General

  • Target

    2021lk049459.doc

  • Size

    2MB

  • Sample

    210413-pfkjm2xd9x

  • MD5

    40f9df41effa8762858974452db083d9

  • SHA1

    fd382c2ae4ad3545b5d198d8c51735045584f8ce

  • SHA256

    06b686985f4246819d7fed52a2b9fc1dbed7406d80f902d655866aed61392cbd

  • SHA512

    f09b0b5415ac3f1c9af5f13774bb01675540a3238ac23301b404f13fb847f62725e7ad03f7de7b0fbecf19c90ee2be53b5e7b09aada12780f7685258b54f58f2

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://u.teknik.io/bHrgG.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.114.59/1/

rc4.i32
rc4.i32

Targets

    • Target

      2021lk049459.doc

    • Size

      2MB

    • MD5

      40f9df41effa8762858974452db083d9

    • SHA1

      fd382c2ae4ad3545b5d198d8c51735045584f8ce

    • SHA256

      06b686985f4246819d7fed52a2b9fc1dbed7406d80f902d655866aed61392cbd

    • SHA512

      f09b0b5415ac3f1c9af5f13774bb01675540a3238ac23301b404f13fb847f62725e7ad03f7de7b0fbecf19c90ee2be53b5e7b09aada12780f7685258b54f58f2

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Execution

Exploitation for Client Execution

1
T1203

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Tasks