smokeloader | 109a1add019fcaf6cda3889345f0583cfb99f5bf2f025fb39e61b54099ae993d | Triage

Sharing

General

Target

109a1add019fcaf6cda3889345f0583cfb99f5bf2f025fb39e61b54099ae993d
Size

316KB
Sample

220125-jxzm5abgcl
MD5

8762d0570c46e288932fb82dc87ab294
SHA1

f8dca88e281e6c08dbaf5a7efdc0b19aa200498c
SHA256

109a1add019fcaf6cda3889345f0583cfb99f5bf2f025fb39e61b54099ae993d
SHA512

8c2eee822535bcc905aaa47f23c08c23dc340c485e54ab0d9964835a8a565a9b530aaf4fbc907df3ef7614ed9d5e56d14b757e55a1a104d50948a1bd219d582f

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  109a1add019fcaf6cda3889345f0583cfb99f5bf2f025fb39e61b54099ae993d
- Size
  
  316KB
- MD5
  
  8762d0570c46e288932fb82dc87ab294
- SHA1
  
  f8dca88e281e6c08dbaf5a7efdc0b19aa200498c
- SHA256
  
  109a1add019fcaf6cda3889345f0583cfb99f5bf2f025fb39e61b54099ae993d
- SHA512
  
  8c2eee822535bcc905aaa47f23c08c23dc340c485e54ab0d9964835a8a565a9b530aaf4fbc907df3ef7614ed9d5e56d14b757e55a1a104d50948a1bd219d582f
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan