smokeloader | 3cf0f56a8b601b0a8f0788b54b52160e4abbc3d77c1aedf079dec62630281868 | Triage

Sharing

General

Target

3cf0f56a8b601b0a8f0788b54b52160e4abbc3d77c1aedf079dec62630281868
Size

317KB
Sample

220125-fjjg7shaek
MD5

0e9407872c7b312c730e5dcc39009d81
SHA1

5b2a44419599cc7ecfe85eea1aeb252869669e21
SHA256

3cf0f56a8b601b0a8f0788b54b52160e4abbc3d77c1aedf079dec62630281868
SHA512

958875c9c1cc32edf4ca72e8f94beec584c2ff937aab5688e89bed0adac81a35a0a20efa3d1f7148f872390e2723c630b3569a3db8fa2edc2b29a2e02cdb8326

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  3cf0f56a8b601b0a8f0788b54b52160e4abbc3d77c1aedf079dec62630281868
- Size
  
  317KB
- MD5
  
  0e9407872c7b312c730e5dcc39009d81
- SHA1
  
  5b2a44419599cc7ecfe85eea1aeb252869669e21
- SHA256
  
  3cf0f56a8b601b0a8f0788b54b52160e4abbc3d77c1aedf079dec62630281868
- SHA512
  
  958875c9c1cc32edf4ca72e8f94beec584c2ff937aab5688e89bed0adac81a35a0a20efa3d1f7148f872390e2723c630b3569a3db8fa2edc2b29a2e02cdb8326
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan