Overview

overview

10

Static

static

440ff7b2ca...8c.exe

windows7_x64

10

440ff7b2ca...8c.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    440ff7b2ca1bca39ce17946fb76b1402036a1e1c3295229eccca429eccdaf28c

  • Size

    176KB

  • Sample

    220707-zqyp9abfcr

  • MD5

    944e5bdbdc8ebeca7ae267a0b873fcaa

  • SHA1

    f398dc78fbb9759ac920fde54b04b8871e496dfe

  • SHA256

    440ff7b2ca1bca39ce17946fb76b1402036a1e1c3295229eccca429eccdaf28c

  • SHA512

    ca9b220eb6917d12b61eb32b9a09670142b64800d79afa22770062d8f76be18db106fc8f9bf25c06738b699061e61ac3de566b564a94f631d8482f5479633977

Score
10/10
smokeloaderbackdoorpersistencesuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2017

C2

http://bbank.bit/

http://abank.bit/

Targets

    • Target

      440ff7b2ca1bca39ce17946fb76b1402036a1e1c3295229eccca429eccdaf28c

    • Size

      176KB

    • MD5

      944e5bdbdc8ebeca7ae267a0b873fcaa

    • SHA1

      f398dc78fbb9759ac920fde54b04b8871e496dfe

    • SHA256

      440ff7b2ca1bca39ce17946fb76b1402036a1e1c3295229eccca429eccdaf28c

    • SHA512

      ca9b220eb6917d12b61eb32b9a09670142b64800d79afa22770062d8f76be18db106fc8f9bf25c06738b699061e61ac3de566b564a94f631d8482f5479633977

    Score
    10/10
    smokeloaderbackdoortrojanpersistencesuricata

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • suricata: ET MALWARE Sharik/Smoke Loader Java Connectivity Check

      suricata: ET MALWARE Sharik/Smoke Loader Java Connectivity Check

      suricata

    • suricata: ET MALWARE Sharik/Smoke Loader Microsoft Connectivity Check

      suricata: ET MALWARE Sharik/Smoke Loader Microsoft Connectivity Check

      suricata

    • Adds policy Run key to start application

      persistence

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks