General

- Target: 9eabf4c63eb61d6f57d39f04f1cef92117318a04731b8f61f6139d1600d092fd
- Size: 251KB
- Sample: 240215-1vzzjsad86
- MD5: 83fc58bf7eeea13c8750e29db4859609
- SHA1: c7bcdc80a1aa469f5d41215bdfa60a0437645936
- SHA256: 9eabf4c63eb61d6f57d39f04f1cef92117318a04731b8f61f6139d1600d092fd
- SHA512: c0b9ed5d9b21ccdf915c20e6319dff7698e9ef5b705166f1a8696adad86ac58f0c09cf4b186d07a96d38f221ee5a7b5e0eb6102ff6a226b0457dc521f6c0dddf
- SSDEEP: 3072:NBQWCIDLD4XfZehN+5EmJi6nt+xVby3PVPKUXQZM/YfwbG6nSRIRETsFTWmBYBXs:NhbLDK2Ny5Ey/VKUOMQoBnGQWmWBj2
Static task: static1

Behavioral task: behavioral1
- Sample: 9eabf4c63eb61d6f57d39f04f1cef92117318a04731b8f61f6139d1600d092fd.exe
- Resource: win7-20231215-en
Malware Config

Extracted: smokeloader (version pub2)

Extracted: smokeloader (version 2022)
- C2: http://gxutc2c.com/tmp/index.php
- C2: http://proekt8.ru/tmp/index.php
- C2: http://mth.com.ua/tmp/index.php
- C2: http://pirateking.online/tmp/index.php
- C2: http://piratia.pw/tmp/index.php
- C2: http://go-piratia.ru/tmp/index.php

Extracted: amadey (version 4.14)
- C2: http://anfesq.com
- C2: http://cbinr.com
- C2: http://rimakc.ru
- install_dir: 68fd3d7ade
- install_file: Utsysc.exe
- strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
- url_paths: /forum/index.php
Targets

- Target: 9eabf4c63eb61d6f57d39f04f1cef92117318a04731b8f61f6139d1600d092fd
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext