General
Target: 12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a.zip
Size: 6.5MB
Sample: 240402-ma7a8sef2w
MD5: 2859d41b6ff2538f7a1363425f886677
SHA1: 259ec262b345d4c23e833677018fe29655c7c33f
SHA256: 2c4506464a65a5997889d5cf8aa9c5ad1802cd9c8e24f560d014b5f18446c95e
SHA512: 321640e4008391bbe7d7f9aca1125964be583773b29a3253890774fd3e249fea2d5ad1ee86f7b324db48eaab1769e16e9925dfc09bfcdcc814c412139a584c1a
SSDEEP: 196608:GZVdwZ4BVXMwmG2kZwFmC0umuuhQs32F3:0dwKDXMwbZ4m5DhQr
Static task: static1
Behavioral task: behavioral1
  Sample: 12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted: smokeloader
  up3
Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Extracted: socks5systemz
  51.159.66.125
  217.23.6.51
  151.80.38.159
  217.23.9.168
  37.187.122.227
  http://datasheet.fun/manual/avon_3_2022.pdf?%.8x
  rc4_key: heyfg645fdhwi
Targets
Target: 12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a.exe
Size: 7.3MB
MD5: 91fcc906d24350286fc38d756bdacbfc
SHA1: b96e73c04be4d15ed18e2e7811b951554cf57e7b
SHA256: 12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a
SHA512: b6cbca675648d967620e4d133345445a070896d2adebd44f58d9ad7f012db5bac0223d2304e86818bc9096e6c72087241c3917efed273d44809a7a1276787b3e
SSDEEP: 196608:tH/rieS1u4+zl+k7GJWhlTC7BUQ4qye9tkvQ2y3w3W9uWD:tDiFk4+zhLOBB4qT9tk6EW9
- Detect Socks5Systemz Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- XMRig Miner payload
- Drops file in Drivers directory
- Stops running service(s)
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)