General
-
Target
file.exe
-
Size
283KB
-
Sample
231205-24kfwsgf95
-
MD5
8134af8d8e50aef172ef56ac8858a6fa
-
SHA1
085ba62d0ab4c37a5bc976c4a1059ece260c9973
-
SHA256
54d47e722a046f32bbe88bbae4896282f71110917fa70a5159f6ef47e9d8fa04
-
SHA512
374f90aca6dc4fd1231544f54881c2b0c28fa9c13f0ea233593fda21330b5bf832ba692984a8ce76254c4c65d6aa7ed8a5674bdbce774ad5bbea32bd6db1a704
-
SSDEEP
3072:2hmea8dj5OyxaEx/d3TbMNKnv1nmo0U1SRLeUb/9Jrp81qZazZd38Ws:p1Kjvx/VTbMckj++hXreHZd
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20231130-en
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
Targets
-
-
Target
file.exe
-
Size
283KB
-
MD5
8134af8d8e50aef172ef56ac8858a6fa
-
SHA1
085ba62d0ab4c37a5bc976c4a1059ece260c9973
-
SHA256
54d47e722a046f32bbe88bbae4896282f71110917fa70a5159f6ef47e9d8fa04
-
SHA512
374f90aca6dc4fd1231544f54881c2b0c28fa9c13f0ea233593fda21330b5bf832ba692984a8ce76254c4c65d6aa7ed8a5674bdbce774ad5bbea32bd6db1a704
-
SSDEEP
3072:2hmea8dj5OyxaEx/d3TbMNKnv1nmo0U1SRLeUb/9Jrp81qZazZd38Ws:p1Kjvx/VTbMckj++hXreHZd
-
Glupteba payload
-
Raccoon Stealer V2 payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
3Disable or Modify Tools
2Modify Registry
4Virtualization/Sandbox Evasion
1Subvert Trust Controls
1Install Root Certificate
1