Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d

  • Size

    333KB

  • Sample

    220126-zhanfsabcr

  • MD5

    5442c936447943b763574d001e77a70b

  • SHA1

    b0dd0c3c0642bc5c175b4ef593b14ef36a6818bb

  • SHA256

    c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d

  • SHA512

    decf02649002a0e7f468a15ee074cd6bb4eed3af47167fe619cd42bd042f1c9707c9b6536ebdff12e14ac5851be2b48fc72e5a70d62c3033573d1523c1c3e83e

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://kotabuki.com/

http://slusextense.com/

http://purekidboo.com/

http://wildzipcode.biz/
rc4.i32
rc4.i32

Targets

    • Target

      c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d

    • Size

      333KB

    • MD5

      5442c936447943b763574d001e77a70b

    • SHA1

      b0dd0c3c0642bc5c175b4ef593b14ef36a6818bb

    • SHA256

      c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d

    • SHA512

      decf02649002a0e7f468a15ee074cd6bb4eed3af47167fe619cd42bd042f1c9707c9b6536ebdff12e14ac5851be2b48fc72e5a70d62c3033573d1523c1c3e83e

    Score
    10/10
    smokeloaderbackdoorpersistencetrojan

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Sets service image path in registry

      persistence
    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks