smokeloader | d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004_x64

Sharing

General

Target

d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1
Size

352KB
Sample

220128-whze2aaae4
MD5

11d9e55a4cc32d18382d0428eb99a651
SHA1

5d8d56e2743332e8184ac8c4724ee166387e1b54
SHA256

d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1
SHA512

abc88024ca89676e8a6de77cd8eb6c4df17f34642b16163ccf814f86c72dbd5ecae6cd062fe180fb3e66227ec82b7ac52ae0fc8457c6c7cba66ee5e3ecc04684

Score

10^/10

smokeloader backdoor persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1.exe

Resource

win10v2004-en-20220112

smokeloader backdoor persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://kotabuki.com/

http://slusextense.com/

http://purekidboo.com/

http://wildzipcode.biz/

rc4.i32

rc4.i32

Targets

- Target
  
  d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1
- Size
  
  352KB
- MD5
  
  11d9e55a4cc32d18382d0428eb99a651
- SHA1
  
  5d8d56e2743332e8184ac8c4724ee166387e1b54
- SHA256
  
  d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1
- SHA512
  
  abc88024ca89676e8a6de77cd8eb6c4df17f34642b16163ccf814f86c72dbd5ecae6cd062fe180fb3e66227ec82b7ac52ae0fc8457c6c7cba66ee5e3ecc04684
Score

10^/10

smokeloader backdoor persistence trojan
- Modifies WinLogon for persistence
  persistence
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan

© 2018-2024

Terms | Privacy