General

  • Target

    e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

  • Size

    281KB

  • Sample

    230619-nn8lwsef5s

  • MD5

    9769c181ecef69544bbb2f974b8c0e10

  • SHA1

    5d0f447f4ccc89d7d79c0565372195240cdfa25f

  • SHA256

    e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

  • SHA512

    b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a

  • SSDEEP

    3072:Z5SXIMALRKEttgCWAbi1D1fJmxIV0BN3omE9MA5yXsztcJe9:GIMpEtCCWAbiBRmE9o6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://serverlogs37.xyz/statweb255/

http://servblog757.xyz/statweb255/

http://dexblog45.xyz/statweb255/

http://admlogs.online/statweb255/

http://blogstat355.xyz/statweb255/

http://blogstatserv25.xyz/statweb255/

rc4.i32
rc4.i32

Targets

    • Target

      e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

    • Size

      281KB

    • MD5

      9769c181ecef69544bbb2f974b8c0e10

    • SHA1

      5d0f447f4ccc89d7d79c0565372195240cdfa25f

    • SHA256

      e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

    • SHA512

      b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a

    • SSDEEP

      3072:Z5SXIMALRKEttgCWAbi1D1fJmxIV0BN3omE9MA5yXsztcJe9:GIMpEtCCWAbiBRmE9o6

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (136) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks