smokeloader | 41f61d01e0004a9edf542d9c11fe66fdaf986968a2f977dc4eefc3906d9020a9 | Triage

Sharing

General

Target

41f61d01e0004a9edf542d9c11fe66fdaf986968a2f977dc4eefc3906d9020a9
Size

168KB
Sample

220708-el8dnsgfbk
MD5

b5312071e20af1b570ffa57464f422ab
SHA1

d6d152d270366382dcfe4eeb362a64567f4f55ea
SHA256

41f61d01e0004a9edf542d9c11fe66fdaf986968a2f977dc4eefc3906d9020a9
SHA512

aa512f4ffed9c1e4feb3b59af0aaa18f4884aaf35fb34a0fb8ccc2c45feebaa1be6cbdfcaba4f7023dce26012d8432bb6f9dfb26678d706ed43509e1e14c0c37

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://mailcdn-office365.io/

http://update-vmware-service.com/

http://rocket365.to/

rc4.i32

rc4.i32

Targets

- Target
  
  41f61d01e0004a9edf542d9c11fe66fdaf986968a2f977dc4eefc3906d9020a9
- Size
  
  168KB
- MD5
  
  b5312071e20af1b570ffa57464f422ab
- SHA1
  
  d6d152d270366382dcfe4eeb362a64567f4f55ea
- SHA256
  
  41f61d01e0004a9edf542d9c11fe66fdaf986968a2f977dc4eefc3906d9020a9
- SHA512
  
  aa512f4ffed9c1e4feb3b59af0aaa18f4884aaf35fb34a0fb8ccc2c45feebaa1be6cbdfcaba4f7023dce26012d8432bb6f9dfb26678d706ed43509e1e14c0c37
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

smokeloaderbackdoortrojan