smokeloader | e9b5e34d1f0f535f7b2b89d25035b6ea9e6c40c5c89fdc85d1d7fa9b306afcc7 | Triage

Sharing

General

Target

e9b5e34d1f0f535f7b2b89d25035b6ea9e6c40c5c89fdc85d1d7fa9b306afcc7
Size

335KB
Sample

220126-wg3fasgfa2
MD5

ea009f0bbc16645c4ec01a4c4e7e0d05
SHA1

0fa6d9bfdb1582d4476113245b33bc694df94633
SHA256

e9b5e34d1f0f535f7b2b89d25035b6ea9e6c40c5c89fdc85d1d7fa9b306afcc7
SHA512

b31a8b27a8e7107ff44098f729698b3a848355c1fdc6a4858ef3bac1e311c8ef033a2f0572392383914a36522840e8b8ffa713d8160147bfbb588e6f451a5451

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  e9b5e34d1f0f535f7b2b89d25035b6ea9e6c40c5c89fdc85d1d7fa9b306afcc7
- Size
  
  335KB
- MD5
  
  ea009f0bbc16645c4ec01a4c4e7e0d05
- SHA1
  
  0fa6d9bfdb1582d4476113245b33bc694df94633
- SHA256
  
  e9b5e34d1f0f535f7b2b89d25035b6ea9e6c40c5c89fdc85d1d7fa9b306afcc7
- SHA512
  
  b31a8b27a8e7107ff44098f729698b3a848355c1fdc6a4858ef3bac1e311c8ef033a2f0572392383914a36522840e8b8ffa713d8160147bfbb588e6f451a5451
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan