smokeloader | 40992e098d80c2251fc947ed2c51f5add6579c91a8c09012360c6e15ffbc4573 | Triage

Sharing

General

Target

40992e098d80c2251fc947ed2c51f5add6579c91a8c09012360c6e15ffbc4573
Size

241KB
Sample

220127-j3tdashgem
MD5

8ecb3f0291ea4c4786268e07a3431093
SHA1

7a9f740ae1d5a4f70457ad829d9e28ff87d49bcb
SHA256

40992e098d80c2251fc947ed2c51f5add6579c91a8c09012360c6e15ffbc4573
SHA512

84a9557ed396d0407ff90cb520c5d1b196b611c453b4e526110b4678df5e1e2f271cd061cc2533cdcc40565b68287fbe2976f2e0b96ef5c7d09ac9f9a6094a3f

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  40992e098d80c2251fc947ed2c51f5add6579c91a8c09012360c6e15ffbc4573
- Size
  
  241KB
- MD5
  
  8ecb3f0291ea4c4786268e07a3431093
- SHA1
  
  7a9f740ae1d5a4f70457ad829d9e28ff87d49bcb
- SHA256
  
  40992e098d80c2251fc947ed2c51f5add6579c91a8c09012360c6e15ffbc4573
- SHA512
  
  84a9557ed396d0407ff90cb520c5d1b196b611c453b4e526110b4678df5e1e2f271cd061cc2533cdcc40565b68287fbe2976f2e0b96ef5c7d09ac9f9a6094a3f
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan