General

  • Target

    smok.zip

  • Size

    422KB

  • Sample

    230310-egaxlsdc8v

  • MD5

    47e298ab27ad5dc35c7548f6f294c28a

  • SHA1

    c11299bd7bf1dbe805d4070a132e8f53e7a89005

  • SHA256

    3f428f05c1b7bb9e2d893d7c196eefec5e6cff1d1c1b761fea5ccec17e1bab3c

  • SHA512

    ad799b5f85819d4251d3338c2269e2ff11ddd671ba0dc423eca25b7d2a90f8bd8447c581e1461b13fcfc541ac4010e32e3aca27a4b3992d8369747531c34491d

  • SSDEEP

    12288:jAqQSqmB/gK1lKdImts8Q7jNzCdrFXv7XZ1m1tUzVgM8:EUhgK1QdImtBAZzCdZ/91mf8gp

Malware Config

Extracted

Family

smokeloader

Botnet

2023

Extracted

Family

smokeloader

Version

2022

C2

http://c3g6gx853u6j.xyz/

http://04yh16065cdi.xyz/

http://33qd2w560vnx.xyz/

http://neriir0f76gr.com/

http://b4y08hrp3jdb.com/

http://swp6fbywla09.com/

http://7iqt53dr345u.com/

http://mj4aj8r55mho.com/

http://ne4ym7bjn1ts.com/

http://perficut.at/tmp/

http://rutobacco.ru/tmp/

http://aingular.com/tmp /

http://piratia-life.ru/tmp/

rc4.i32

Extracted

Family

redline

Botnet

02-700-2

C2

167.235.133.96:43849

Attributes
  • auth_value

    8af50b3310e79fa317eef66b1e92900f

Extracted

Family

redline

Botnet

2

C2

51.81.126.50:19836

Attributes
  • auth_value

    7be92ecdf2c2f5400aa90f72d61cb2a4

Extracted

Family

amadey

Version

3.65

C2

hellomr.observer/7gjD0Vs3d/index.php

researchersgokick.rocks/7gjD0Vs3d/index.php

pleasetake.pictures/7gjD0Vs3d/index.php

Extracted

Family

smokeloader

Botnet

pub1

Targets

    • Target

      smokeloader/9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.bin

    • Size

      243KB

    • MD5

      15ec74f8e94f99a442a7ccc8f0b41f5f

    • SHA1

      f988f2599784949d4155cf8d701cd8346f31cdcf

    • SHA256

      9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d

    • SHA512

      489324532a2dca2bbaef5d8431b204679da19283b887c1e813c44761a3c43fb603286b90ad3f4d7ea0379bb0f35fc341ec9e7f8edb6a88653e25bbd57fc06dbd

    • SSDEEP

      3072:IWMqMlmjLAFDQRCf32/DGqpamtKjdWbMBtF9hEKq3Slwlhio:xMSLlRCfq3amoYbMzuKqilwO

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Detect rhadamanthys stealer shellcode

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      smokeloader/a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.bin

    • Size

      194KB

    • MD5

      de2cc5ab0c1b901b1d57a0e10c0185be

    • SHA1

      f7d3144acc8e7473b8fb0c93cdc69632ea2de3ac

    • SHA256

      a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4

    • SHA512

      492fea5d91d8121432779fb4e01c6a5371b9fbe6675ecc9a32e416c583107e60ea160eeaa010cc83e7ace640ed7e31172ab1f4a3217526412cc9810960510be7

    • SSDEEP

      3072:lSbONVWNIbrL8vTk1Wi5XiKR0Cf6MzjN+C1HQJISv5f9juaQE4nL:lSbFcrL8o1fikjNzQJn51juaQE

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Detect rhadamanthys stealer shellcode

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      smokeloader/cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.bin

    • Size

      216KB

    • MD5

      7e9e7194490b4508e85827a6eddbbf50

    • SHA1

      8c39812d7ff46b9d3a8d24e8637df8c173ca27aa

    • SHA256

      cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0

    • SHA512

      2e6da9d8fb9c26b3ed5bb5a528e40a595ed7942372b7a986e1f842faaee54cbcb7017561756ae5abeff337d33cb0ca8940860bab401d6bff47d7afadcb837585

    • SSDEEP

      3072:XqstoULxtY+fpzP9991sxpR8zRVg1miGKRJBwptUhJV6/SaR5:zPLJf5DsSzXg1dJB+tUhJVg/

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1053 Scheduled Task (2)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (2)
    T1053 Scheduled Task (2)

  • Privilege Escalation

    T1053 Scheduled Task (2)

  • Defense Evasion

    T1497 Virtualization/Sandbox Evasion (2)
    T1112 Modify Registry (2)

  • Credential Access

    T1081 Credentials in Files (5)

  • Discovery

    T1012 Query Registry (17)
    T1497 Virtualization/Sandbox Evasion (2)
    T1082 System Information Discovery (13)
    T1120 Peripheral Device Discovery (3)

  • Collection

    T1005 Data from Local System (5)

  • Command and Control

    T1102 Web Service (2)

Tasks