smokeloader | 2012b404dbdde24d9560ba06f7e5049ac33d50590651a71b02fa52369c7df3dd | Triage

Sharing

General

Target

2012b404dbdde24d9560ba06f7e5049ac33d50590651a71b02fa52369c7df3dd
Size

317KB
Sample

220125-lcseesdah4
MD5

ffc62e2ed4d58d453214a54fdfcfe893
SHA1

afc7889c2f75898465b1f40cc9966e6abba774bc
SHA256

2012b404dbdde24d9560ba06f7e5049ac33d50590651a71b02fa52369c7df3dd
SHA512

bef51e2aa9912e385154840c46d0c75be99138474a1f390d5529c8c478a47883efa42a4b9e7d35fec34573f5486b70ad07385097884681379fa4b88f3bd7ad77

Score

10^/10

smokeloader backdoor collection evasion trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

rc4.i32

rc4.i32

rc4.i32

rc4.i32

Targets

- Target
  
  2012b404dbdde24d9560ba06f7e5049ac33d50590651a71b02fa52369c7df3dd
- Size
  
  317KB
- MD5
  
  ffc62e2ed4d58d453214a54fdfcfe893
- SHA1
  
  afc7889c2f75898465b1f40cc9966e6abba774bc
- SHA256
  
  2012b404dbdde24d9560ba06f7e5049ac33d50590651a71b02fa52369c7df3dd
- SHA512
  
  bef51e2aa9912e385154840c46d0c75be99138474a1f390d5529c8c478a47883efa42a4b9e7d35fec34573f5486b70ad07385097884681379fa4b88f3bd7ad77
Score

10^/10

smokeloader backdoor collection evasion trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Deletes itself
- Accesses Microsoft Outlook profiles
  collection
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorcollectionevasiontrojan