Analysis
-
max time kernel
161s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
30-06-2023 12:23
General
-
Target
20b4ea1f84a5e558f9665e34dde6f63139f0d71308d7175b2b19f7d7a27415b6.exe
-
Size
302KB
-
MD5
788bcefc172f4791f5e2be99c89c46b6
-
SHA1
4b7d3afd67739698137752e48d5155a45e466b76
-
SHA256
20b4ea1f84a5e558f9665e34dde6f63139f0d71308d7175b2b19f7d7a27415b6
-
SHA512
0ec74fceb28eb80b38088ffa1168fc59d44f36c84c1cef3807c7eb76159d3d0402d764b74335d0dda464fd8b2b5817b3d43a50ebc92a081fdd0756f36639a839
-
SSDEEP
6144:2+y6QL07GszPe06qLv0gnZJA8XD3cAyjEvJE:SQ7vN680gnTDMAyo
Malware Config
Extracted
smokeloader
2023
Extracted
smokeloader
2022
http://c3g6gx853u6j.xyz/
http://04yh16065cdi.xyz/
http://33qd2w560vnx.xyz/
http://neriir0f76gr.com/
http://b4y08hrp3jdb.com/
http://swp6fbywla09.com/
http://7iqt53dr345u.com/
http://mj4aj8r55mho.com/
http://ne4ym7bjn1ts.com/
Extracted
laplas
http://45.159.189.105
-
api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Extracted
laplas
http://45.159.189.105
-
api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\20b4ea1f84a5e558f9665e34dde6f63139f0d71308d7175b2b19f7d7a27415b6.exe"C:\Users\Admin\AppData\Local\Temp\20b4ea1f84a5e558f9665e34dde6f63139f0d71308d7175b2b19f7d7a27415b6.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E4D2.exeC:\Users\Admin\AppData\Local\Temp\E4D2.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5b109489b8bb8ca8d3c5381dd2969ddaf
SHA1d9579ddc7520d109cb04eb79e47effafb842134a
SHA256379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9
SHA512f967b83e22831b814f8ac92c5438af1c47b34321feda3b779ab65e70d8e8192ece86e4482d870b6fb37734fa689f10652ff57ab71388988f71a15290772557ac
-
Filesize
1.9MB
MD5b109489b8bb8ca8d3c5381dd2969ddaf
SHA1d9579ddc7520d109cb04eb79e47effafb842134a
SHA256379b9ee5c7de68fe8174c3f6668b2629ef40df26dfbb472deee14dbb79cc8fa9
SHA512f967b83e22831b814f8ac92c5438af1c47b34321feda3b779ab65e70d8e8192ece86e4482d870b6fb37734fa689f10652ff57ab71388988f71a15290772557ac
-
Filesize
312.4MB
MD5779160cce9311076c11f09a028154ee5
SHA1a3d9e600943bd43a9174b3df92a2979316508784
SHA25694f0b14fbb6c0e12477fb07250dc0b5c221cd7fc8d155e3d4ff7086033328b2a
SHA512a717439ab16ab477564c33f2005fe2c954d14e0103153c41a671c0faf81a1b9d3e89dce83d2181c9636ea77f0bce4a5b9437bb4d966ebed05af8b632ccbe27a5
-
Filesize
303.5MB
MD589b446fbfb96c7e7b1559204f575d737
SHA1cfc2019d4c47039cccc674d8eb8decf22aec111c
SHA256d3da099e4a636885bced9376484e2322368d2c54bf3ecea5e4e95e76064100a3
SHA512cfce5e8fc9d1fb3adb441d47bfaedcc266e54f8e339d3362336027d0c5c16f04c02f4dd8bd1d79312bab79b2515dad033c396a570dd7db210bb7b0f04609a464
-
Filesize
52KB
-
Filesize
48KB
-
Filesize
52KB
-
Filesize
48KB
-
Filesize
24.9MB
-
Filesize
24.9MB
-
Filesize
3.8MB
-
Filesize
24.9MB
-
Filesize
24.9MB
-
Filesize
24.9MB
-
Filesize
24.9MB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
48KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
3.8MB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
3.8MB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
24.9MB
-
Filesize
24.9MB
-
Filesize
24.9MB
-
Filesize
24.9MB
-
Filesize
24.9MB
-
Filesize
24.9MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
40.2MB
-
Filesize
40.2MB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
44KB