Overview

overview

10

Static

static

3

1f435b3a62...22.exe

windows7-x64

10

1f435b3a62...22.exe

windows10-2004-x64

10

Resubmissions

08-02-2024 19:00

240208-xnla2ahe7z 10

08-02-2024 07:34

240208-jd5p2aefen 10

08-02-2024 04:47

240208-fevdxabb9y 10

Analysis

  • max time kernel
    60s
  • max time network
    79s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-02-2024 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe

  • Size

    5.5MB

  • MD5

    c4580e8db0c3dbc88891842fd8a31158

  • SHA1

    744f03fcf10db1459d3f40beaea2bfe1b000582b

  • SHA256

    1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922

  • SHA512

    cefd412e0d5aba56d6603fdc46a056474ce387dbb220b32a9317dca0822bef9320515afacc2ab2086db46f9e01b3456c87a0dc83bd99c246550d87efd3606945

  • SSDEEP

    98304:Fs9EI6sZJrf04Hr3VvPkrcRizJ6krK4JLQaEHlXU+vG9G1jMaZQRrkp:W+I6sU4HjZkwkVJo1+G1jMaZQpk

Score
10/10
gluptebasmokeloaderpub1backdoordropperevasionloadertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 7 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
    "C:\Users\Admin\AppData\Local\Temp\1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"
      2⤵
      • Executes dropped EXE
      PID:2160
    • C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
      • C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
        "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
        3⤵
        • Executes dropped EXE
        • Checks for VirtualBox DLLs, possible anti-VM trick
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:3168
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4656
          • C:\Windows\system32\netsh.exe
            netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            5⤵
            • Modifies Windows Firewall
            PID:3044
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:1544
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
            PID:2824
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            4⤵
              PID:2348
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                  PID:5112
          • C:\Users\Admin\AppData\Local\Temp\rty25.exe
            "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
            2⤵
            • Executes dropped EXE
            PID:3724
          • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
            "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
            2⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1360

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
          Filesize

          419KB

          MD5

          654abe1db0f972272b5b012914d9e5d6

          SHA1

          1ac7b42167369dcfa528837f13a2c80de7bcc161

          SHA256

          5f2bdf7f83ab075f7dafaf7493cbf4ab08d2e79b95cd3382621acfe73ba96094

          SHA512

          18823ab8a9a160ac169052ec210e6adb356190dc0644c8b5fd6f5ccbc8de2666c5e9d44ef90c954d5b6e948c81ef2666900c0fe40b7d5e4b644a39e8b93c1a12

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzfvxshl.yz0.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
          Filesize

          4.2MB

          MD5

          66560a15081c9dee9fed498d5f0a25a9

          SHA1

          fbd7626525777262423fb9beea1e5b7e50fda2b5

          SHA256

          11e2cfb1fb58a3f69826d5bc36e88fde44c53def20891739ea7054eaabf24551

          SHA512

          dbd84583c6248db88452ef12074aa668ee982a9fe18484611a1b6d67a7233f9f3fca466bc843dfbc227099a5fd67af24c98f2d5408b26f8cf9fd635f7c70ba07

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rty25.exe
          Filesize

          715KB

          MD5

          8dc1f88ae1fcedeb3983c5f5c3d486b0

          SHA1

          d40e67ba5558d90cb11eeca04d213322159336fc

          SHA256

          4a15d91920a4da9a64935248c126fb60e8302198df8e5759da8129ac1841beca

          SHA512

          0b2263fe049e280af1178fd396a06a04e6b99f7c971839207ae225161257ed9d9b7eaa8d0ceb1f14d3aa2094b53ce91dd045ebc169102e707ea7285f91432ac1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
          Filesize

          238KB

          MD5

          8c20d9745afb54a1b59131314c15d61c

          SHA1

          1975f997e2db1e487c1caf570263a6a3ba135958

          SHA256

          a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

          SHA512

          580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          3d086a433708053f9bf9523e1d87a4e8

          SHA1

          b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

          SHA256

          6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

          SHA512

          931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          94713883544abd47b5f3ccdb11ca3a3b

          SHA1

          0a0c64cfdf29eeee76d973d8961ed7c954cd471e

          SHA256

          cfd48c251c0b32f40bd2850266209bb2a433fb74956cab810adcc911bb5e465b

          SHA512

          1eedf695d5f2584803920ec821ece0169eb8070a1839b985b4d885915981f879a6bd09354f7d848975a60153ad82b3499f9b6e69c752996e0ebf5e428e5c8129

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          34e1d89da1f0025aacd92a97d9a21cfe

          SHA1

          60c6983afd37374aae53d41fcee2e82c41fb80ce

          SHA256

          f4401a367ad89a535a009891cd88677b2554138c79249b9aec0d47fe953d6d19

          SHA512

          2f1c8628d4198efff9ec7c83e6b320570a880989202572d8277e8ee1b26eb7cabe2e1b145cb369a16f88e86d9b3905a9319e9c04b643d64c0c45a9d0e1ecb89a

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          fc187427cb17370c6756aae527eef337

          SHA1

          60410e6b3d6b10cdc786d395313ee245351679b7

          SHA256

          057793a915d2244b46512316fd988adceebf5aece45169d67782f8ae43309f0f

          SHA512

          b74c36ac34fd82d8903dbad97c0e620ef7442d5dc89eb439086f4c4de666e099d3df6a77ec034d3098bf07cc9da4c74c23289777350d9380a8745155008784c9

          Download Submit

        • memory/1200-86-0x0000000002930000-0x0000000002D29000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1200-50-0x0000000002930000-0x0000000002D29000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1200-124-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1200-67-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1200-56-0x0000000002E30000-0x000000000371B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/1200-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1360-52-0x0000000000510000-0x0000000000610000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1360-53-0x00000000004E0000-0x00000000004EB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1360-54-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1360-59-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1544-177-0x0000000070AE0000-0x0000000070B2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1544-176-0x00000000027B0000-0x00000000027C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1544-162-0x0000000074C40000-0x00000000753F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1544-163-0x00000000027B0000-0x00000000027C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1544-164-0x00000000027B0000-0x00000000027C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1544-174-0x0000000005CF0000-0x0000000006044000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2160-51-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2160-123-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2160-49-0x00000000004D0000-0x00000000005D0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2160-190-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2160-83-0x00000000004D0000-0x00000000005D0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2160-55-0x00000000020F0000-0x0000000002157000-memory.dmp

          Filesize

          412KB

          Download

        • memory/2976-0-0x0000000075240000-0x00000000759F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2976-48-0x0000000075240000-0x00000000759F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2976-1-0x0000000000B60000-0x00000000010F0000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3168-154-0x0000000007790000-0x00000000077A4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/3168-140-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3168-127-0x0000000074C40000-0x00000000753F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3168-157-0x0000000074C40000-0x00000000753F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3168-128-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3168-153-0x0000000007740000-0x0000000007751000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3168-152-0x0000000007440000-0x00000000074E3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/3168-142-0x0000000071280000-0x00000000715D4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3168-141-0x0000000070AE0000-0x0000000070B2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3168-129-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3168-139-0x0000000005CC0000-0x0000000006014000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3380-58-0x0000000002C20000-0x0000000002C36000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3724-37-0x00007FF7A30E0000-0x00007FF7A3197000-memory.dmp

          Filesize

          732KB

          Download

        • memory/3952-161-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3952-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3952-126-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3952-125-0x00000000028D0000-0x0000000002CD1000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/5072-63-0x0000000074C40000-0x00000000753F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/5072-120-0x0000000074C40000-0x00000000753F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/5072-117-0x0000000007430000-0x0000000007438000-memory.dmp

          Filesize

          32KB

          Download

        • memory/5072-116-0x0000000007450000-0x000000000746A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/5072-115-0x00000000072C0000-0x00000000072D4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/5072-114-0x00000000072B0000-0x00000000072BE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/5072-113-0x0000000007270000-0x0000000007281000-memory.dmp

          Filesize

          68KB

          Download

        • memory/5072-112-0x0000000007310000-0x00000000073A6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/5072-111-0x0000000007240000-0x000000000724A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5072-110-0x0000000007150000-0x00000000071F3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/5072-109-0x00000000070F0000-0x000000000710E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5072-95-0x0000000074C40000-0x00000000753F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/5072-99-0x0000000070C70000-0x0000000070FC4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5072-97-0x000000007FAC0000-0x000000007FAD0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5072-98-0x0000000070AE0000-0x0000000070B2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5072-96-0x0000000007110000-0x0000000007142000-memory.dmp

          Filesize

          200KB

          Download

        • memory/5072-91-0x0000000006F70000-0x0000000006F8A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/5072-90-0x00000000075F0000-0x0000000007C6A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/5072-89-0x0000000006CF0000-0x0000000006D66000-memory.dmp

          Filesize

          472KB

          Download

        • memory/5072-88-0x0000000002660000-0x0000000002670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5072-87-0x00000000060F0000-0x0000000006134000-memory.dmp

          Filesize

          272KB

          Download

        • memory/5072-85-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5072-81-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5072-80-0x00000000055A0000-0x00000000058F4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5072-70-0x0000000005520000-0x0000000005586000-memory.dmp

          Filesize

          408KB

          Download

        • memory/5072-69-0x00000000054B0000-0x0000000005516000-memory.dmp

          Filesize

          408KB

          Download

        • memory/5072-68-0x0000000004BE0000-0x0000000004C02000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5072-65-0x0000000004D80000-0x00000000053A8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/5072-64-0x0000000002660000-0x0000000002670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5072-62-0x00000000025A0000-0x00000000025D6000-memory.dmp

          Filesize

          216KB

          Download