smokeloader | 0e69f482529fbb8becbd25b4233632e7a6594356094831a6d330ee155fb32ac1 | Triage

Sharing

General

Target

0e69f482529fbb8becbd25b4233632e7a6594356094831a6d330ee155fb32ac1
Size

190KB
Sample

220127-wffj5sgehk
MD5

c9a706068be25ac61c747c25611e8807
SHA1

777e629fd273f7c6cd07f7e3d5c0b3c38a6c9676
SHA256

0e69f482529fbb8becbd25b4233632e7a6594356094831a6d330ee155fb32ac1
SHA512

1d56cd67125fa7d1cfc50213cc770823df963c27dfa3b3e5794f269c581d3abae6611004eaab08d1f1a469c9ea62a19ab81ac62b41b7da5ba7ba9271714e515c

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  0e69f482529fbb8becbd25b4233632e7a6594356094831a6d330ee155fb32ac1
- Size
  
  190KB
- MD5
  
  c9a706068be25ac61c747c25611e8807
- SHA1
  
  777e629fd273f7c6cd07f7e3d5c0b3c38a6c9676
- SHA256
  
  0e69f482529fbb8becbd25b4233632e7a6594356094831a6d330ee155fb32ac1
- SHA512
  
  1d56cd67125fa7d1cfc50213cc770823df963c27dfa3b3e5794f269c581d3abae6611004eaab08d1f1a469c9ea62a19ab81ac62b41b7da5ba7ba9271714e515c
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan