smokeloader | 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4 | Triage

Submit
Reports

Overview

overview

Static

static

1

39db8f99f4...e4.exe

windows7_x64

39db8f99f4...e4.exe

windows10-2004_x64

Sharing

General

Target

39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4
Size

2.4MB
Sample

220625-jqlspaebd4
MD5

3d7c637e0e04b7f9e10414c227a2f102
SHA1

08e66ae0af9b16775fe9b614e2ed864934b74b2b
SHA256

39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4
SHA512

6e74ddf4e7e16e00bc8e60bf09ebbd9a0d29475c2cf20dafd8c7d5a82b1b3cb0083667a8b0de015f0eb88e8a46fced28856a315a7053a725b4dea9b528665373

Score

10^/10

smokeloader xmrig backdoor miner trojan vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe

Resource

win7-20220414-en

smokeloader xmrig backdoor miner trojan vmprotect

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe

Resource

win10v2004-20220414-en

smokeloader xmrig backdoor miner trojan vmprotect

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://converadm.bit/

rc4.i32

rc4.i32

Targets

- Target
  
  39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4
- Size
  
  2.4MB
- MD5
  
  3d7c637e0e04b7f9e10414c227a2f102
- SHA1
  
  08e66ae0af9b16775fe9b614e2ed864934b74b2b
- SHA256
  
  39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4
- SHA512
  
  6e74ddf4e7e16e00bc8e60bf09ebbd9a0d29475c2cf20dafd8c7d5a82b1b3cb0083667a8b0de015f0eb88e8a46fced28856a315a7053a725b4dea9b528665373
Score

10^/10

smokeloader xmrig backdoor miner trojan vmprotect
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderxmrigbackdoorminertrojanvmprotect

behavioral2

smokeloaderxmrigbackdoorminertrojanvmprotect

© 2018-2024

Terms | Privacy