smokeloader | 04ad6dff980adf0c8eb6570408f677448fb43b65ae7bcbed830e155301201187 | Triage

Sharing

General

Target

04ad6dff980adf0c8eb6570408f677448fb43b65ae7bcbed830e155301201187
Size

318KB
Sample

220129-avbzlshcbr
MD5

e7d223d7731460991bf73b725e8c9a25
SHA1

75ef13930b7560ed6f852f5fc498692506d71756
SHA256

04ad6dff980adf0c8eb6570408f677448fb43b65ae7bcbed830e155301201187
SHA512

e2f7ed696c408eebdb9204408df3657c809dbad15ebf1ebef6782fd67115196f070b9a64144e671e0b57a4b3596065f680ebda96b61f24d82a8d4b033fa7d297

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

rc4.i32

Targets

- Target
  
  04ad6dff980adf0c8eb6570408f677448fb43b65ae7bcbed830e155301201187
- Size
  
  318KB
- MD5
  
  e7d223d7731460991bf73b725e8c9a25
- SHA1
  
  75ef13930b7560ed6f852f5fc498692506d71756
- SHA256
  
  04ad6dff980adf0c8eb6570408f677448fb43b65ae7bcbed830e155301201187
- SHA512
  
  e2f7ed696c408eebdb9204408df3657c809dbad15ebf1ebef6782fd67115196f070b9a64144e671e0b57a4b3596065f680ebda96b61f24d82a8d4b033fa7d297
Score

10^/10

smokeloader backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoorpersistencetrojan