smokeloader | 9c6c6d5dd31a89f884c98268c23de580bd4fa0311b05ef502ea74827afcc42a5 | Triage

Sharing

General

Target

9c6c6d5dd31a89f884c98268c23de580bd4fa0311b05ef502ea74827afcc42a5
Size

353KB
Sample

220128-t1kngsghd6
MD5

2b96c5bde8c917215c08d2ba95079509
SHA1

34492b4f0cf93d3e7d8cfc02daf973f06dfaaeda
SHA256

9c6c6d5dd31a89f884c98268c23de580bd4fa0311b05ef502ea74827afcc42a5
SHA512

d5aa900d1befd7e93a2747bdfd263a7e03c57e9f101f1f7e39015892053f8a5a572d1899c8b8007c1ed3c0a0760a6e6bbb8914db9cda711d4558a9511a27e614

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  9c6c6d5dd31a89f884c98268c23de580bd4fa0311b05ef502ea74827afcc42a5
- Size
  
  353KB
- MD5
  
  2b96c5bde8c917215c08d2ba95079509
- SHA1
  
  34492b4f0cf93d3e7d8cfc02daf973f06dfaaeda
- SHA256
  
  9c6c6d5dd31a89f884c98268c23de580bd4fa0311b05ef502ea74827afcc42a5
- SHA512
  
  d5aa900d1befd7e93a2747bdfd263a7e03c57e9f101f1f7e39015892053f8a5a572d1899c8b8007c1ed3c0a0760a6e6bbb8914db9cda711d4558a9511a27e614
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan