smokeloader | 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100 | Triage

Sharing

General

Target

3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
Size

191KB
Sample

220127-n6b1mscee6
MD5

a05b981f73e296c8edf29ea9f68b8355
SHA1

f959ea0a5569320682e194bd87ae3fbf0b382647
SHA256

3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
SHA512

d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
- Size
  
  191KB
- MD5
  
  a05b981f73e296c8edf29ea9f68b8355
- SHA1
  
  f959ea0a5569320682e194bd87ae3fbf0b382647
- SHA256
  
  3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
- SHA512
  
  d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan