smokeloader | d8052f56f2e9f3acae5f32a65f1b4c39dfbb87d39219ca52f6dd492ff1affa5c | Triage

Sharing

General

Target

d8052f56f2e9f3acae5f32a65f1b4c39dfbb87d39219ca52f6dd492ff1affa5c
Size

356KB
Sample

220126-zcc7dsadf3
MD5

284929a616faaa9f9e4ffc327c3e53c6
SHA1

82e2063ad8132d5740581d30776098116c2d6393
SHA256

d8052f56f2e9f3acae5f32a65f1b4c39dfbb87d39219ca52f6dd492ff1affa5c
SHA512

e7da1b0a20fb201ff1d53b35f597e095c32b38d42fcf9059ae734c7333e7c2edbf8e6af30e4ffc15efc6aeef2d4232a910c9617eecc88534232db3f0ee45b0b7

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  d8052f56f2e9f3acae5f32a65f1b4c39dfbb87d39219ca52f6dd492ff1affa5c
- Size
  
  356KB
- MD5
  
  284929a616faaa9f9e4ffc327c3e53c6
- SHA1
  
  82e2063ad8132d5740581d30776098116c2d6393
- SHA256
  
  d8052f56f2e9f3acae5f32a65f1b4c39dfbb87d39219ca52f6dd492ff1affa5c
- SHA512
  
  e7da1b0a20fb201ff1d53b35f597e095c32b38d42fcf9059ae734c7333e7c2edbf8e6af30e4ffc15efc6aeef2d4232a910c9617eecc88534232db3f0ee45b0b7
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan