General
- Target: file
- Size: 245KB
- Sample: 240122-ly4dtadfeq
- MD5: 82802f337cfae13e680dc93fb67326fe
- SHA1: 603c64258d3882bd5eb7210a674f691892d84896
- SHA256: c21bbf910bb1b965f4adc57205591243b1f32ea41cbf5716472ec33fb0628614
- SHA512: b73c319f9b143b35578c131b19516415e11402d9e68647e4301c3de7d4d1ff22c3be664ca8923ae222e998734d8bf8a309f3bf76edaf2b304d78e3150eb61193
- SSDEEP: 3072:R5hh7/LwvwGXKJ/2WTZlwIBXW9bYT9r19eWGerzV1ODPtz2a5vO5AcRdZx:R5hd/LwY6KJTZqoW9WTx1OTtz5jqd
Static task
- static1
Malware Config
Extracted: smokeloader (2022)
- http://selebration17io.io/index.php
- http://vacantion18ffeu.cc/index.php
- http://valarioulinity1.net/index.php
- http://buriatiarutuhuob.net/index.php
- http://cassiosssionunu.me/index.php
- http://sulugilioiu19.net/index.php
- http://goodfooggooftool.net/index.php
- http://gxutc2c.com/tmp/index.php
- http://proekt8.ru/tmp/index.php
- http://mth.com.ua/tmp/index.php
- http://pirateking.online/tmp/index.php
- http://piratia.pw/tmp/index.php
- http://go-piratia.ru/tmp/index.php
Extracted: smokeloader (pub1)
Extracted: stealc
- http://185.172.128.79
- url_path: /3886d2276�6914c4.php
Targets
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detect Socks5Systemz Payload
- Glupteba payload
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard: Rootkits can use kernel patching to embed themselves in an operating system.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Pre-OS Boot (1): Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (3): Disable or Modify Tools (2)
- Modify Registry (4)
- Pre-OS Boot (1): Bootkit (1)
- Subvert Trust Controls (1): Install Root Certificate (1)