smokeloader | 25df30e381933312aa3836a86fee1b15a6d68b14bb6119785ba4d80efbb4dea6 | Triage

Sharing

General

Target

25df30e381933312aa3836a86fee1b15a6d68b14bb6119785ba4d80efbb4dea6
Size

333KB
Sample

220126-tc5nrafdb3
MD5

12e707746b2e0b1147967738363b0bd3
SHA1

1327e32b385ef5f676dd5ee67e2627cc46dca8b4
SHA256

25df30e381933312aa3836a86fee1b15a6d68b14bb6119785ba4d80efbb4dea6
SHA512

486b80df0d7e99eb06febed6c4a842b57d613d2f20b487d162fd7b09d858a43db11a09f765bf388b0df69999602642217388112d6bf15440f9828b3a8e8c01b3

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  25df30e381933312aa3836a86fee1b15a6d68b14bb6119785ba4d80efbb4dea6
- Size
  
  333KB
- MD5
  
  12e707746b2e0b1147967738363b0bd3
- SHA1
  
  1327e32b385ef5f676dd5ee67e2627cc46dca8b4
- SHA256
  
  25df30e381933312aa3836a86fee1b15a6d68b14bb6119785ba4d80efbb4dea6
- SHA512
  
  486b80df0d7e99eb06febed6c4a842b57d613d2f20b487d162fd7b09d858a43db11a09f765bf388b0df69999602642217388112d6bf15440f9828b3a8e8c01b3
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan