General

  • Target

    b7779eb7756debf18a7d37bb2a04cbac8420167ea8f746774835e73fa4458703

  • Size

    399KB

  • Sample

    230717-gxm8zsae52

  • MD5

    bf116d38feeab4b00d4b8703776ffdf3

  • SHA1

    175a33faf58fa9d8af84da39527357363ee42de4

  • SHA256

    b7779eb7756debf18a7d37bb2a04cbac8420167ea8f746774835e73fa4458703

  • SHA512

    24590155f0aa2b7276d3779940dc1d2656b7f180187b15c55e864a90ef667bff8d12af74bd5823207857f09066fcd093c5994f31359d8625c5feb47c7204a955

  • SSDEEP

    6144:fPXoDQpcUz+TfBDma1bjx2aQRWHBMaMD4V4JQpW9Dhnn9tDbrqDC/Y2AFz/VsLaH:DWDfh2WHaD4eQp2lnvf4CQAL

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cletonmy.com/

http://alpatrik.com/

rc4.i32
rc4.i32

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks