General

  • Target

    tmp

  • Size

    277KB

  • Sample

    230712-dm3zxabf94

  • MD5

    9d341b792c8d1b0bafbbe84fcc1c818b

  • SHA1

    adac991b02c3d81e3db35031d421f341a5cc48ac

  • SHA256

    f1f34fb945e11816aa831608948a74516f936d8cbfb74b2c0fbd05837bd3d96f

  • SHA512

    a0895ea92465204efca2399047c32b6894cc4cc8c1c5d44571677506bc70007b22b0804af5f552cc8d928df0568e6b1910382f3c23d3252ffa6258339b4cf036

  • SSDEEP

    6144:CR+xXj/CUco+DBNFQ/hrunNmfxh6hF8RWCqv7v//Hid59U0LmWgf1wtJVY9i8P:2c/CUZ+BWhKef6/8RWNv7vnQLZgSrUl

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cletonmy.com/

http://alpatrik.com/

rc4.i32
rc4.i32

Targets

    • Target

      tmp

    • Size

      277KB

    • MD5

      9d341b792c8d1b0bafbbe84fcc1c818b

    • SHA1

      adac991b02c3d81e3db35031d421f341a5cc48ac

    • SHA256

      f1f34fb945e11816aa831608948a74516f936d8cbfb74b2c0fbd05837bd3d96f

    • SHA512

      a0895ea92465204efca2399047c32b6894cc4cc8c1c5d44571677506bc70007b22b0804af5f552cc8d928df0568e6b1910382f3c23d3252ffa6258339b4cf036

    • SSDEEP

      6144:CR+xXj/CUco+DBNFQ/hrunNmfxh6hF8RWCqv7v//Hid59U0LmWgf1wtJVY9i8P:2c/CUZ+BWhKef6/8RWNv7vnQLZgSrUl

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks