General

  • Target: 32307017.xls
  • Size: 1.4MB
  • Sample: 230717-glv5fsad95
  • MD5: ab03f70b31107892e798091706ca4f4f
  • SHA1: 6975a37ca9a7e5ed68111457e0633992bac30a53
  • SHA256: 27bd31839d54056c7868df571290b527d4940f209b66b3bb0a2cfb31f454c7d2
  • SHA512: e2b9d7e74fc7c58ea6e59f67f8e4589c7201705bf04a5ea53a0fc60afba7b8e205b1cd4048205f5e65e7f822558b1c56c5cef6cd43ea77c80c850e1f8d644656
  • SSDEEP: 24576:wgu9VNZylw6V9OZyOw6VleHBlEzp7uNR0bgcwyA52CcP5YwVux:wguPR6V9YO6V8hOzNgjyPP5Yz

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2: http://cletonmy.com/
  • C2: http://alpatrik.com/

rc4.i32
rc4.i32

Targets

    • Guloader, Cloudeye

      A shellcode based downloader first seen in 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
