General
- Target: setup.exe
- Size: 737.0MB
- Sample: 240226-wryj4adb2s
- MD5: a1490571ff3bd0e096afb0d9f09de8d2
- SHA1: f6b5e986daf241bd9c618a3a35ef16366d7ef3a2
- SHA256: 6d7249aa6746504e63224ab19abb7f1d640c808930c5ee76bcc15aad80576ec7
- SHA512: 7c21b0a0c49c1547ab6e93ab55c253a87ce647b7c92e06f4ee52f31a799368d407969d8ab931960a7ef8dc410d0d350fbd27dacf016a841786e9908a72436f6c
- SSDEEP: 98304:FtyKqBPFisfaRlGMYuxUJLG6i19lsQffnbXy22ue:2KUPFraOMALC9lsQHzr2n
Static task: static1
Malware Config
- Extracted: risepro
  193.233.132.67:50500
  193.233.132.62
- Extracted: smokeloader
  pub3
- Extracted: tofsee
  vanaheim.cn
  jotunheim.name
- Extracted: smokeloader (2022)
Targets
- Target: setup.exe
- Detect ZGRat V1
- Glupteba payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Creates new service(s)
- Downloads MZ/PE file
- Modifies Windows Firewall
- Stops running service(s)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Unexpected DNS network traffic destination: Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
- Persistence
  - Create or Modify System Process (3)
    - Windows Service (3)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Create or Modify System Process (3)
    - Windows Service (3)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Impair Defenses (2)
    - Disable or Modify System Firewall (1)
  - Virtualization/Sandbox Evasion (1)