General

  • Target

    2021BR04IS14.doc

  • Size

    1.4MB

  • Sample

    210415-mgkb1r7r6a

  • MD5

    753885c288a257139fc732fa450b1b7c

  • SHA1

    d8e5d2a366bfe2a5c81a87976ed8c4e3dc2788c5

  • SHA256

    f71c236c3e632754e7b1d2beec8f6127d7835d54a35638b0e9507137ddd2928c

  • SHA512

    9db623c6f57d61fc1da835428702650e916e97cb8121403b22941d009f72b66968558bdf2a2e4c85d1f1d0b0c1b321642d5f803e25565206052713cb54160eb7

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://bristell.com/0/

rc4.i32
rc4.i32

Targets

    • Target

      2021BR04IS14.doc

    • Size

      1.4MB

    • MD5

      753885c288a257139fc732fa450b1b7c

    • SHA1

      d8e5d2a366bfe2a5c81a87976ed8c4e3dc2788c5

    • SHA256

      f71c236c3e632754e7b1d2beec8f6127d7835d54a35638b0e9507137ddd2928c

    • SHA512

      9db623c6f57d61fc1da835428702650e916e97cb8121403b22941d009f72b66968558bdf2a2e4c85d1f1d0b0c1b321642d5f803e25565206052713cb54160eb7

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Exploitation for Client Execution

1
T1203

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Tasks