Overview

overview

10

Static

static

2021ME04LO14.doc

windows7_x64

10

2021ME04LO14.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2021ME04LO14.doc

  • Size

    1.2MB

  • Sample

    210415-flgdl588qa

  • MD5

    a7efdf6b05f75d87da78ebac5d8ec871

  • SHA1

    8e15570191d6a989809d77f5759d4196c5675f57

  • SHA256

    9266b7e06934a2c37355df644d5fb7cbc94d013059ce03e8beeeb961bb529720

  • SHA512

    c973d523fed53fe50a25a46a5eba077db21cea853b955ddf6d5e8240bbc5ffea41322bdcd3f2c5ff9153edc2f437022e638ce4ce80dbfa84a01e3c6acb384f4e

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://melonco.com/0/

rc4.i32
rc4.i32

Targets

    • Target

      2021ME04LO14.doc

    • Size

      1.2MB

    • MD5

      a7efdf6b05f75d87da78ebac5d8ec871

    • SHA1

      8e15570191d6a989809d77f5759d4196c5675f57

    • SHA256

      9266b7e06934a2c37355df644d5fb7cbc94d013059ce03e8beeeb961bb529720

    • SHA512

      c973d523fed53fe50a25a46a5eba077db21cea853b955ddf6d5e8240bbc5ffea41322bdcd3f2c5ff9153edc2f437022e638ce4ce80dbfa84a01e3c6acb384f4e

    Score
    10/10
    smokeloaderbackdoortrojan

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks