General
Target: 7ebf41b7e0d24473f2ad0b25e354f615.exe
Size: 1.0MB
Sample: 220114-rs1cvsghgl
MD5: 7ebf41b7e0d24473f2ad0b25e354f615
SHA1: 6e9c110ed531f7239ff849a6b7c998d1c958f2d8
SHA256: 15cea3c23e9d0f1ec3a748746bd425d642ae25b042b1b36c8364f721235f0f0d
SHA512: 83dc1c23462f6f647d049214d9dba23874f3a1ba75815476107a0ffba769521d085a0e831132c09e02fe596290d1ec2ba954d26ec4d51cf7ee8636c2c5d2a24d
Static task: static1
Behavioral task: behavioral1
Sample: 7ebf41b7e0d24473f2ad0b25e354f615.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 7ebf41b7e0d24473f2ad0b25e354f615.exe
Resource: win10v2004-en-20220113
Malware Config
Extracted family: smokeloader
Version: 2020
C2 URLs:
http://nahbleiben.at/upload/
http://noblecreativeaz.com/upload/
http://tvqaq.cn/upload/
http://recmaster.ru/upload/
http://sovels.ru/upload/
Targets
Target: 7ebf41b7e0d24473f2ad0b25e354f615.exe
Size: 1.0MB
MD5: 7ebf41b7e0d24473f2ad0b25e354f615
SHA1: 6e9c110ed531f7239ff849a6b7c998d1c958f2d8
SHA256: 15cea3c23e9d0f1ec3a748746bd425d642ae25b042b1b36c8364f721235f0f0d
SHA512: 83dc1c23462f6f647d049214d9dba23874f3a1ba75815476107a0ffba769521d085a0e831132c09e02fe596290d1ec2ba954d26ec4d51cf7ee8636c2c5d2a24d
Signatures
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger