smokeloader | 917d9b49f0f74337ef54a15a640ba5bdd996d4ce6cc1ab9520b96eeb940eaebf | Triage

Sharing

General

Target

917d9b49f0f74337ef54a15a640ba5bdd996d4ce6cc1ab9520b96eeb940eaebf
Size

189KB
Sample

220127-vsktysghd3
MD5

874452dbe27bfca41ffd22ca8ddc1c4e
SHA1

3840a51c89928deaec77100be44bd15e788a0a68
SHA256

917d9b49f0f74337ef54a15a640ba5bdd996d4ce6cc1ab9520b96eeb940eaebf
SHA512

a8c50cd254ac0fade53c54ce2853ab4504567d3d14e08fb9c68ebeec1defa0ae65e7aa82436334277aa49e2c1c133407543d9b873a84359fb6bca6aa2226c8b3

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  917d9b49f0f74337ef54a15a640ba5bdd996d4ce6cc1ab9520b96eeb940eaebf
- Size
  
  189KB
- MD5
  
  874452dbe27bfca41ffd22ca8ddc1c4e
- SHA1
  
  3840a51c89928deaec77100be44bd15e788a0a68
- SHA256
  
  917d9b49f0f74337ef54a15a640ba5bdd996d4ce6cc1ab9520b96eeb940eaebf
- SHA512
  
  a8c50cd254ac0fade53c54ce2853ab4504567d3d14e08fb9c68ebeec1defa0ae65e7aa82436334277aa49e2c1c133407543d9b873a84359fb6bca6aa2226c8b3
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan