smokeloader | 877dc1247e7be963bf69476f61887ef11afa571a2b0fb4b40d9c32b344576479 | Triage

Sharing

General

Target

877dc1247e7be963bf69476f61887ef11afa571a2b0fb4b40d9c32b344576479
Size

191KB
Sample

220127-qctdyadee4
MD5

8c1cb76818d910752b0fdae41fc7be4f
SHA1

618edc41b68ddc9849afb0cc0079ab4a7504306a
SHA256

877dc1247e7be963bf69476f61887ef11afa571a2b0fb4b40d9c32b344576479
SHA512

a53cf9e20c87fc445cb294e3865e76e1bc12f48e7e67ccc3a426be736b2fbd405507a1c9a49d1202df9b0b6c94335b56845b4bc8803de71ffadeb2b9f55f0359

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  877dc1247e7be963bf69476f61887ef11afa571a2b0fb4b40d9c32b344576479
- Size
  
  191KB
- MD5
  
  8c1cb76818d910752b0fdae41fc7be4f
- SHA1
  
  618edc41b68ddc9849afb0cc0079ab4a7504306a
- SHA256
  
  877dc1247e7be963bf69476f61887ef11afa571a2b0fb4b40d9c32b344576479
- SHA512
  
  a53cf9e20c87fc445cb294e3865e76e1bc12f48e7e67ccc3a426be736b2fbd405507a1c9a49d1202df9b0b6c94335b56845b4bc8803de71ffadeb2b9f55f0359
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan