Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
07-08-2023 02:29
General
-
Target
eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe
-
Size
164KB
-
MD5
1b94e6504da7365a7ac9e5f1c37ea714
-
SHA1
b2c784470f5400680f275943aacfcbef6cda5c88
-
SHA256
eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
-
SHA512
6b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e
-
SSDEEP
3072:sSGL9TvjYP99HQjQQeTXE61nB1KpyehJqCFQUDjp5AJ:IL9jjYlaQ9E6B2yeHPOJ
Malware Config
Extracted
smokeloader
summ
Extracted
smokeloader
2022
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
Extracted
systembc
discordcdn8839248.com:4327
chinabar821994.com:4327
Signatures
-
Detect rhadamanthys stealer shellcode 9 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe"C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\1CC2.exeC:\Users\Admin\AppData\Local\Temp\1CC2.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 963⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\8066.exeC:\Users\Admin\AppData\Local\Temp\8066.exe2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\system32\certreq.exe"C:\Windows\system32\certreq.exe"2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {DE798640-7C44-4034-BA61-75A0EC77F857} S-1-5-21-1024678951-1535676557-2778719785-1000:KDGGTDCU\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ujbhvdjC:\Users\Admin\AppData\Roaming\ujbhvdj2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Microsoft\OyjjrgD4.exe"C:\Users\Admin\AppData\Local\Microsoft\OyjjrgD4.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5c5a5ef7183867a8b2ee983f79063ecac
SHA1abbfdc8edea5c57cced1b41a064597767e4c3c1c
SHA256f1d3a356b8d7090c2b4ff09837a6120734bb9c10cb87a4d634dca990ec10b253
SHA512c3af7385f25b57914d9449216e824d0c074f77e5dfaa107ba6e1d19a7eda5f4c2f8cec5aa204997c0e315d4e5af55dc8da4b8a68a6b1633f87f7b5edcf211147
-
Filesize
274KB
MD50ec87a33cee1594c1808267bc677d827
SHA11e078fb607d12ccdd11da03f9503ca64cb9fde32
SHA256111cc14cd4d6e43d11cd1bef261e75313c9f7f9528abf6dc0f98878cc14b189a
SHA51203613e2615d47701893e784f39a82fdcb8d30f563d65f3f890d73e0ccfd07a38cbcd2e8976cabc64478880b03cf3c334e4712f6c20ed25f2c562ea942abf4551
-
Filesize
2.9MB
MD554631210ad8202513b794956c59e67a7
SHA1dccb8282ba756c270ef7d1f0f2a034f164ec123b
SHA2561decacd4ba1021711f1a1ff1d14a2453965e211bee8e50533c4d6a2997ace6d4
SHA512c1086de1ef79d3e4f7f35f18ea678546bd2e7cc2d5dde0e17d63eaee4ae6a0be9796d61bcad125b974b5372286ee08fe284faeca71296859892756b8cbdf91c3
-
Filesize
2.9MB
MD554631210ad8202513b794956c59e67a7
SHA1dccb8282ba756c270ef7d1f0f2a034f164ec123b
SHA2561decacd4ba1021711f1a1ff1d14a2453965e211bee8e50533c4d6a2997ace6d4
SHA512c1086de1ef79d3e4f7f35f18ea678546bd2e7cc2d5dde0e17d63eaee4ae6a0be9796d61bcad125b974b5372286ee08fe284faeca71296859892756b8cbdf91c3
-
Filesize
495KB
MD54c224ad23e402d58bbd23023bf883dc0
SHA167cbaf4b24ccf90ca845626d1ed97831ef0dd55b
SHA25674a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
SHA5125aad2b848d6098c8cdbf58ce115ac832826e82f803aaaca5625197c445d3849f6cb256aaeeebed4bd3a5b0db92f0f957ee5de79312f4fc4b9769f8deae0b5766
-
Filesize
495KB
MD54c224ad23e402d58bbd23023bf883dc0
SHA167cbaf4b24ccf90ca845626d1ed97831ef0dd55b
SHA25674a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
SHA5125aad2b848d6098c8cdbf58ce115ac832826e82f803aaaca5625197c445d3849f6cb256aaeeebed4bd3a5b0db92f0f957ee5de79312f4fc4b9769f8deae0b5766
-
Filesize
495KB
MD54c224ad23e402d58bbd23023bf883dc0
SHA167cbaf4b24ccf90ca845626d1ed97831ef0dd55b
SHA25674a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
SHA5125aad2b848d6098c8cdbf58ce115ac832826e82f803aaaca5625197c445d3849f6cb256aaeeebed4bd3a5b0db92f0f957ee5de79312f4fc4b9769f8deae0b5766
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize
164KB
MD51b94e6504da7365a7ac9e5f1c37ea714
SHA1b2c784470f5400680f275943aacfcbef6cda5c88
SHA256eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
SHA5126b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e
-
Filesize
164KB
MD51b94e6504da7365a7ac9e5f1c37ea714
SHA1b2c784470f5400680f275943aacfcbef6cda5c88
SHA256eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
SHA5126b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e
-
Filesize
2.9MB
MD554631210ad8202513b794956c59e67a7
SHA1dccb8282ba756c270ef7d1f0f2a034f164ec123b
SHA2561decacd4ba1021711f1a1ff1d14a2453965e211bee8e50533c4d6a2997ace6d4
SHA512c1086de1ef79d3e4f7f35f18ea678546bd2e7cc2d5dde0e17d63eaee4ae6a0be9796d61bcad125b974b5372286ee08fe284faeca71296859892756b8cbdf91c3
-
Filesize
2.9MB
MD554631210ad8202513b794956c59e67a7
SHA1dccb8282ba756c270ef7d1f0f2a034f164ec123b
SHA2561decacd4ba1021711f1a1ff1d14a2453965e211bee8e50533c4d6a2997ace6d4
SHA512c1086de1ef79d3e4f7f35f18ea678546bd2e7cc2d5dde0e17d63eaee4ae6a0be9796d61bcad125b974b5372286ee08fe284faeca71296859892756b8cbdf91c3
-
Filesize
2.9MB
MD554631210ad8202513b794956c59e67a7
SHA1dccb8282ba756c270ef7d1f0f2a034f164ec123b
SHA2561decacd4ba1021711f1a1ff1d14a2453965e211bee8e50533c4d6a2997ace6d4
SHA512c1086de1ef79d3e4f7f35f18ea678546bd2e7cc2d5dde0e17d63eaee4ae6a0be9796d61bcad125b974b5372286ee08fe284faeca71296859892756b8cbdf91c3
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
31.1MB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
1024KB
-
Filesize
448KB
-
Filesize
31.1MB
-
Filesize
28KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
1024KB
-
Filesize
31.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
30.9MB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
908KB
-
Filesize
908KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
908KB
-
Filesize
908KB
-
Filesize
1024KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
12KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.7MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB
-
Filesize
1.7MB
-
Filesize
12KB
-
Filesize
1.7MB
-
Filesize
8KB
-
Filesize
44KB
-
Filesize
44KB