smokeloader | ea164dacd96c7c2f93dcc8ddb9798def103def1b7e1febad0813a521346106e0 | Triage

Sharing

General

Target

ea164dacd96c7c2f93dcc8ddb9798def103def1b7e1febad0813a521346106e0
Size

353KB
Sample

220128-mgbg5sbahm
MD5

4be7a3e011c85f196567c25284b31088
SHA1

ab187a3b3d75291791d2e1ee9e9875f88c52b27c
SHA256

ea164dacd96c7c2f93dcc8ddb9798def103def1b7e1febad0813a521346106e0
SHA512

d317d3d38669a74a8da01159af0b952609c60291d1ecaa44b8da4118292e76d2035e89f79708b12410ca35ae0a2610ee949cb5aebb05f7e32d14678d6754ecfc

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  ea164dacd96c7c2f93dcc8ddb9798def103def1b7e1febad0813a521346106e0
- Size
  
  353KB
- MD5
  
  4be7a3e011c85f196567c25284b31088
- SHA1
  
  ab187a3b3d75291791d2e1ee9e9875f88c52b27c
- SHA256
  
  ea164dacd96c7c2f93dcc8ddb9798def103def1b7e1febad0813a521346106e0
- SHA512
  
  d317d3d38669a74a8da01159af0b952609c60291d1ecaa44b8da4118292e76d2035e89f79708b12410ca35ae0a2610ee949cb5aebb05f7e32d14678d6754ecfc
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan