smokeloader | 63fd7eed07b783897ff9b1926eb9924a37a57d4af6803958299d5c303a1d1086 | Triage

Sharing

General

Target

63fd7eed07b783897ff9b1926eb9924a37a57d4af6803958299d5c303a1d1086
Size

351KB
Sample

220128-yv8kkscdbl
MD5

79cd578c6198391d8ce8b1ccc1b301d1
SHA1

adc7a417da2c9c01c4664c1b740c317f16dcef5c
SHA256

63fd7eed07b783897ff9b1926eb9924a37a57d4af6803958299d5c303a1d1086
SHA512

7d497694a48182689c78abdbf8bbc13e1937900a4728ce7c02e06033d3b1923337bec3def940dfc3896746fab59b5b00a6e2e8de0126eff19d490290d3ee31e4

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  63fd7eed07b783897ff9b1926eb9924a37a57d4af6803958299d5c303a1d1086
- Size
  
  351KB
- MD5
  
  79cd578c6198391d8ce8b1ccc1b301d1
- SHA1
  
  adc7a417da2c9c01c4664c1b740c317f16dcef5c
- SHA256
  
  63fd7eed07b783897ff9b1926eb9924a37a57d4af6803958299d5c303a1d1086
- SHA512
  
  7d497694a48182689c78abdbf8bbc13e1937900a4728ce7c02e06033d3b1923337bec3def940dfc3896746fab59b5b00a6e2e8de0126eff19d490290d3ee31e4
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan