smokeloader | bd47a6c86b0088b8524db00c5c8e6ca98f9f798cf15ae447aeb789e881663676 | Triage

Sharing

General

Target

bd47a6c86b0088b8524db00c5c8e6ca98f9f798cf15ae447aeb789e881663676
Size

318KB
Sample

220126-apxn5aadhr
MD5

9e5b2e4f56f3380389362b790aa17b44
SHA1

7a2f8ee8e21dbf10f5bd84f538a6621dc32f8f84
SHA256

bd47a6c86b0088b8524db00c5c8e6ca98f9f798cf15ae447aeb789e881663676
SHA512

7207936d2e544e94016098a0aa07822c85d555eaea02d774631268c4f6c7a423bc686653e1a1b7d70b6d52bf3b7d1548ccc517dc1d5340b2f7f3b3514def2aa7

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  bd47a6c86b0088b8524db00c5c8e6ca98f9f798cf15ae447aeb789e881663676
- Size
  
  318KB
- MD5
  
  9e5b2e4f56f3380389362b790aa17b44
- SHA1
  
  7a2f8ee8e21dbf10f5bd84f538a6621dc32f8f84
- SHA256
  
  bd47a6c86b0088b8524db00c5c8e6ca98f9f798cf15ae447aeb789e881663676
- SHA512
  
  7207936d2e544e94016098a0aa07822c85d555eaea02d774631268c4f6c7a423bc686653e1a1b7d70b6d52bf3b7d1548ccc517dc1d5340b2f7f3b3514def2aa7
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan