smokeloader | 2e4938ec0e5c2beaff68ac02cfdfb4cd762a2399a26aff8c3298b716def6e234 | Triage

Sharing

General

Target

2e4938ec0e5c2beaff68ac02cfdfb4cd762a2399a26aff8c3298b716def6e234
Size

352KB
Sample

220128-n2ynvacaal
MD5

4ed9c436d50d8ed64fe9ce9b30099a37
SHA1

ad6467e4813cb95a4b5d35b4461274c089a5346d
SHA256

2e4938ec0e5c2beaff68ac02cfdfb4cd762a2399a26aff8c3298b716def6e234
SHA512

db7f06fbd14ce0fdc2ca15caaa7edd90ea62a7bf21fd7bf0cbd2cf5971a09df31a4f01e9c11b6d6a923c5d69c8d2b350fc8842d89147fe85be9ff601ab3ad019

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  2e4938ec0e5c2beaff68ac02cfdfb4cd762a2399a26aff8c3298b716def6e234
- Size
  
  352KB
- MD5
  
  4ed9c436d50d8ed64fe9ce9b30099a37
- SHA1
  
  ad6467e4813cb95a4b5d35b4461274c089a5346d
- SHA256
  
  2e4938ec0e5c2beaff68ac02cfdfb4cd762a2399a26aff8c3298b716def6e234
- SHA512
  
  db7f06fbd14ce0fdc2ca15caaa7edd90ea62a7bf21fd7bf0cbd2cf5971a09df31a4f01e9c11b6d6a923c5d69c8d2b350fc8842d89147fe85be9ff601ab3ad019
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan