Overview

overview

10

Static

static

Forever

windows7_x64

10

Resubmissions

28-10-2020 16:00

201028-svr7gh1tgj 10

28-10-2020 15:42

201028-38rr17b1an 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    asdf.rtf

  • Size

    2.3MB

  • Sample

    201028-svr7gh1tgj

  • MD5

    c99321eebd53d1881ced20ddd1dbfda0

  • SHA1

    db66a0c3cd32f56f68f9386cf017e39cce3dbe60

  • SHA256

    88c9417d5fc9539878eff56ea8d6105711a383a15a1dc54b6918016f25880120

  • SHA512

    2b3d20fc907302b9ea7bd893f684a12739ffd67586a649ebcff0a39619374fe0bb90ccb6cb055e1788c950ef58dc7547454cd1ad348a483b8400ab86509161bb

Score
10/10
smokeloaderbackdoortrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

httPs://paste.ee/r/DUMRL
ps1.dropper

httPs://paste.ee/r/wWuSK

Extracted

Family

smokeloader

Version

2020

C2

https://www.bristell.com/files/index.php

rc4.i32
rc4.i32

Targets

    • Target

      asdf.rtf

    • Size

      2.3MB

    • MD5

      c99321eebd53d1881ced20ddd1dbfda0

    • SHA1

      db66a0c3cd32f56f68f9386cf017e39cce3dbe60

    • SHA256

      88c9417d5fc9539878eff56ea8d6105711a383a15a1dc54b6918016f25880120

    • SHA512

      2b3d20fc907302b9ea7bd893f684a12739ffd67586a649ebcff0a39619374fe0bb90ccb6cb055e1788c950ef58dc7547454cd1ad348a483b8400ab86509161bb

    Score
    10/10
    smokeloaderbackdoortrojanupx

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Blocklisted process makes network request

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks