
7e10cd37e03420947d45c0374b05f23e058731e9
-
SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778
-
SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd
-
SSDEEP
3072:We8cGmnNsC8XA6K4T0MMeud1dl/E/axsfcEBwAuKvlGM5E5VJ:ycqC8XA6l+Hd1D/iLBwA1
Static task
static1
Behavioral task
behavioral1
Sample
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778.exe
Resource
win10-20230621-en
Malware Config
Extracted
smokeloader
2022
http://serverlogs37.xyz/statweb255/
http://servblog757.xyz/statweb255/
http://dexblog45.xyz/statweb255/
http://admlogs.online/statweb255/
http://blogstat355.xyz/statweb255/
http://blogstatserv25.xyz/statweb255/
Extracted
C:\info.hta
class='mark'>[email protected]</span></div>
http://www.w3.org/TR/html4/strict.dtd'>
Targets
-
-
Target
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778
-
Size
220KB
-
MD5
a780dd7a5ed788b79d157339f69bbad4
-
SHA1
7e10cd37e03420947d45c0374b05f23e058731e9
-
SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778
-
SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd
-
SSDEEP
3072:We8cGmnNsC8XA6K4T0MMeud1dl/E/axsfcEBwAuKvlGM5E5VJ:ycqC8XA6l+Hd1D/iLBwA1
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
Renames multiple (451) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-