General

  • Target

    sweetnessgoodforgreatnessthingswithgood.tIF.vbs

  • Size

    219KB

  • Sample

    250109-vqr59axmbq

  • MD5

    8ccd875893cd23b67d7c61ea735f5c52

  • SHA1

    6171c7dd4f67a67fff0ca151c7e9a06104e00def

  • SHA256

    16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392

  • SHA512

    3ceb06944fb1cb3f176e9163f761e3c2d97e72a9e0177f417d4a83e03f4b539fbcb2d7ebe53865a483cacdc8eaf16ce292245aed1cc60c207f7ca038ced07f31

  • SSDEEP

    3072:A8gVmI3b0mgfmWu+ke9VOv5iG5sVhQ30Wk+70wgA1A:A8gVxe9VOvM

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • ps1.dropper

    https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20

  • exe.dropper

    https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20

Targets

    • Target

      sweetnessgoodforgreatnessthingswithgood.tIF.vbs

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Suspicious use of SetThreadContext
