smokeloader | f91112004eb1e10814d6d9b90c65d6189e299b389da3277df7f1fdf4bcdfe033 | Triage

Sharing

General

Target

f91112004eb1e10814d6d9b90c65d6189e299b389da3277df7f1fdf4bcdfe033
Size

317KB
Sample

220125-y7z4zaeef3
MD5

0a77510939d386c78d044d8f23648535
SHA1

fddfa3685771667ba3d00240aa319a9cd93154b6
SHA256

f91112004eb1e10814d6d9b90c65d6189e299b389da3277df7f1fdf4bcdfe033
SHA512

a4296ea561359e5cd7faa00cfc0cbb8f7ca448ad9c0753c6245052367401605a1c5de0a76208059a6368b4cebee11118482bd913339731dfdbb455af4b9e3f94

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  f91112004eb1e10814d6d9b90c65d6189e299b389da3277df7f1fdf4bcdfe033
- Size
  
  317KB
- MD5
  
  0a77510939d386c78d044d8f23648535
- SHA1
  
  fddfa3685771667ba3d00240aa319a9cd93154b6
- SHA256
  
  f91112004eb1e10814d6d9b90c65d6189e299b389da3277df7f1fdf4bcdfe033
- SHA512
  
  a4296ea561359e5cd7faa00cfc0cbb8f7ca448ad9c0753c6245052367401605a1c5de0a76208059a6368b4cebee11118482bd913339731dfdbb455af4b9e3f94
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan