smokeloader | c19e87f1f2214126a5e01ae7f2f31ca6226d16707cb921197673a92ddf96d1d6 | Triage

Sharing

General

Target

c19e87f1f2214126a5e01ae7f2f31ca6226d16707cb921197673a92ddf96d1d6
Size

352KB
Sample

220128-y8qxpadbf8
MD5

e9b243b105c652443948ee240319f5ae
SHA1

9d4183ebec205e6f346465957887e3e96302d345
SHA256

c19e87f1f2214126a5e01ae7f2f31ca6226d16707cb921197673a92ddf96d1d6
SHA512

9bbce0c0dbe0e178ed0d46ec35d2b76d57fd601fd4dc4618ccb84e3d4d7b2d3b03b52f945edcecd8f26d5e920e8e8560d2394bb04fec6566b81d4c432d2f7749

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  c19e87f1f2214126a5e01ae7f2f31ca6226d16707cb921197673a92ddf96d1d6
- Size
  
  352KB
- MD5
  
  e9b243b105c652443948ee240319f5ae
- SHA1
  
  9d4183ebec205e6f346465957887e3e96302d345
- SHA256
  
  c19e87f1f2214126a5e01ae7f2f31ca6226d16707cb921197673a92ddf96d1d6
- SHA512
  
  9bbce0c0dbe0e178ed0d46ec35d2b76d57fd601fd4dc4618ccb84e3d4d7b2d3b03b52f945edcecd8f26d5e920e8e8560d2394bb04fec6566b81d4c432d2f7749
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan