General

  • Target

    393a6fc616adbefad87e8946be9e4cce127749fde58b892e26c7c24b703efae1

  • Size

    138KB

  • Sample

    220625-n9h85aeaa4

  • MD5

    673817bbb2672a7c4cfc1118aae648c0

  • SHA1

    89ded1a96fb527828affcec59df70313ea45419e

  • SHA256

    393a6fc616adbefad87e8946be9e4cce127749fde58b892e26c7c24b703efae1

  • SHA512

    8fcd0fc02f32c6e308bf493f77f6b8f75d92b1ef97f9b41fefc814a8686638c32deed4adae795df82557a950ff5152c924037d1b63f6220843c280b1ac49ec9a

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://nhocbo.bit/

http://nhocbo.ru/

rc4.i32
rc4.i32

Targets

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery (technique ID, number of matching signatures)

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 2

Tasks