General

  • Target

    e142f4e8eb3fb4323fb377138.exe

  • Size

    281KB

  • Sample

    230625-mffepseg21

  • MD5

    9769c181ecef69544bbb2f974b8c0e10

  • SHA1

    5d0f447f4ccc89d7d79c0565372195240cdfa25f

  • SHA256

    e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

  • SHA512

    b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a

  • SSDEEP

    3072:Z5SXIMALRKEttgCWAbi1D1fJmxIV0BN3omE9MA5yXsztcJe9:GIMpEtCCWAbiBRmE9o6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://serverlogs37.xyz/statweb255/

http://servblog757.xyz/statweb255/

http://dexblog45.xyz/statweb255/

http://admlogs.online/statweb255/

http://blogstat355.xyz/statweb255/

http://blogstatserv25.xyz/statweb255/

rc4.i32
rc4.i32
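Added example (not part of the sandbox output above): the six C2 URLs share one URI path, /statweb255/, and SmokeLoader operators rotate domains while keeping the path, so a matcher should flag both the listed hosts and that path on any host. The proxy log format, the 10.0.0.x clients and the host newblog912.xyz are constructed for this example and are not indicators from the report.

```python
"""Match proxy log lines against the SmokeLoader C2 list extracted above."""
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config on this page.
C2_URLS = [
    "http://serverlogs37.xyz/statweb255/",
    "http://servblog757.xyz/statweb255/",
    "http://dexblog45.xyz/statweb255/",
    "http://admlogs.online/statweb255/",
    "http://blogstat355.xyz/statweb255/",
    "http://blogstatserv25.xyz/statweb255/",
]

# Constructed proxy log (hypothetical format: "<timestamp> <client> <method> <url> <status>").
# newblog912.xyz is a made-up host standing in for a rotated C2 domain not in the config.
SAMPLE_PROXY_LOG = """\
2023-06-25T10:14:02Z 10.0.0.21 GET http://www.example.com/index.html 200
2023-06-25T10:14:07Z 10.0.0.21 POST http://serverlogs37.xyz/statweb255/ 200
2023-06-25T10:14:31Z 10.0.0.21 POST http://newblog912.xyz/statweb255/ 404
2023-06-25T10:15:02Z 10.0.0.33 GET http://cdn.example.net/statweb255.js 200
"""


def c2_indicators(urls):
    """Split the C2 URLs into a host set and a URI-path set so each can be matched on its own."""
    hosts, paths = set(), set()
    for url in urls:
        parsed = urlparse(url)
        hosts.add(parsed.hostname.lower())
        paths.add(parsed.path)
    return hosts, paths


def scan_proxy_log(log_text, hosts, paths):
    """Return one hit per log line that touches a listed C2 host, or the C2 path on any host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than guess
        timestamp, client, method, url, status = parts[:5]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in hosts:
            reason = "known C2 host"
        elif parsed.path in paths:
            # exact path match only: /statweb255.js on the last sample line must not fire
            reason = "C2 path on unlisted host"
        else:
            continue
        hits.append({"timestamp": timestamp, "client": client, "host": host,
                     "url": url, "reason": reason})
    return hits


if __name__ == "__main__":
    known_hosts, known_paths = c2_indicators(C2_URLS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, known_hosts, known_paths):
        print(f'{hit["timestamp"]} {hit["client"]} -> {hit["host"]}: {hit["reason"]}')
```

The path-only rule is deliberately weaker than the host rule: treat it as a lead to confirm against the client's other traffic, since an unrelated site could use the same path string.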

Targets

    • Target

      e142f4e8eb3fb4323fb377138.exe

    • Size

      281KB

    • MD5

      9769c181ecef69544bbb2f974b8c0e10

    • SHA1

      5d0f447f4ccc89d7d79c0565372195240cdfa25f

    • SHA256

      e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

    • SHA512

      b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a

    • SSDEEP

      3072:Z5SXIMALRKEttgCWAbi1D1fJmxIV0BN3omE9MA5yXsztcJe9:GIMpEtCCWAbiBRmE9o6

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies boot configuration data using bcdedit

    • Renames multiple (407) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
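Added example (not from the sandbox report or the sample's own code): the behaviours above that inhibit recovery (shadow copy deletion, wbadmin catalog deletion, bcdedit changes), modify the firewall and add a Run key all surface as process command lines, so a responder can score them from process-creation telemetry. The events below are constructed; the specific netsh and reg.exe forms are one common way these behaviours appear and are assumptions, since the report does not show the exact commands. ATT&CK IDs use current naming (T1490, T1562.004, T1547.001), not the v6 numbering the report header refers to.

```python
"""Classify process-creation command lines into the behaviours the report attributes to this sample."""
import re

# (behaviour label as worded in the report, current ATT&CK technique, pattern over the command line)
RULES = [
    ("Deletes shadow copies", "T1490",
     re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b', re.I)),
    ("Deletes backup catalog", "T1490",
     re.compile(r'\bwbadmin(?:\.exe)?\s+delete\s+catalog\b', re.I)),
    ("Modifies boot configuration data using bcdedit", "T1490",
     re.compile(r'\bbcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b', re.I)),
    ("Modifies Windows Firewall", "T1562.004",   # assumed netsh form
     re.compile(r'\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b', re.I)),
    ("Adds Run key to start application", "T1547.001",   # assumed reg.exe form
     re.compile(r'\breg(?:\.exe)?\s+add\s+"?HK(?:LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b', re.I)),
]

# Constructed process-creation events; PIDs, paths and C:\Users\Public\svc.exe are made up.
SAMPLE_EVENTS = [
    {"pid": 4012, "cmdline": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4012, "cmdline": r"cmd.exe /c wbadmin delete catalog -quiet"},
    {"pid": 4020, "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    {"pid": 4024, "cmdline": r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4030, "cmdline": r"netsh advfirewall set currentprofile state off"},
    {"pid": 4036, "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d C:\Users\Public\svc.exe'},
    {"pid": 4040, "cmdline": r"vssadmin list shadows"},            # benign: enumerates, does not delete
    {"pid": 4044, "cmdline": r"notepad.exe C:\Users\Public\notes.txt"},
]


def classify(events):
    """Return one hit per (event, rule) match with the report's behaviour label and technique."""
    hits = []
    for event in events:
        for label, technique, pattern in RULES:
            if pattern.search(event["cmdline"]):
                hits.append({"pid": event["pid"], "behaviour": label,
                             "technique": technique, "cmdline": event["cmdline"]})
    return hits


def inhibit_recovery_score(hits):
    """Count distinct T1490 behaviours. A lone vssadmin call can be admin work; shadow copy
    deletion, catalog deletion and bcdedit recovery changes together are the ransomware pattern."""
    return len({h["behaviour"] for h in hits if h["technique"] == "T1490"})


def summarize(events):
    """Roll the hits up into what a responder wants first: techniques seen and whether the
    inhibit-recovery chain is present (two or more distinct T1490 behaviours)."""
    hits = classify(events)
    score = inhibit_recovery_score(hits)
    return {
        "techniques": sorted({h["technique"] for h in hits}),
        "inhibit_recovery_behaviours": score,
        "ransomware_pattern": score >= 2,
    }


if __name__ == "__main__":
    for hit in classify(SAMPLE_EVENTS):
        print(f'pid {hit["pid"]:>5}  {hit["technique"]:<10} {hit["behaviour"]}')
    print(summarize(SAMPLE_EVENTS))
```

Thresholding on distinct recovery-inhibition behaviours rather than on any single command keeps backup maintenance scripts (which legitimately call vssadmin or wbadmin on their own) from tripping the ransomware verdict.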

MITRE ATT&CK Enterprise v6

Tasks