Overview (score 10/10)
Static (score 7/10)

Analysis tasks (file, platform, score)
ICQLiteShell.dll          windows7-x64          1
ICQLiteShell.dll          windows10-2004-x64    1
ICQRT.dll                 windows7-x64          3
ICQRT.dll                 windows10-2004-x64    3
Language/WinRar.exe       windows7-x64          1
Language/WinRar.exe       windows10-2004-x64    1
LiteRes.dll               windows7-x64          1
LiteRes.dll               windows10-2004-x64    1
LiteSkinUtils.dll         windows7-x64          1
LiteSkinUtils.dll         windows10-2004-x64    3
Resource/L...me.dll       windows7-x64          1
Resource/L...me.dll       windows10-2004-x64    1
Resource/L...UI.dll       windows7-x64          1
Resource/L...UI.dll       windows10-2004-x64    1
Resource/L...op.dll       windows7-x64          1
Resource/L...op.dll       windows10-2004-x64    1
Resource/L...to.dll       windows7-x64          1
Resource/L...to.dll       windows10-2004-x64    1
Resource/L...op.dll       windows7-x64          1
Resource/L...op.dll       windows10-2004-x64    1
Resource/opengl64.dll     windows7-x64          1
Resource/opengl64.dll     windows10-2004-x64    1
setup.exe                 windows7-x64          10
setup.exe                 windows10-2004-x64    10

General
Target:  file_release_v3.rar
Size:    18.1MB
Sample:  240214-y86yxaba8v
MD5:     75a69b670035a31d71932807e9ef0414
SHA1:    415a1f92b30a8b66a7e7a873be0c4fc30e4810bb
SHA256:  2cdda26cc29f1ab91873bf2de8af2627aa7fa73002cb490f2f1ab73ff824ebf8
SHA512:  758465ebdc88605380bade69eaeea9371518201eeb60e8c6f2eb56b28032ee143b42b37058c6ab533295dceee83c761389c5e951f8164172f0438ec3f6d2d084
SSDEEP:  196608:RJIHDUJpH26uvpcO/gFnVpVd9yql3BF8LHhi071vnZyhklq8vagCGMFk31XOqUc+:LgwJpHzuvp7gpVPd32T+klAg0Od3hS
Behavioral tasks (task: sample, analysis image)
behavioral1:   ICQLiteShell.dll  (win7-20231215-en)
behavioral2:   ICQLiteShell.dll  (win10v2004-20231222-en)
behavioral3:   ICQRT.dll  (win7-20231129-en)
behavioral4:   ICQRT.dll  (win10v2004-20231222-en)
behavioral5:   Language/WinRar.exe  (win7-20231129-en)
behavioral6:   Language/WinRar.exe  (win10v2004-20231215-en)
behavioral7:   LiteRes.dll  (win7-20231215-en)
behavioral8:   LiteRes.dll  (win10v2004-20231215-en)
behavioral9:   LiteSkinUtils.dll  (win7-20231215-en)
behavioral10:  LiteSkinUtils.dll  (win10v2004-20231215-en)
behavioral11:  Resource/Locals/x64/AdonisUI.ClassicTheme.dll  (win7-20231215-en)
behavioral12:  Resource/Locals/x64/AdonisUI.ClassicTheme.dll  (win10v2004-20231215-en)
behavioral13:  Resource/Locals/x64/AdonisUI.dll  (win7-20231129-en)
behavioral14:  Resource/Locals/x64/AdonisUI.dll  (win10v2004-20231222-en)
behavioral15:  Resource/Locals/x64/SQLite.Interop.dll  (win7-20231215-en)
behavioral16:  Resource/Locals/x64/SQLite.Interop.dll  (win10v2004-20231222-en)
behavioral17:  Resource/Locals/x86/BouncyCastle.Crypto.dll  (win7-20231215-en)
behavioral18:  Resource/Locals/x86/BouncyCastle.Crypto.dll  (win10v2004-20231215-en)
behavioral19:  Resource/Locals/x86/SQLite.Interop.dll  (win7-20231215-en)
behavioral20:  Resource/Locals/x86/SQLite.Interop.dll  (win10v2004-20231215-en)
behavioral21:  Resource/opengl64.dll  (win7-20231215-en)
behavioral22:  Resource/opengl64.dll  (win10v2004-20231215-en)
Malware Config (extracted)

smokeloader (pub3)

stealc
  C2:        http://185.172.128.24
  url_path:  /f993692117a3fda2.php

smokeloader (2022)
  C2:
    http://sjyey.com/tmp/index.php
    http://babonwo.ru/tmp/index.php
    http://mth.com.ua/tmp/index.php
    http://piratia.pw/tmp/index.php
    http://go-piratia.ru/tmp/index.php

risepro
  C2:
    193.233.132.49:50500
    193.233.132.67:50500
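The extracted configs above are the part of this report that turns into detection. The following is an added example, not part of the report or of the sandbox's own tooling: it indexes the smokeloader, stealc and risepro indicators exactly as listed and matches them against log lines. The two line formats (a proxy line with method and URL, a flow line with "->" and destination ip:port) and the log lines themselves are constructed for the demo. A full URL or ip:port match is reported as "exact"; a hit on the host or IP alone (a different path or port) is reported as "host", because that is weaker evidence and the same host may serve unrelated content.

```python
from urllib.parse import urlsplit

# Indicators copied from the 'Malware Config' section of this report.
SMOKELOADER_C2 = [
    "http://sjyey.com/tmp/index.php",
    "http://babonwo.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php",
    "http://piratia.pw/tmp/index.php",
    "http://go-piratia.ru/tmp/index.php",
]
STEALC_C2 = "http://185.172.128.24"
STEALC_URL_PATH = "/f993692117a3fda2.php"
RISEPRO_C2 = ["193.233.132.49:50500", "193.233.132.67:50500"]


def build_iocs():
    """Index the indicators for constant-time lookup.

    Returns (host, path) -> family, host -> family, "ip:port" -> family and
    ip -> family, so both exact and host-only matches are cheap.
    """
    url_iocs = {}
    for url in SMOKELOADER_C2:
        parts = urlsplit(url)
        url_iocs[(parts.hostname, parts.path)] = "smokeloader"
    url_iocs[(urlsplit(STEALC_C2).hostname, STEALC_URL_PATH)] = "stealc"
    host_iocs = {host: fam for (host, _), fam in url_iocs.items()}
    socket_iocs = {sock: "risepro" for sock in RISEPRO_C2}
    ip_iocs = {sock.rsplit(":", 1)[0]: fam for sock, fam in socket_iocs.items()}
    return url_iocs, host_iocs, socket_iocs, ip_iocs


def match_line(line, iocs):
    """Classify one log line; returns a hit dict or None.

    Constructed formats assumed by this demo:
      proxy: "<ts> <client> <METHOD> <url> <status>"
      flow:  "<ts> <client> -> <dst_ip>:<dst_port> <proto>"
    """
    url_iocs, host_iocs, socket_iocs, ip_iocs = iocs
    fields = line.split()
    if len(fields) >= 4 and fields[2] in ("GET", "POST"):
        parts = urlsplit(fields[3])
        key = (parts.hostname, parts.path)
        if key in url_iocs:
            return {"family": url_iocs[key], "indicator": fields[3], "confidence": "exact"}
        if parts.hostname in host_iocs:
            return {"family": host_iocs[parts.hostname], "indicator": parts.hostname,
                    "confidence": "host"}
    elif len(fields) >= 4 and fields[2] == "->":
        dst = fields[3]
        if dst in socket_iocs:
            return {"family": socket_iocs[dst], "indicator": dst, "confidence": "exact"}
        ip = dst.rsplit(":", 1)[0]
        if ip in ip_iocs:
            return {"family": ip_iocs[ip], "indicator": ip, "confidence": "host"}
    return None


def scan_log(text):
    """Run match_line over every non-empty line and return the hits in order."""
    iocs = build_iocs()
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        hit = match_line(line, iocs)
        if hit:
            hit["line"] = lineno
            hits.append(hit)
    return hits


# Constructed sample log (not from the report) that exercises every rule path.
SAMPLE_LOG = """\
2024-02-14T10:01:02Z 10.0.0.15 GET http://sjyey.com/tmp/index.php 200
2024-02-14T10:01:05Z 10.0.0.15 POST http://185.172.128.24/f993692117a3fda2.php 200
2024-02-14T10:01:07Z 10.0.0.15 -> 193.233.132.67:50500 tcp
2024-02-14T10:01:09Z 10.0.0.22 GET http://example.com/tmp/index.php 200
2024-02-14T10:01:11Z 10.0.0.15 GET http://piratia.pw/static/logo.png 404
2024-02-14T10:01:13Z 10.0.0.31 -> 193.233.132.49:443 tcp
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it as a script to see the five hits from the constructed log; the fourth line (a /tmp/index.php path on an unrelated host) correctly produces nothing, since the smokeloader path on its own is far too generic to match on.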
Targets

Target:  ICQLiteShell.dll
Size:    56KB
MD5:     05e61539b8917fca37c03756bbdd043d
SHA1:    5a72e0e528260de0ea5b34badb9e5f9873cb4245
SHA256:  515c8e0b93f0fef15da3e2573ad92b7e7840374140e65e5d73df63d8e22cb3e8
SHA512:  565d57783e6044d6e7e2026c79dbd897e637c5e1d96e7930dc704ef2b6d801669b38f0c26382f00e67e26668439274941e937a0ade54666de50b5d84f6da7e97
SSDEEP:  768:YEGJ9blT7XZBSbHwJU+tGR0KZUyGKZ0ZgwmF1+3UVambg:YEGJ9bln5o0KZjGKZ0Z1mF1+3UVayg
Score:   1/10

Target:  ICQRT.dll
Size:    32KB
MD5:     1aedcb8994d6ad63ef9dcb87016e028f
SHA1:    f5b891aa15c6353b681bdb7e2d96c6ac8a5f02d7
SHA256:  53e1f40144bab532f9700ff25ec3d5c6a39784a98e17fada583b4ee6d9dd5dbc
SHA512:  89c0f408797c4d78afc52335a9e162345c614e1e419f55487cb358c14f7a69ec82138a7e6250be3133233386ba3659d241e80ab63c9b972b6c8b26b0424cb0c8
SSDEEP:  384:+qtTeds1tkMAp4TxCW9su5UcSu93ggoXUQQIPGEANHl:FTedukelF95RjQUUPpANHl
Score:   3/10

Target:  Language/WinRar.exe
Size:    3.2MB
MD5:     b66dec691784f00061bc43e62030c343
SHA1:    779d947d41efafc2995878e56e213411de8fb4cf
SHA256:  26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370
SHA512:  6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3
SSDEEP:  98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8
Score:   1/10

Target:  LiteRes.dll
Size:    735KB
MD5:     88962410244bc5c03482b82a7e3cb5e1
SHA1:    4622be2d3deda305bf0a16c0e01bc2ecf9d56fad
SHA256:  afa884228afc5c05f4b47e90b6de42854d5a8886ec5ed15a253faeccd5309036
SHA512:  c6e7667f91c1439e33ad4d9e2052b7c9fcc3ca2c7688d9e2bc0550b71a5762b76aa76427331df0217429d9bd984925997c7a8d009f25e44e2776c5ce7cc9d98c
SSDEEP:  6144:x9Ej/jb82/HRoXO1q2pt+Mc1/PDPicsUzM+gYESoE/wOuET8F62bH5vnGfcJvl+b:fqptG/PDPo0no2Iq8F6CHBTWqU
Score:   1/10

Target:  LiteSkinUtils.dll
Size:    48KB
MD5:     059d94e8944eca4056e92d60f7044f14
SHA1:    46a491abbbb434b6a1a2a1b1a793d24acd1d6c4b
SHA256:  9fa7cacb5730faacc2b17d735c45ee1370130d863c3366d08ec013afe648bfa6
SHA512:  0f45fe8d5e80a8fabf9a1fd2a3f69b2c4ebb19f5ffdcfec6d17670f5577d5855378023a91988e0855c4bd85c9b2cc80375c3a0acb1d7a701aff32e9e78347902
SSDEEP:  768:FPGeoWyuTx6vrP/zAdWQS6Z9CSKh64crVKTl9inMUAK:tGeJxIHepSKzjVK9iMUAK
Score:   3/10

Target:  Resource/Locals/x64/AdonisUI.ClassicTheme.dll
Size:    287KB
MD5:     8a1b183bca062f48402c74f2daba7b92
SHA1:    d9417bf78b3b37d668c08e67f3c0f21dbc6dc11e
SHA256:  8103f2cce6a864ceefe6c5b0c05087ac85ab04a2abf150e93bc9db90c54d9d20
SHA512:  0f5120fa9ed24d2a49b82cdc62113302002ccc5e1cf389cc28830f36b2915f876bdf77094fa6dfa312fc01b6f482465297fa734509511fa7e72285569ce57e87
SSDEEP:  6144:aMNTja9KIKf5RCs1ussMKlzI5iJQn9gu5DPOvObo:5Za9KIjs1ussMKlzI5lo
Score:   1/10

Target:  Resource/Locals/x64/AdonisUI.dll
Size:    164KB
MD5:     3d4c8b6aad28ec574e56ccda22b34ef3
SHA1:    bc22ac7097e597fba3d7367b2fd5c61adff28941
SHA256:  db46b6106dc1b30041ce3f287ded91166895ff3f1928250fc79dd46c444b1e45
SHA512:  fc56241e65dc7bcc678a2af92f79bda017ceb3f7c4f203c7e9ce753d573da868608a6f56545c0d181a625737278b7b73223e5dcce85bf1f3c5b7b1b06e5c5739
SSDEEP:  3072:fuZPAdWKbu3355s555GPQKljrKxX0yAbTxin1YzqHf0llbS1sjZ73h39Iwj:GydWDrKxG3h39Iw
Score:   1/10

Target:  Resource/Locals/x64/SQLite.Interop.dll
Size:    1.7MB
MD5:     56a504a34d2cfbfc7eaa2b68e34af8ad
SHA1:    426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA256:  9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512:  170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7
SSDEEP:  24576:YPUxmkgSxPgobZPRjZ22H6edtOZzWySRO3mlE0i/Yl5P+qF+8k+ao/si6:8UxXPgo8e6WYBSJZSS5P97I
Score:   1/10

Target:  Resource/Locals/x86/BouncyCastle.Crypto.dll
Size:    3.2MB
MD5:     0cf454b6ed4d9e46bc40306421e4b800
SHA1:    9611aa929d35cbd86b87e40b628f60d5177d2411
SHA256:  e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42
SHA512:  85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048
SSDEEP:  49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
Score:   1/10

Target:  Resource/Locals/x86/SQLite.Interop.dll
Size:    1.3MB
MD5:     8be215abf1f36aa3d23555a671e7e3be
SHA1:    547d59580b7843f90aaca238012a8a0c886330e6
SHA256:  83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA512:  38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
SSDEEP:  24576:eiDAYMz2epP8AEXn8z7qsyb8c+gntHKuvKtBLtTvD0nsrFSK96fYlYyv:1AYMza36enEuyjpTV96A2yv
Score:   1/10

Target:  Resource/opengl64.dll
Size:    145.8MB
MD5:     71466589eb444bbf272c0f5c920c57f0
SHA1:    4fcace49ee032779d3bf7b8e03c6a9f29ed871ba
SHA256:  e7d625cf255360b0ea96a52ca990be6f1cef522ff7440393e45b12793ac88031
SHA512:  eff62450cf03d72af2594d750a70b008226fa2e46216661716287639bf5e1ff1303076fdaf4f062ca4098ef10a8e29502de55ecb3a6e04753aad7fcad01e3352
SSDEEP:  48:0ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZY:n
Score:   1/10
Note: the SSDEEP digest is one repeated chunk symbol, i.e. the file content is almost entirely the same byte pattern. A 145.8MB file named opengl64.dll whose content is uniform filler is consistent with size inflation, which keeps a file above the size limits of many scanners and upload portals; the hashes above are of the padded file as submitted, so they will not match the same payload padded to a different length.
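Padded files are common in archives like this one (opengl64.dll at 145.8MB with a single-symbol SSDEEP, setup.exe at 728.0MB). The following is an added example, not part of the report or of the sandbox's tooling: it measures trailing zero padding, counts how many distinct fixed-size chunks a file has (the property a degenerate SSDEEP digest reflects), and hashes the content with the padding removed so it can be compared against feeds that index the unpadded payload. The input is a constructed byte string standing in for a padded binary, not one of the report's files; the 50% threshold is an assumption for the demo.

```python
import hashlib


def make_padded_sample(real_size=4096, pad_size=200_000):
    """Constructed stand-in for a padded binary: a small non-zero body
    followed by a long run of 0x00. Not one of the files from the report."""
    body = (b"MZ" + bytes(range(256)) * 16)[:real_size]
    return body + b"\x00" * pad_size


def chunk_uniqueness(data, chunk=4096):
    """Count distinct fixed-size chunks. A file whose chunks are almost all
    identical is what a one-symbol SSDEEP digest (like opengl64.dll's) shows."""
    digests = set()
    total = 0
    for i in range(0, len(data), chunk):
        digests.add(hashlib.blake2b(data[i:i + chunk], digest_size=8).digest())
        total += 1
    return len(digests), total


def padding_report(data, min_fraction=0.5):
    """Measure trailing zero padding and hash the content with it removed.

    min_fraction (assumed 0.5 here) is the share of the file that must be
    trailing padding before it is flagged as inflated.
    """
    stripped = data.rstrip(b"\x00")
    pad = len(data) - len(stripped)
    fraction = pad / len(data) if data else 0.0
    unique, total = chunk_uniqueness(data)
    return {
        "size": len(data),
        "trailing_null_bytes": pad,
        "padding_fraction": round(fraction, 3),
        "unique_chunks": unique,
        "total_chunks": total,
        "padded": fraction >= min_fraction,
        "sha256_as_submitted": hashlib.sha256(data).hexdigest(),
        "sha256_stripped": hashlib.sha256(stripped).hexdigest(),
    }


if __name__ == "__main__":
    sample = make_padded_sample()
    for key, value in padding_report(sample).items():
        print(f"{key}: {value}")
```

Only trailing 0x00 runs are stripped here; padding inserted inside a section, or filler made of a non-zero byte, shows up in the chunk count but not in the stripped hash, so treat the chunk ratio as the primary signal and the stripped hash as a convenience for lookup.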
Target:  setup.exe
Size:    728.0MB
MD5:     3efb89902601a691f786ab8c89b6ce12
SHA1:    2c9b7cea478947d7e8dbfadb28a2d2235555c767
SHA256:  bd109daf662c8d83ad1014c0a30c56d8810a8e7dea6b6d7fa770101e0bec578d
SHA512:  c5bab4ebd21fdd421b5d1a6de5f564f650cd4a0dd91082219c7e86eddc101c589e3c5510ab4b6ff07689cba7e070308049bf9af0f10aa5bb617623f24e53bd4a
SSDEEP:  98304:D7Rny4bP23Bv0oO+IkcpyM7Pby/mdTsuYhZQ6mc+Yt/3VYXc6nNN9GlRC333:/z2RMHN57uQTQ3QnQVf5
Score:   10/10

Signatures (setup.exe):
- Detect ZGRat V1
- Glupteba payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
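Several of the signatures above are registry reads and writes, and on their own most of them are ordinary (installers enumerate the Uninstall key, the shell reads the configured country). What makes them worth an alert is the combination within one process. The following is an added example, not the sandbox's rule set and not code from the report: it maps six of the listed signatures to the standard Windows registry locations behind them, normalises Sysmon-style HKU\<SID> paths onto HKCU, and judges each process on the mix of categories it hit. The event records are constructed for the demo, with an assumed schema of pid, image, op (query or set) and path. One caveat is built into the sample: "query" events require an API-hooking sandbox or an EDR that traces reads, since Sysmon only records registry writes (Event IDs 12/13), so the read-based checks are not something a Sysmon-only pipeline can see.

```python
import re
from collections import defaultdict

# Registry locations behind several of the report's signatures. The key paths
# are standard Windows locations; the signature-to-path mapping and the
# category labels are this example's own, not the sandbox's rule set.
RULES = [
    # (signature name, category, operation, path regex)
    ("Checks BIOS information in registry", "evasion", "query",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\"),
    ("Identifies VirtualBox via ACPI registry values", "evasion", "query",
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks computer location settings", "evasion", "query",
     r"^HKCU\\Control Panel\\International\\Geo\\Nation$"),
    ("Checks installed software on the system", "recon", "query",
     r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\"),
    ("Adds Run key to start application", "persistence", "set",
     r"^HK(CU|LM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"),
    ("Modifies Windows Firewall", "impact", "set",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"),
]
COMPILED = [(sig, cat, op, re.compile(rx, re.IGNORECASE)) for sig, cat, op, rx in RULES]


def normalize_path(path):
    """Map long hive names and per-user HKU\\<SID> prefixes (as Sysmon logs
    them) onto HKLM/HKCU so a single rule covers both event sources."""
    path = path.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    return re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", r"HKCU\\", path, flags=re.IGNORECASE)


def evaluate(events):
    """Match every event, then judge each process on the combination of hits.

    A process is 'suspicious' only when reconnaissance or sandbox-evasion
    reads are paired with a persistence or defence-impact write; two or more
    evasion reads without a write are flagged for 'review'; anything less is
    treated as benign.
    """
    per_proc = defaultdict(lambda: {"image": None, "signatures": set(), "categories": set()})
    for ev in events:
        path = normalize_path(ev["path"])
        for sig, cat, op, rx in COMPILED:
            if ev["op"] == op and rx.match(path):
                rec = per_proc[ev["pid"]]
                rec["image"] = ev["image"]
                rec["signatures"].add(sig)
                rec["categories"].add(cat)
    verdicts = {}
    for pid, rec in per_proc.items():
        cats = rec["categories"]
        if cats & {"evasion", "recon"} and cats & {"persistence", "impact"}:
            verdict = "suspicious"
        elif "evasion" in cats and len(rec["signatures"]) >= 2:
            verdict = "review"
        else:
            verdict = "benign"
        verdicts[pid] = {"image": rec["image"], "verdict": verdict,
                         "signatures": sorted(rec["signatures"])}
    return verdicts


# Constructed registry trace (not from the report). 'query' events need an
# API-hooking sandbox or EDR: Sysmon only records writes (Event IDs 12/13).
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SETUP = r"C:\Users\user\AppData\Local\Temp\setup.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": SETUP, "op": "query",
     "path": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"pid": 4120, "image": SETUP, "op": "query", "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 4120, "image": SETUP, "op": "query",
     "path": USER_HIVE + r"\Control Panel\International\Geo\Nation"},
    {"pid": 4120, "image": SETUP, "op": "query",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 4120, "image": SETUP, "op": "set",
     "path": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"pid": 4120, "image": SETUP, "op": "set",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    # Benign look-alikes: a file manager enumerating installed software and
    # the shell reading the configured country.
    {"pid": 5008, "image": r"C:\Program Files\7-Zip\7zFM.exe", "op": "query",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 1234, "image": r"C:\Windows\explorer.exe", "op": "query",
     "path": USER_HIVE + r"\Control Panel\International\Geo\Nation"},
]

if __name__ == "__main__":
    for pid, res in evaluate(SAMPLE_EVENTS).items():
        print(pid, res["verdict"], res["image"], res["signatures"])
```

The "Checks for any installed AV software in registry" signature is left out deliberately: it depends on a vendor key list that is not on this page, and adding one would be guesswork. Extend RULES with the keys your own environment considers meaningful rather than copying a generic list.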
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)
- Subvert Trust Controls (1): Install Root Certificate (1)
- Virtualization/Sandbox Evasion (1)