General

  • Target

    1552dbdb5fcb0236dbc9897df14e98c6.exe

  • Size

    136KB

  • Sample

    201229-214lpy2lns

  • MD5

    1552dbdb5fcb0236dbc9897df14e98c6

  • SHA1

    c29986b9d0d1c05a721f08a3c259c62814ef8a34

  • SHA256

    5dd71da9e576dc4b91f9b9ded0c0b7648604938fb83343063e44b99bc3eb23c6

  • SHA512

    70fe2fa9000bc8aee8eaca6a1c39cf6131f747a72d3623c077f5b9f24b9354cf3f3431c21bdecc94d0b8962522865a380aa1737a854e61b18957e727da67e980

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://vtdilet.com/upload/

http://netvxi.com/upload/

http://tinnys.monster/upload/

rc4.i32
rc4.i32
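The hashes in General and the C2 list above are the parts of this report a defender actually consumes. The block below turns them into a reusable check: hash a file with the same four algorithms the sandbox lists and compare, and derive hostnames plus Suricata rules from the C2 URLs. This is an added example, not sandbox output and not SmokeLoader code; the `sid` range and the rule shape are assumptions, and the rule matches Host header plus URI path only, because the report does not record the HTTP method.

```python
"""IOC helpers built from the report above (added example; not sandbox output)."""
import hashlib
from urllib.parse import urlsplit

# Hashes and C2 URLs copied from the report's General and Malware Config sections.
KNOWN_HASHES = {
    "md5": "1552dbdb5fcb0236dbc9897df14e98c6",
    "sha1": "c29986b9d0d1c05a721f08a3c259c62814ef8a34",
    "sha256": "5dd71da9e576dc4b91f9b9ded0c0b7648604938fb83343063e44b99bc3eb23c6",
    "sha512": "70fe2fa9000bc8aee8eaca6a1c39cf6131f747a72d3623c077f5b9f24b9354cf"
              "3f3431c21bdecc94d0b8962522865a380aa1737a854e61b18957e727da67e980",
}
C2_URLS = [
    "http://vtdilet.com/upload/",
    "http://netvxi.com/upload/",
    "http://tinnys.monster/upload/",
]
ALGS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    """Return the same four digests the report lists, as lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Stream a file through all four hashes in a single read pass."""
    hs = {alg: hashlib.new(alg) for alg in ALGS}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hs.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hs.items()}


def match_hashes(observed: dict, known: dict = KNOWN_HASHES) -> list:
    """Algorithms on which `observed` equals `known`. A hit on any single
    algorithm is enough to flag a file; comparison is case-insensitive
    because threat feeds disagree on hex case."""
    return sorted(alg for alg, digest in observed.items()
                  if alg in known and digest.lower() == known[alg].lower())


def c2_hosts(urls=C2_URLS) -> list:
    """Distinct C2 hostnames, sorted, for DNS sinkholing or a blocklist."""
    return sorted({urlsplit(u).hostname for u in urls})


def c2_paths(urls=C2_URLS) -> set:
    """Distinct URI paths; the report shows one path shared by all three hosts."""
    return {urlsplit(u).path for u in urls}


def suricata_rules(urls=C2_URLS, sid_base=9000001) -> list:
    """One Suricata rule per C2 URL, matching the Host header and URI path.
    The http.host buffer is normalised to lower case by Suricata, so the
    hostname is lowered here rather than using nocase. sid_base is an
    assumed local-rule range, not something the report specifies."""
    rules = []
    for i, u in enumerate(urls):
        parts = urlsplit(u)
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any ('
            'msg:"SmokeLoader C2 %s"; flow:established,to_server; '
            'http.host; content:"%s"; '
            'http.uri; content:"%s"; '
            'classtype:trojan-activity; sid:%d; rev:1;)'
            % (parts.hostname, parts.hostname.lower(), parts.path, sid_base + i))
    return rules


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        hit = match_hashes(hash_file(p))
        print(p, "MATCH on " + ",".join(hit) if hit else "no match")
    print("\n".join(suricata_rules()))
```

Run it with one or more file paths to compare them against the sample's hashes; with no arguments it just prints the three rules. Matching on any one algorithm is intentional: many feeds carry only an MD5 or only a SHA256, and a collision-resistant digest matching is sufficient evidence on its own.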

Targets

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • JavaScript code in executable

MITRE ATT&CK Matrix (ATT&CK v6)

  Technique IDs below are the ATT&CK v6 identifiers the sandbox emitted; the number after each is how many signatures mapped to it. Two of these IDs have since been retired upstream: T1130 now lives under T1553.004 (Subvert Trust Controls: Install Root Certificate) and T1081 under T1552.001 (Unsecured Credentials: Credentials In Files).

  • Defense Evasion

    Install Root Certificate (T1130), 1
    Modify Registry (T1112), 1

  • Credential Access

    Credentials in Files (T1081), 2

  • Discovery

    Query Registry (T1012), 1
    Peripheral Device Discovery (T1120), 1
    System Information Discovery (T1082), 1

  • Collection

    Data from Local System (T1005), 2

Tasks