General
-
Target
7159c4581077ad7284ade1d4236127150fd08cc7ece7692a86673092eb64416f
-
Size
169KB
-
Sample
240313-fjcdwsdb9s
-
MD5
76e09f2bf60bedfc3379c34464a6b038
-
SHA1
b0c0d1c7bb55dd36e6e410ba75fe0576c7ba1f8f
-
SHA256
7159c4581077ad7284ade1d4236127150fd08cc7ece7692a86673092eb64416f
-
SHA512
f7c3f903772cf8fe35b846de4876e0fc5349a7f4bd3f60f8bffe417763d1e977f97bc4aab15e31515240eb9b9f0b5d60848d9cc2e993c653dfb451a82ce02ffd
-
SSDEEP
1536:DDFtleMOvunw7uvP6M5PD08CxU+z5uJicewN4d24/t/6B07lYf1hjbkWC0xB/Bo+:0MO5uVBA8Cy+yL+W6sjgWC0xBD
Static task
static1
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
stealc
http://185.172.128.145
-
url_path
/3cd2b41cbde8fc9c.php
Extracted
lumma
https://colorfulequalugliess.shop/api
https://relevantvoicelesskw.shop/api
https://associationokeo.shop/api
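The four extracted configurations above give the network indicators that matter for hunting: Smokeloader and Lumma list full C2 URLs, while Amadey and Stealc report a base URL and a path separately and have to be joined. The following script is an added example and not part of the sandbox report: it flattens the configs into host and URL lookups, then scans proxy log lines for contact with any C2. The log format (timestamp, source IP, method, URL, status) and the log lines themselves are constructed for the example; the URLs, IPs and paths are the ones on the page.

```python
"""Added example (not from the sandbox report): flatten the extracted
malware configs into an IOC set and match them against proxy log lines."""
from urllib.parse import urlparse

# C2 configuration as extracted on the report page.
CONFIGS = {
    "smokeloader": [
        "http://selebration17io.io/index.php",
        "http://vacantion18ffeu.cc/index.php",
        "http://valarioulinity1.net/index.php",
        "http://buriatiarutuhuob.net/index.php",
        "http://cassiosssionunu.me/index.php",
        "http://sulugilioiu19.net/index.php",
        "http://goodfooggooftool.net/index.php",
    ],
    # Amadey and Stealc report base URL and path separately; join them.
    "amadey": ["http://185.215.113.32" + "/yandex/index.php"],
    "stealc": ["http://185.172.128.145" + "/3cd2b41cbde8fc9c.php"],
    "lumma": [
        "https://colorfulequalugliess.shop/api",
        "https://relevantvoicelesskw.shop/api",
        "https://associationokeo.shop/api",
    ],
}


def build_iocs(configs=CONFIGS):
    """Return two lookups: host -> family, and (host, path) -> family."""
    hosts, urls = {}, {}
    for family, url_list in configs.items():
        for url in url_list:
            p = urlparse(url)
            host = p.hostname.lower()
            hosts[host] = family
            urls[(host, p.path)] = family
    return hosts, urls


# Constructed proxy log: "<timestamp> <src_ip> <method> <url> <status>".
# These lines are made up for the example; they are not sandbox output.
SAMPLE_LOG = """\
2024-03-13T14:02:11Z 10.0.0.15 POST http://185.215.113.32/yandex/index.php 200
2024-03-13T14:02:12Z 10.0.0.15 GET http://www.example.com/index.php 200
2024-03-13T14:02:40Z 10.0.0.15 POST http://goodfooggooftool.net/index.php 404
2024-03-13T14:03:01Z 10.0.0.22 GET https://ASSOCIATIONOKEO.shop/api 200
2024-03-13T14:03:05Z 10.0.0.22 GET http://185.172.128.145/other.php 200
"""


def scan_log(text, configs=CONFIGS):
    """Flag every line whose host is a known C2.

    A host-only match is still reported (exact_url=False): loaders rotate
    paths, and a 404 from a C2 is still a beacon.  Hostname comparison is
    case-insensitive.
    """
    hosts, urls = build_iocs(configs)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, method, url = parts[:4]
        p = urlparse(url)
        host = (p.hostname or "").lower()
        if host not in hosts:
            continue
        hits.append({
            "ts": ts, "src": src, "method": method, "host": host,
            "family": hosts[host], "exact_url": (host, p.path) in urls,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on the host rather than the full URL is deliberate: the Stealc line above uses a different path than the configured one and would be missed by an exact-URL block list, yet any traffic to that IP is worth a ticket.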
Targets
-
-
Target
7159c4581077ad7284ade1d4236127150fd08cc7ece7692a86673092eb64416f
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.
-
Detect ZGRat V1
-
Pitou
Pitou.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandboxing environment, so malware checks for its registry keys.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
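The "Writes to the Master Boot Record (MBR)" signature is the one in this list that persists below the operating system, and the practical response is to compare the disk's first sector against a known-good baseline. The following is an added example, not code from the sandbox or the sample: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot-code region and reports deviations from a baseline. Both sectors are constructed for the example; the boot-code bytes and partition layout are placeholders, not the sample's output.

```python
"""Added example (not from the sandbox report): MBR baseline check for the
'Writes to the Master Boot Record (MBR)' signature."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code, the region a bootkit overwrites
TABLE_OFF = 446              # bytes 446..509: four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"       # bytes 510..511


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + table + BOOT_SIG


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, a hash of the boot code and the partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


# Constructed known-good sector: placeholder boot code and one active
# NTFS-type (0x07) partition starting at LBA 2048.  Not real disk data.
CLEAN_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100,
                      [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # record this at install time

# Constructed tampered sector: partition table and signature untouched, boot
# code replaced, which is the shape of a bootkit install.
TAMPERED_MBR = (b"\xEB\xFE" + b"\x00" * (BOOT_CODE_LEN - 2)) + CLEAN_MBR[BOOT_CODE_LEN:]

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a live host the sector comes from reading the first 512 bytes of the raw device (`\\.\PhysicalDrive0` on Windows with administrator rights, `/dev/sda` or similar on Linux as root); that read is left out of the block so it runs offline. The check only catches what it compares: a bootkit that also rewrites the partition table will still trip the boot-code hash, but the baseline must be taken from a machine known to be clean, ideally at imaging time.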
MITRE ATT&CK Enterprise v15 (number of matching behaviours in parentheses)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  Modify Registry (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Virtualization/Sandbox Evasion (2)
Credential Access
  Unsecured Credentials (5)
    Credentials In Files (4)
    Credentials in Registry (1)