Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
05-12-2023 07:14
General
-
Target
file.exe
-
Size
265KB
-
MD5
d7752d31728c6341a41b3aa476fa3529
-
SHA1
d243602f189bf7c5978d929ffd4a9aa321712138
-
SHA256
08a646fa562d3e3f447b7001356424cc5d7c7296873a8d1d94be35bd52a3b58d
-
SHA512
6040276c9c6206132e2dced287bd4452222c494e4f1d4191d51dbd43861e8d02d2abaf704ebe12462a8fb2eb59431eca684a0d20ee25f7f0fe76d5a2d38973c0
-
SSDEEP
3072:Q7FaQEw9YltfXFZ/yxSeLjRtrgssGbuHhmPcuddu2M93fzC7G/56YEZ4:oFHP0vFZ6xSehtzFjzAvzC
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2022
http://humydrole.com/tmp/index.php
http://trunk-co.ru/tmp/index.php
http://weareelight.com/tmp/index.php
http://pirateking.online/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Signatures
-
Detect PureLogs payload 3 IoCs
-
PureLogs
PureLogs is an infostealer written in C#.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\AC75.exeC:\Users\Admin\AppData\Local\Temp\AC75.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD590c99127993e7d99197eb88ea2e82806
SHA17ff88701a269f8e4eb122cbc48e0ff515764a43d
SHA256c3ab62bb1d1ae51c68f9ab5bab2fb7bcf6eed8755ed543e23424375f0329f6f5
SHA512f9a7f6233eb7d44bd8c470a07e224ca44290635d7e8d0cd78df0801fb510ebd09e648fb5340a73cbb57f2395ae4b92e496627a4c5b23c5845a531662f81ae825
-
Filesize
2.8MB
MD590c99127993e7d99197eb88ea2e82806
SHA17ff88701a269f8e4eb122cbc48e0ff515764a43d
SHA256c3ab62bb1d1ae51c68f9ab5bab2fb7bcf6eed8755ed543e23424375f0329f6f5
SHA512f9a7f6233eb7d44bd8c470a07e224ca44290635d7e8d0cd78df0801fb510ebd09e648fb5340a73cbb57f2395ae4b92e496627a4c5b23c5845a531662f81ae825
-
Filesize
504KB
-
Filesize
504KB
-
Filesize
504KB
-
Filesize
504KB
-
Filesize
4KB
-
Filesize
504KB
-
Filesize
504KB
-
Filesize
504KB
-
Filesize
504KB
-
Filesize
504KB
-
Filesize
88KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
872KB
-
Filesize
304KB
-
Filesize
2.9MB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
872KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
872KB