smokeloader | 85660f53b413aec419d226daa868ec603bc048db1b11c8524f22d7eac6dd16dc | Triage

Submit
Reports

Overview

overview

Static

static

1

38787f7e57...48.exe

windows7-x64

38787f7e57...48.exe

windows10-2004-x64

Sharing

General

Target

652685c8ba9a7aa68011ae58ef4ba00c.bin
Size

164KB
Sample

230328-by1yksgc72
MD5

3ab1c9cd8aa613d7dbd5e0f67aaadfb3
SHA1

ee56b389ad0cd270d29fd684355f8a898c3bb60c
SHA256

85660f53b413aec419d226daa868ec603bc048db1b11c8524f22d7eac6dd16dc
SHA512

f5517d40ce66cf13bff910ba483e70810158a73aa383b83636cb12fbf7df4d38a7592810ccf77797bb97e3cfe5fbc7230809ae075f91c493dfa2f45104960372
SSDEEP

3072:ftroxkKD54J1tR0MV63+k0IddMUam2K3t/XwaN5CQB0HF4scE9SvMjG:ft8T5e0HJdMNmt/XxzCZivMjG

Score

10^/10

smokeloader pub4 backdoor collection discovery persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe

Resource

win7-20230220-en

smokeloader pub4 backdoor trojan

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe

Resource

win10v2004-20230221-en

smokeloader pub4 backdoor collection discovery persistence spyware stealer trojan

windows10-2004-x64

30 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

rc4.i32

Targets

- Target
  
  38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48.exe
- Size
  
  274KB
- MD5
  
  652685c8ba9a7aa68011ae58ef4ba00c
- SHA1
  
  6dcfbd4f8cea0f732038bb36d12e42875d974a65
- SHA256
  
  38787f7e57bc6977e4c2ba92d208d29777dabafd4558a13070dd422449aa1c48
- SHA512
  
  35a357269fc185b2905dd589768f6284692c737bd0e912436f9aef05d105aa4fd8ea60adf97caff4a1834896603891027ac4d026567540911874895e593e1b4d
- SSDEEP
  
  3072:e3zrCktY3urayKuR1ukF4bZjcQsjS+tFDg9zV8/Og3lSgwae/CpL//c5pNN4TJY:8AOahuRKl+txgBV4OgNJnpL/mNN4T
Score

10^/10

smokeloader pub4 backdoor trojan collection discovery persistence spyware stealer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderpub4backdoortrojan

behavioral2

smokeloaderpub4backdoorcollectiondiscoverypersistencespywarestealertrojan

© 2018-2024

Terms | Privacy