Managed XDR

home-petik-ss-malware-...ys_smoke-loader_stealc — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
home-petik-ss-malware-2025-11-11_4fe7ea9fafef35d58fb3125c9c3345e4_amadey_elex_karagany_rhadamanthys_smoke-loader_stealc
Тип файла
PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла
305 KB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x86 en

Хеши

SHA1
384c469442b1d81f276e0b4781836604eb217ce5
SHA256
5363f6c7ab73afce8556a43eb4fb252c0e91fb0fc7f32e7e0e7b3ad9f5cca97c
MD5
4fe7ea9fafef35d58fb3125c9c3345e4

Сигнатуры

Persistence

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070.004 deletes_self: Moves to different location or removes the original executable file
T1574.011 persistence_services: Modifies Services registry key
T1036 system_filename: Created a file named as a common system file
T1027.002 packer_upx: The executable file is compressed using UPX
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070.004 self_removal_command: Executes command to delete itself
T1218 suspicious_cmdline_keywords: Cmdline with suspicious keywords

Credential Access

T1552 infostealer_browser: Retrieves personal information from local Internet browsers
T1503 infostealer_browser: Retrieves personal information from local Internet browsers
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality

Command and Control

T1071.001 network_http: Performs HTTP requests
T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl

Other

suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
network_bind: Starts servers listening at 0.0.0.0:0
dns_without_resolve: DNS query without a response
dead_host: Connects to IP addresses that do not respond to requests
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
malware_cmdline: Suspicious words in the command line
suspicious_network_port: Performs TCP or UDP request to non-standard port
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
pe_overlay: PE file contains overlay
js_suspicious: Suspicious javascript