asdf.rtf

General

Target: asdf.rtf
Size: 2MB
Sample: 201028-38rr17b1an
Score: 10/10
MD5: c99321eebd53d1881ced20ddd1dbfda0
SHA1: db66a0c3cd32f56f68f9386cf017e39cce3dbe60
SHA256: 88c9417d5fc9539878eff56ea8d6105711a383a15a1dc54b6918016f25880120
SHA512: 2b3d20fc907302b9ea7bd893f684a12739ffd67586a649ebcff0a39619374fe0bb90ccb6cb055e1788c950ef58dc7547454cd1ad348a483b8400ab86509161bb

Malware Config

Extracted

Family: smokeloader
Version: 2020
C2: https://www.bristell.com/files/index.php
rc4.i32
rc4.i32
Signatures

  • SmokeLoader
    Description: Modular backdoor trojan in use since 2014.

  • Blacklisted process makes network request

  • Executes dropped EXE

  • UPX packed file
    Description: Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System; Credentials in Files

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Tasks

static1
behavioral2
1/10