Overview

overview

10

Static

static

3

WEXTRACT.exe

windows7-x64

10

WEXTRACT.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WEXTRACT.exe

  • Size

    427KB

  • Sample

    240104-24h8tsecc5

  • MD5

    be982f88b4dc59376512980069e223e6

  • SHA1

    0e410efd5f98f96ae5cea91ea60a827db48bdb11

  • SHA256

    17c7cc079465da191a8ed1512b8088b869415f5bc5bccf3eb72b0820b7f35619

  • SHA512

    b763f0235689765d1aceefc76925cc6b714630e1760b6e221b378263e9019e18f5f2002bcbb242ce1016efbc0ff79d7645c3025e7b7a6f27daba02552377a197

  • SSDEEP

    6144:K2y+bnr+Bp0yN90QEF6VvTOaAJL63hsjz+7Ha3th4oIrfwXxp3DMgZtyXs2bBub9:+MrZy90KdIJLUxstfWfwXxpzMg+RQ9

Score
10/10
mysticsmokeloaderbackdoorpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Targets

    • Target

      WEXTRACT.exe

    • Size

      427KB

    • MD5

      be982f88b4dc59376512980069e223e6

    • SHA1

      0e410efd5f98f96ae5cea91ea60a827db48bdb11

    • SHA256

      17c7cc079465da191a8ed1512b8088b869415f5bc5bccf3eb72b0820b7f35619

    • SHA512

      b763f0235689765d1aceefc76925cc6b714630e1760b6e221b378263e9019e18f5f2002bcbb242ce1016efbc0ff79d7645c3025e7b7a6f27daba02552377a197

    • SSDEEP

      6144:K2y+bnr+Bp0yN90QEF6VvTOaAJL63hsjz+7Ha3th4oIrfwXxp3DMgZtyXs2bBub9:+MrZy90KdIJLUxstfWfwXxpzMg+RQ9

    Score
    10/10
    smokeloaderbackdoorpersistencetrojanmysticstealer

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

      stealermystic

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks