smokeloader | 22e09cd7882f7e698ce36f495fe27bc7230456fcbaa01f76684e8e60ae49e0d3 | Triage

Sharing

General

Target

22e09cd7882f7e698ce36f495fe27bc7230456fcbaa01f76684e8e60ae49e0d3
Size

191KB
Sample

220127-nc8shsbhg4
MD5

f55625db12904c1a5707618799a12ef9
SHA1

a8de7098d479b5323b9623c84beecc3238ed361b
SHA256

22e09cd7882f7e698ce36f495fe27bc7230456fcbaa01f76684e8e60ae49e0d3
SHA512

4013b0a7184db4d86ce17e7c7c8068c5cbdbabe5e4e93ccab353435fa37041171ebcc6627430558cb2471ed245735668d5ccd37da3cd5d46584ded23a6bb8ac0

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  22e09cd7882f7e698ce36f495fe27bc7230456fcbaa01f76684e8e60ae49e0d3
- Size
  
  191KB
- MD5
  
  f55625db12904c1a5707618799a12ef9
- SHA1
  
  a8de7098d479b5323b9623c84beecc3238ed361b
- SHA256
  
  22e09cd7882f7e698ce36f495fe27bc7230456fcbaa01f76684e8e60ae49e0d3
- SHA512
  
  4013b0a7184db4d86ce17e7c7c8068c5cbdbabe5e4e93ccab353435fa37041171ebcc6627430558cb2471ed245735668d5ccd37da3cd5d46584ded23a6bb8ac0
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan