smokeloader | 381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37 | Triage

Sharing

General

Target

381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37
Size

176KB
Sample

220625-zypsbacbam
MD5

436189fbd2fa4bac4e15fb3c20a9594d
SHA1

fde79f57d1f23603dd5dbba1c8736919d182dae7
SHA256

381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37
SHA512

91e106d1b3311daca2b16d152f326e489e39adbdc877c25da41c3904183e9631fce88d736d8ea51f9a083438e2ed3ee8c9d4d46d149dbd50f66c8a7dc7638cee

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://mailcdn-office365.io/

http://update-vmware-service.com/

http://rocket365.to/

rc4.i32

rc4.i32

Targets

- Target
  
  381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37
- Size
  
  176KB
- MD5
  
  436189fbd2fa4bac4e15fb3c20a9594d
- SHA1
  
  fde79f57d1f23603dd5dbba1c8736919d182dae7
- SHA256
  
  381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37
- SHA512
  
  91e106d1b3311daca2b16d152f326e489e39adbdc877c25da41c3904183e9631fce88d736d8ea51f9a083438e2ed3ee8c9d4d46d149dbd50f66c8a7dc7638cee
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

smokeloaderbackdoortrojan