General
-
Target
c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe
-
Size
4.1MB
-
Sample
240312-dn1wyagf54
-
MD5
723ae6ee64497f45e3eb194dc928489c
-
SHA1
9e6e4e5816ee069e0d18bcb132d176df9949d165
-
SHA256
c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
-
SHA512
488accf660b9541f37bf6fc38ad479347a985be42bb765ea3fce0005f28f5ee42b3fa356a077df2836b07a2344d567a9f3b79289129b3a2ba80cc1241ebb180c
-
SSDEEP
49152:36glmRKCncrCQV+8bjrajELExlb0zuFHQLNJYZI06m94H:nOOLSx9+UY
Static task
static1
Behavioral task
behavioral1
Sample
c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
stealc
http://185.172.128.145
-
url_path
/3cd2b41cbde8fc9c.php
Extracted
lumma
https://wisemassiveharmonious.shop/api
https://colorfulequalugliess.shop/api
https://resergvearyinitiani.shop/api
https://relevantvoicelesskw.shop/api
https://associationokeo.shop/api
Extracted
socks5systemz
http://csvpbch.net/search/?q=67e28dd83d5cf57a4406a9177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f571ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608fff13c1ec95923f
Targets
-
-
Target
c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe
-
Size
4.1MB
-
MD5
723ae6ee64497f45e3eb194dc928489c
-
SHA1
9e6e4e5816ee069e0d18bcb132d176df9949d165
-
SHA256
c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
-
SHA512
488accf660b9541f37bf6fc38ad479347a985be42bb765ea3fce0005f28f5ee42b3fa356a077df2836b07a2344d567a9f3b79289129b3a2ba80cc1241ebb180c
-
SSDEEP
49152:36glmRKCncrCQV+8bjrajELExlb0zuFHQLNJYZI06m94H:nOOLSx9+UY
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Socks5Systemz Payload
-
Glupteba payload
-
Detect binaries embedding considerable number of MFA browser extension IDs.
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables (downlaoders) containing URLs to raw contents of a paste
-
Detects executables Discord URL observed in first stage droppers
-
Detects executables containing URLs to raw contents of a Github gist
-
Detects executables containing artifacts associated with disabling Widnows Defender
-
Detects executables packed with VMProtect.
-
Detects executables referencing many varying, potentially fake Windows User-Agents
-
UPX dump on OEP (original entry point)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies boot configuration data using bcdedit
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1