General
Target: 6Js1_JC.bin
Size: 618KB
Sample: 230907-tqkwhabe98
MD5: 3f6d5376b6d40c82644287c7621dfc5b
SHA1: f54b9ed42b60eb6793cd55ed25e6f2bd6120218f
SHA256: 94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e
SHA512: 3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c
SSDEEP: 12288:vbNq3U22k24PnuBvJTvfIVcmaBhIaQBanLFHL4UhnPtJHKFm5fto1XGTI:zI24PuvJTEYHLzhnPwU1cL
Static task: static1
Behavioral task: behavioral1 (Sample: 6Js1_JC.exe; Resource: win7-20230831-en)
Behavioral task: behavioral2 (Sample: 6Js1_JC.exe; Resource: win10v2004-20230831-en)
Malware Config
Extracted: smokeloader (2022)
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Targets
Target: 6Js1_JC.bin (618KB; hashes as listed under General)
- AmmyyAdmin payload
- FlawedAmmyy RAT: Remote-access trojan based on leaked code for the Ammyy remote admin software.
- Blocklisted process makes network request
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext