General

  • Target

    5xa4g.dll.zip

  • Size

    201KB

  • Sample

    210109-5tve7n9my2

  • MD5

    54259c450ca2e9bb526fb7e9d29d7165

  • SHA1

    d35f35ac91d45a57cf891c473035ffc9ba547c9e

  • SHA256

    95d30f9f1b8e01dd9b3e44ccf0297aefdfcc0e7c1a76099b6ac2ebec55c4d31b

  • SHA512

    a30b77206e66ed44b756df4ffbd276b1e898c53f6417f711ade03f88df5f14303d91629d7f8612a0ff909eca4e1fc3d9274d67a4b0cd6479a85585d16b3b7d20

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2


rc4.i32
rc4.i32

Targets

    • Target

      5xa4g.dll.exe

    • Size

      251KB

    • MD5

      23627e96f5260b8e1d8fdc3da9250126

    • SHA1

      d68f46e0f9154972b5a0f1dae8e4380a8d227527

    • SHA256

      fed230e1f92000a5860c06228346b7925d8cce2ac1ebc1048ed5c26576c830f7

    • SHA512

      395afa4073a58f2644cb10923e7ed9cb5098ab44f8c4bb5efb3bf4c70f4b5f132511ada4d659667d64a743e18a3751082ce84b85de61566987859f2d29348398

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1
