smokeloader | 179d7cf2c6e16d7247aa3e2dc54c7c3cb4e2c04eeef43ec26d181b476a582333 | Triage

Sharing

General

Target

179d7cf2c6e16d7247aa3e2dc54c7c3cb4e2c04eeef43ec26d181b476a582333
Size

191KB
Sample

220608-y5t5yabgc9
MD5

98e4e3abda01fbfa7580166b057f8854
SHA1

a3b2f315b2c9ad0f73e21fa07f63d2ca6431362f
SHA256

179d7cf2c6e16d7247aa3e2dc54c7c3cb4e2c04eeef43ec26d181b476a582333
SHA512

53438154c43b0f00c0e1270220b24be41c38a55e05f56a3109b9c0e32a540a7e6f295d568975802222ffe74a947cba1dc198515bd5b95721b74afcce0d4dc373

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://mailcdn-office365.io/

http://update-vmware-service.com/

http://rocket365.to/

rc4.i32

rc4.i32

Targets

- Target
  
  179d7cf2c6e16d7247aa3e2dc54c7c3cb4e2c04eeef43ec26d181b476a582333
- Size
  
  191KB
- MD5
  
  98e4e3abda01fbfa7580166b057f8854
- SHA1
  
  a3b2f315b2c9ad0f73e21fa07f63d2ca6431362f
- SHA256
  
  179d7cf2c6e16d7247aa3e2dc54c7c3cb4e2c04eeef43ec26d181b476a582333
- SHA512
  
  53438154c43b0f00c0e1270220b24be41c38a55e05f56a3109b9c0e32a540a7e6f295d568975802222ffe74a947cba1dc198515bd5b95721b74afcce0d4dc373
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

smokeloaderbackdoortrojan