dharma | b1d0d50f6e59811b2985ddbedbaed3813f5f3b1e81d4c4e3a517b76ac0a53ce8 | Triage

Submit
Reports

Overview

overview

Static

static

smokey_loader.exe

windows7_x64

smokey_loader.exe

windows10_x64

Sharing

General

Target

smokey_loader.exe
Size

40KB
Sample

200827-84pwc3q9fn
MD5

112f0d958cadae441b1b1624e270ce38
SHA1

c3823572821f717fd6a9537febb66ad566b2081a
SHA256

b1d0d50f6e59811b2985ddbedbaed3813f5f3b1e81d4c4e3a517b76ac0a53ce8
SHA512

f444d911b5547e53b953e6500cf81986023667878aef3f787fa7642f211ace315901c1de8c4ef6df4a199e4878c92f2fe45bdb1cacfee2c658c39e4505467e83

Score

10^/10

dharma smokeloader backdoor persistence ransomware trojan

Static task

static1

Behavioral task

behavioral1

Sample

smokey_loader.exe

Resource

win7v200722

ransomware dharma persistence trojan backdoor smokeloader

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

smokey_loader.exe

Resource

win10

trojan backdoor smokeloader ransomware dharma persistence

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rexstat35x.xyz/statweb955/

http://dexspot2x.xyz/statweb955/

http://atxspot20x.xyz/statweb955/

http://rexspot7x.xyz/statweb955/

http://fdmail85.club/statweb955/

http://servicem977x.xyz/statweb955/

http://advertxman7x.xyz/statweb955/

http://starxpush7x.xyz/statweb955/

rc4.i32

rc4.i32

Targets

- Target
  
  smokey_loader.exe
- Size
  
  40KB
- MD5
  
  112f0d958cadae441b1b1624e270ce38
- SHA1
  
  c3823572821f717fd6a9537febb66ad566b2081a
- SHA256
  
  b1d0d50f6e59811b2985ddbedbaed3813f5f3b1e81d4c4e3a517b76ac0a53ce8
- SHA512
  
  f444d911b5547e53b953e6500cf81986023667878aef3f787fa7642f211ace315901c1de8c4ef6df4a199e4878c92f2fe45bdb1cacfee2c658c39e4505467e83
Score

10^/10

ransomware dharma persistence trojan backdoor smokeloader
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

ransomwaredharmapersistencetrojanbackdoorsmokeloader

behavioral2

trojanbackdoorsmokeloaderransomwaredharmapersistence

© 2018-2024

Terms | Privacy