General
- Target: 270d3f441e678ec516527bf25c20023d.exe
- Size: 261KB
- Sample: 240228-cbbwlsgf23
- MD5: 270d3f441e678ec516527bf25c20023d
- SHA1: 4664604103288d56244609208fd8de851a5599a0
- SHA256: d6567cc8e6b82d69347065de9fa8c7d2441ee63185ac52fe0e5e4bc6b2642910
- SHA512: b534d84edfd01c4e926b65ba0ddc6604954ef025a012ef6ae1c33e54ee912fcc9f206fd1b4f82247be2938c38716ee13f643d40da4a18290097d9459532cb8c1
- SSDEEP: 3072:rHYuRgCFBQh1Sjw67WXFsFk3zXnE20P+UX/Ig5JiT+yx:DFw1SjBWVsGz3E/+QQAiT
- Static task: static1
- Behavioral task: behavioral1
- Sample: 270d3f441e678ec516527bf25c20023d.exe
- Resource: win7-20240221-en
Malware Config
Extracted: smokeloader
- 2022
- http://selebration17io.io/index.php
- http://vacantion18ffeu.cc/index.php
- http://valarioulinity1.net/index.php
- http://buriatiarutuhuob.net/index.php
- http://cassiosssionunu.me/index.php
- http://sulugilioiu19.net/index.php
- http://goodfooggooftool.net/index.php
- http://kamsmad.com/tmp/index.php
- http://souzhensil.ru/tmp/index.php
- http://teplokub.com.ua/tmp/index.php
Extracted: smokeloader
- pub1
Extracted
- Protocol: ftp - Host: houseoffunk.net - Port: 21 - Username: [email protected] - Password: brynna123
Extracted
- Protocol: ftp - Host: houseoffunk.net - Port: 21 - Username: brynna123 - Password: brynna123
Extracted
- Protocol: ftp - Host: pacificode.co - Port: 21 - Username: [email protected] - Password: 8000/register
Extracted
- Protocol: ftp - Host: houseoffunk.net - Port: 21 - Username: admin - Password: brynna123
Extracted: lumma
- https://resergvearyinitiani.shop/api
- https://technologyenterdo.shop/api
- https://detectordiscusser.shop/api
- https://turkeyunlikelyofw.shop/api
- https://associationokeo.shop/api
Targets
- Target: 270d3f441e678ec516527bf25c20023d.exe
- Glupteba payload
- Creates new service(s)
- Downloads MZ/PE file
- Modifies Windows Firewall
- Stops running service(s)
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Modifies boot configuration data using bcdedit
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)