smokeloader

General

Target

SecuriteInfo.com.Mal.GandCrypt-A.4160.29287
Size

176KB
Sample

210331-8j1mr53f7j
MD5

2a838bb8b42d0fe72bb89b3129603e01
SHA1

06dff415d576c5c91c72fa821caed6059d9abdc7
SHA256

d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd
SHA512

ef1de5a8ab7e920bf326c90b7d85bd1eac7dca688c9b825e2f574ad4617491a7ac30bd08b97ae5b843706b0f3f26817d33dd1a2b1852c6874bbcbfe460cd34e1

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Targets

- Target
  
  SecuriteInfo.com.Mal.GandCrypt-A.4160.29287
- Size
  
  176KB
- MD5
  
  2a838bb8b42d0fe72bb89b3129603e01
- SHA1
  
  06dff415d576c5c91c72fa821caed6059d9abdc7
- SHA256
  
  d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd
- SHA512
  
  ef1de5a8ab7e920bf326c90b7d85bd1eac7dca688c9b825e2f574ad4617491a7ac30bd08b97ae5b843706b0f3f26817d33dd1a2b1852c6874bbcbfe460cd34e1
Score

10^/10

smokeloader tofsee backdoor bootkit evasion persistence trojan vidar discovery spyware stealer themida
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- themida
  Detects Themida, Advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2