General
-
Target
basic.exe
-
Size
253KB
-
Sample
240204-1yp9hsdgcn
-
MD5
9a8b143fffb681bc102a279c5ce95c9f
-
SHA1
928d90aa435e7b16bbad8dc37afc5bda23053519
-
SHA256
f095ee1a9fd422f9a5800748836d9ed5fc41cd821e3e2e3b578f88c4ef6d1c8c
-
SHA512
818df38fda0d85353123a4cdf5ec1abf2a282a2008b6dcdb53c9db4982c9bbc89ea315a673250bd5f986263ddb3f9ed0950aa42cd8d9b2db64c3830974221c02
-
SSDEEP
3072:0GU27+ec+fm/+tdkbN0s8xph0LR/hSMXlk4ZqKFya5XB67TTlHAqv7:fm+fm/c88ph0lhSMXlBXBWnlHAqv
Static task
static1
Behavioral task
behavioral1
Sample
basic.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
basic.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
smokeloader
pub1
Extracted
amadey
4.14
http://anfesq.com
http://cbinr.com
http://rimakc.ru
-
install_dir
68fd3d7ade
-
install_file
Utsysc.exe
-
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
-
url_paths
/forum/index.php
Targets
-
-
Target
basic.exe
-
Size
253KB
-
MD5
9a8b143fffb681bc102a279c5ce95c9f
-
SHA1
928d90aa435e7b16bbad8dc37afc5bda23053519
-
SHA256
f095ee1a9fd422f9a5800748836d9ed5fc41cd821e3e2e3b578f88c4ef6d1c8c
-
SHA512
818df38fda0d85353123a4cdf5ec1abf2a282a2008b6dcdb53c9db4982c9bbc89ea315a673250bd5f986263ddb3f9ed0950aa42cd8d9b2db64c3830974221c02
-
SSDEEP
3072:0GU27+ec+fm/+tdkbN0s8xph0LR/hSMXlk4ZqKFya5XB67TTlHAqv7:fm+fm/c88ph0lhSMXlBXBWnlHAqv
-
Detect Fabookie payload
-
Detect ZGRat V1
-
Creates new service(s)
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Stops running service(s)
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1