General

  • Target

    2c2cb2aa0782874d3c14cdd6f063f979.exe

  • Size

    847KB

  • Sample

    210413-y5cb33t8pj

  • MD5

    2c2cb2aa0782874d3c14cdd6f063f979

  • SHA1

    583c43ca939f9d8a4eea53a7d71157ac3571a350

  • SHA256

    c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

  • SHA512

    34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://u.teknik.io/bHrgG.jpg

Extracted

  • Family

    smokeloader

  • Version

    2018

  • C2

    http://94.140.114.59/1/

  • rc4.i32

  • rc4.i32
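The ps1 stage above fetches its next stage from a URL that ends in .jpg while the extractor labels it exe.dropper: the extension is a lure for proxies and humans, and the only reliable signal is the file's own bytes. The following is an added example (not code from Triage, the sample, or this page) that classifies a fetched payload by magic bytes rather than by URL extension. The PE and JPEG byte strings it tests against are constructed inline and are not the real payload; the URL strings are the ones reported above.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker
IMAGE_EXTS = ("jpg", "jpeg", "png", "gif", "bmp", "txt")


def build_fake_pe() -> bytes:
    """Constructed test bytes: the smallest string that passes the PE checks
    below (MZ header, e_lfanew, PE\\0\\0 signature, COFF header). It is not a
    real or runnable executable and is not the dropped payload."""
    e_lfanew = 0x80
    buf = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    buf += struct.pack("<I", e_lfanew)          # e_lfanew lives at offset 0x3C
    buf += b"\x00" * (e_lfanew - len(buf))      # pad DOS stub up to e_lfanew
    buf += b"PE\x00\x00"                        # NT signature
    buf += struct.pack("<HH", 0x014C, 1)        # COFF: Machine=i386, 1 section
    return bytes(buf)


def looks_like_pe(data: bytes) -> bool:
    """True when the bytes carry an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slicing past the end yields b"" and fails the comparison safely.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_SOI)


def classify(url: str, data: bytes) -> str:
    """Compare what the URL claims (its extension) with what the bytes are."""
    name = url.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if looks_like_pe(data):
        return "pe-disguised-as-" + ext if ext in IMAGE_EXTS else "pe"
    if looks_like_jpeg(data):
        return "jpeg"
    return "unknown"


if __name__ == "__main__":
    dropper_url = "https://u.teknik.io/bHrgG.jpg"      # from the extracted config
    print(classify(dropper_url, build_fake_pe()))      # constructed PE bytes
    print(classify(dropper_url, b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

Run the check on the bytes a proxy or EDR actually saw, not on the URL; a download that classifies as pe-disguised-as-jpg is the event worth alerting on, since a benign image host never serves an MZ header under that name.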

Targets

    • Target

      2c2cb2aa0782874d3c14cdd6f063f979.exe

    • Size

      847KB

    • MD5

      2c2cb2aa0782874d3c14cdd6f063f979

    • SHA1

      583c43ca939f9d8a4eea53a7d71157ac3571a350

    • SHA256

      c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

    • SHA512

      34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory
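The "Maps connected drives based on registry" signature fires because the sample enumerates attached disks and looks for hypervisor vendor strings. The following is an added example (not the sample's code, and not from Triage) of what that check looks like from the loader's side. It assumes the key read is SYSTEM\CurrentControlSet\Services\Disk\Enum, which the page does not name; the device-ID strings are constructed in the format Windows stores there and are not values read from any real host. The registry read only runs on Windows; the classification logic is pure and runs anywhere.

```python
import sys

# Assumption: the sandbox check reads this key; the report does not name it.
DISK_ENUM_KEY = r"SYSTEM\CurrentControlSet\Services\Disk\Enum"
# Vendor/product substrings a sandbox-aware loader typically treats as "analysis box".
VM_MARKERS = ("vmware", "vbox", "virtual", "qemu", "xen")

# Constructed PnP instance paths in the Disk\Enum format (not read from a real host).
SAMPLE_IDS_VM = [r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1982005&0&000000"]
SAMPLE_IDS_PHYSICAL = [r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970\4&2d0e3f1c&0&000000"]


def read_disk_enum():
    """Return the numbered values (0, 1, ...) under Disk\\Enum on Windows, each
    a PnP instance path of an attached disk. Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISK_ENUM_KEY) as key:
        value_count = winreg.QueryInfoKey(key)[1]   # (subkeys, values, mtime)
        for i in range(value_count):
            name, data, _type = winreg.EnumValue(key, i)
            if name.isdigit():                     # "Count" and others are skipped
                ids.append(data)
    return ids


def looks_like_vm(device_ids):
    """The heuristic itself: every disk ID naming a hypervisor is returned as
    evidence; an empty list means the disks look physical."""
    return [d for d in device_ids if any(m in d.lower() for m in VM_MARKERS)]


if __name__ == "__main__":
    ids = read_disk_enum() or SAMPLE_IDS_VM      # fall back to constructed data
    verdict = "analysis environment" if looks_like_vm(ids) else "physical host"
    print(ids, "->", verdict)
```

Two practical notes. A registry read like this produces no Sysmon event (Sysmon's registry events cover key/value creation, deletion, renaming and setting, not queries), so the behaviour is visible to a sandbox's own API instrumentation, as here, and not to a Sysmon-based pipeline. On the evasion side, this is why hardened analysis VMs rewrite the disk vendor strings the hypervisor exposes.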

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Tasks