General
Target: setup.exe
Size: 728.0MB
Sample: 240212-jz97msac87
MD5: 07491f43c88bce94ec2ae34a0ab19813
SHA1: c695ece633f8345ffa1bdb4c997a278399394cd9
SHA256: de7060ab1263374c8d99053b32378f4d4f307049c40aa80175ce974b84f31261
SHA512: 259f3a1aef6e23a3515dcfb576cee8c54665b6fbd081bcf4702ba8fe031dc208abb1fd4cfdfa9780182615388153878d632d67773a653112483c09273c56930c
SSDEEP: 98304:D/tdo9NaPpHP2QjU7LM2k6L7ifhlAe50f5Z2tc1/luH7333ZI:D/jYoxH/jiAA6E6tc1/luV
Behavioral task: behavioral1
Sample: setup.exe
Resource: win7-20231129-en
Malware Config
Configs for four families were extracted from this one run, so the indicators below belong to payloads the sample downloads and executes (see the signatures further down), not only to setup.exe itself.

Extracted: risepro
C2: 193.233.132.67:50500

Extracted: smokeloader
Botnet: pub3

Extracted: smokeloader
Version: 2022
C2:
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php

Extracted: tofsee
C2:
vanaheim.cn
jotunheim.name

Extracted: stealc
C2: http://185.172.128.24
url_path: /f993692117a3fda2.php
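The extracted configs above are only useful once they are turned into hunt-ready indicators: a host list for DNS/firewall blocking and complete C2 endpoints (Stealc's config splits its base URL from url_path, so the two have to be joined). The following is an added example, not Triage's own parser; CONFIG_TEXT is the Malware Config block copied from the report, while the Indicator shape, the function names and the classification rules are my own.

```python
# Added example (not Triage's own parser): normalise the "Malware Config"
# block above into hunt-ready indicators.  CONFIG_TEXT is that block copied
# verbatim from the report; Indicator and the helper names are my own.
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

CONFIG_TEXT = """\
Extracted
risepro
193.233.132.67:50500
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Extracted
tofsee
vanaheim.cn
jotunheim.name
Extracted
stealc
http://185.172.128.24
-
url_path
/f993692117a3fda2.php
"""

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

@dataclass(frozen=True)
class Indicator:
    family: str
    kind: str                  # url | ip_port | domain | url_path | tag
    value: str                 # raw token as it appears in the report
    host: str = ""             # hostname or IP for network indicators
    port: Optional[int] = None
    path: str = ""

def classify(family: str, token: str) -> Indicator:
    """One config line -> Indicator.  Unknown tokens (botnet id 'pub3',
    version '2022') are kept as kind='tag' rather than silently dropped."""
    if token.startswith(("http://", "https://")):
        u = urlsplit(token)
        return Indicator(family, "url", token, u.hostname or "", u.port, u.path)
    m = IP_PORT.match(token)
    if m:
        return Indicator(family, "ip_port", token, m.group(1), int(m.group(2)))
    if DOMAIN.match(token):
        return Indicator(family, "domain", token, token.lower())
    return Indicator(family, "tag", token)

def parse_config(text: str) -> List[Indicator]:
    """'Extracted' + name opens a family section; a lone '-' introduces a
    key/value pair (key, then value, on the next two lines); any other
    line is an indicator for the current family."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    out: List[Indicator] = []
    family, i = "unknown", 0
    while i < len(lines):
        if lines[i] == "Extracted" and i + 1 < len(lines):
            family, i = lines[i + 1], i + 2
        elif lines[i] == "-" and i + 2 < len(lines):
            key, val = lines[i + 1], lines[i + 2]
            out.append(Indicator(family, key, val, path=val if key == "url_path" else ""))
            i += 3
        else:
            out.append(classify(family, lines[i]))
            i += 1
    return out

def network_hosts(indicators: List[Indicator]) -> List[str]:
    """Deduplicated domains/IPs for a DNS sinkhole or firewall blocklist."""
    return sorted({i.host for i in indicators if i.host})

def full_c2_urls(indicators: List[Indicator]) -> List[str]:
    """Complete C2 endpoints.  Stealc's config separates the base URL from
    url_path, so those are joined; other families' URLs are already whole."""
    urls: List[str] = []
    for ind in indicators:
        if ind.kind != "url":
            continue
        paths = [p.value for p in indicators
                 if p.family == ind.family and p.kind == "url_path"]
        if paths and not ind.path:
            urls.extend(ind.value.rstrip("/") + p for p in paths)
        else:
            urls.append(ind.value)
    return urls
```

Run `parse_config(CONFIG_TEXT)` and feed the result to `network_hosts` for a 16-entry blocklist and to `full_c2_urls` for the 13 complete endpoints; the two `tag` indicators (pub3, 2022) stay in the list so they can be matched against other reports of the same SmokeLoader campaign.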
Targets
Target: setup.exe (size and hashes as under General above)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Creates new service(s)
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
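Four of the signatures above (VirtualBox ACPI values, BIOS information, computer location, installed software) are registry reads, and knowing the exact keys is what lets you harden a sandbox against them or filter for them in Procmon. The block below is an added example, not Triage's signature code: collect() reads those keys on a live Windows host through the standard winreg module, and assess() applies the same reasoning to a plain dict so it also runs against the constructed snapshots on any OS. The hypervisor marker strings, the GeoID geofence set (the report only says "likely geofence") and the "few installed programs" threshold are my assumptions.

```python
# Added example, not Triage's signature code: the registry locations behind
# the anti-VM / BIOS / geofence / installed-software signatures, plus the
# kind of heuristic a sample applies to them.  VM_MARKERS, GEOFENCE and
# MIN_INSTALLED are assumptions; the key paths are the documented Windows ones.
import sys
from typing import Any, Dict, List

ACPI_TABLES = ("DSDT", "FADT", "RSDT")   # subkeys of HKLM\HARDWARE\ACPI\<table> are OEM ids
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN")
GEOFENCE = {"203": "Russia", "241": "Ukraine", "29": "Belarus", "137": "Kazakhstan"}  # assumed set
MIN_INSTALLED = 5                        # fewer Uninstall entries than this looks like a fresh VM
UNINSTALL_KEYS = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                  r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall")

def _subkeys(winreg, hive, path) -> List[str]:
    """Names of all subkeys under hive\\path (empty if the key is absent)."""
    names: List[str] = []
    try:
        with winreg.OpenKey(hive, path) as k:
            i = 0
            while True:
                try:
                    names.append(winreg.EnumKey(k, i))
                    i += 1
                except OSError:          # no more subkeys
                    break
    except OSError:
        pass
    return names

def _value(winreg, hive, path, name, default=""):
    try:
        with winreg.OpenKey(hive, path) as k:
            return winreg.QueryValueEx(k, name)[0]
    except OSError:
        return default

def collect() -> Dict[str, Any]:
    """Windows only: read exactly the keys the signatures describe."""
    import winreg
    HKLM, HKCU = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER
    sysdesc = r"HARDWARE\DESCRIPTION\System"
    installed = [_value(winreg, HKLM, f"{base}\\{sub}", "DisplayName")
                 for base in UNINSTALL_KEYS for sub in _subkeys(winreg, HKLM, base)]
    return {
        "acpi_oem_ids": [n for t in ACPI_TABLES for n in _subkeys(winreg, HKLM, rf"HARDWARE\ACPI\{t}")],
        "system_bios_version": _value(winreg, HKLM, sysdesc, "SystemBiosVersion", []),  # REG_MULTI_SZ
        "video_bios_version": _value(winreg, HKLM, sysdesc, "VideoBiosVersion", []),    # REG_MULTI_SZ
        "geo_nation": str(_value(winreg, HKCU, r"Control Panel\International\Geo", "Nation")),
        "installed_software": [d for d in installed if d],
    }

def _strings(v) -> List[str]:
    return [str(x) for x in (v if isinstance(v, (list, tuple)) else [v])]

def assess(snap: Dict[str, Any]) -> List[str]:
    """Reasons a sample doing these checks would treat the box as an analysis
    environment or an out-of-scope victim; an empty list means it looks clean."""
    findings: List[str] = []
    for oem in snap.get("acpi_oem_ids", []):
        if any(m in oem.upper() for m in VM_MARKERS):
            findings.append(f"ACPI table OEM id '{oem}' reveals a hypervisor")
    for key in ("system_bios_version", "video_bios_version"):
        for s in _strings(snap.get(key, [])):
            if any(m in s.upper() for m in VM_MARKERS):
                findings.append(f"{key} '{s}' reveals a hypervisor")
    nation = snap.get("geo_nation", "")
    if nation in GEOFENCE:
        findings.append(f"GeoID {nation} ({GEOFENCE[nation]}) is inside the assumed geofence")
    n = len(snap.get("installed_software", []))
    if n < MIN_INSTALLED:
        findings.append(f"only {n} Uninstall entries: looks like a freshly built VM")
    return findings

# Constructed snapshots (not taken from the report): a stock VirtualBox
# sandbox and a used workstation, in the shape collect() returns.
VBOX_SANDBOX = {
    "acpi_oem_ids": ["VBOX__"],
    "system_bios_version": ["VBOX   - 1"],
    "video_bios_version": ["Oracle VM VirtualBox Version 6.1.38 VGA BIOS"],
    "geo_nation": "244",
    "installed_software": ["Python 3.11", "7-Zip"],
}
WORKSTATION = {
    "acpi_oem_ids": ["LENOVO"],
    "system_bios_version": ["LENOVO - 1", "N2CET62W (1.45 )"],
    "video_bios_version": ["Intel Video BIOS"],
    "geo_nation": "244",
    "installed_software": ["Google Chrome", "Microsoft 365", "7-Zip", "Slack", "Zoom", "Git"],
}

if __name__ == "__main__":
    snap = collect() if sys.platform == "win32" else VBOX_SANDBOX
    print("\n".join(assess(snap)) or "no environment tells found")
```

On a sandbox, run it once and clear every finding it prints (rename the ACPI OEM ids and BIOS strings at the hypervisor level, install a plausible set of applications, and keep the GeoID outside any suspected geofence); a sample running the checks listed in the signatures will otherwise exit before dropping its payloads.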
MITRE ATT&CK Enterprise v15
Numbers in parentheses are the count of signatures mapped to each technique.
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder, T1547.001 (1)
  Create or Modify System Process (2)
    Windows Service, T1543.003 (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder, T1547.001 (1)
  Create or Modify System Process (2)
    Windows Service, T1543.003 (2)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall, T1562.004 (1)
  Modify Registry, T1112 (1)
  Virtualization/Sandbox Evasion, T1497 (1)