Overview

overview

10

Static

static

7

13e73d2d88...b3.exe

windows7-x64

10

13e73d2d88...b3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    13e73d2d887d4795826e1b67a01d85eba735fc4bb69d5149b5e94ef9ba3764b3

  • Size

    4.0MB

  • Sample

    231112-nxbcraff98

  • MD5

    b39d30d98988ced35553febddd654fa1

  • SHA1

    68e26d3ce991ce8b0047f319c50b501cf25ae1b6

  • SHA256

    13e73d2d887d4795826e1b67a01d85eba735fc4bb69d5149b5e94ef9ba3764b3

  • SHA512

    3226a7624a9cceb1fec416da8f6fcf7838a351c4bd7f5d87147ae8130e6efe19608f21918df51329755326e48a9bdee872cd10bafdb7d8f9dd186cf75e8fd3ef

  • SSDEEP

    98304:HYMeRQg6dSsn4zsZtNijfpYS7SEawe1BrTkB8:4Mq6JZtY9M1BX

Score
10/10
bitratsmokeloaderbackdoorcollectionpersistencetrojanvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://gululugu.zzz.com.ua/

http://gululugu2.zzz.com.ua/
rc4.i32
rc4.i32

Extracted

Family

bitrat

Version

1.38

C2

185.31.111.198:25001

Attributes
  • communication_password

    d7dcd79b773dc85c89b84862cdedb6cf

  • install_dir

    temp

  • install_file

    system.exe

  • tor_process

    tor

Targets

    • Target

      13e73d2d887d4795826e1b67a01d85eba735fc4bb69d5149b5e94ef9ba3764b3

    • Size

      4.0MB

    • MD5

      b39d30d98988ced35553febddd654fa1

    • SHA1

      68e26d3ce991ce8b0047f319c50b501cf25ae1b6

    • SHA256

      13e73d2d887d4795826e1b67a01d85eba735fc4bb69d5149b5e94ef9ba3764b3

    • SHA512

      3226a7624a9cceb1fec416da8f6fcf7838a351c4bd7f5d87147ae8130e6efe19608f21918df51329755326e48a9bdee872cd10bafdb7d8f9dd186cf75e8fd3ef

    • SSDEEP

      98304:HYMeRQg6dSsn4zsZtNijfpYS7SEawe1BrTkB8:4Mq6JZtY9M1BX

    Score
    10/10
    bitratsmokeloaderbackdoorcollectionpersistencetrojanvmprotect

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks