General

  • Target

    c03d3f3fac3615256c7c0805743819a2.exe

  • Size

    391KB

  • Sample

    230718-hcx35ahe2w

  • MD5

    c03d3f3fac3615256c7c0805743819a2

  • SHA1

    edb2096b1065550825ace73f5450b2594de35d2b

  • SHA256

    7c9d8f3b2f5bb94e50c4d1aa0e4136851e5671d211584abce1a6879933e916e8

  • SHA512

    93428f35d6b51a5d6aa3a69a278e7f4be02bf28f7da11e1530e12ab105e04000cedcdc6de3808b8c6e54da64925bd99d385f91734998a1ef99c09527192866b0

  • SSDEEP

    6144:CPXoDQpcUz+TfBDma1bMPeakaPMbXtuYv1m6EIzF8FihlIn8HdmD:aWDfhhBXtzv0fA8FiLIIdmD

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://cletonmy.com/
    http://alpatrik.com/

  • rc4.i32

  • rc4.i32

Targets

    • Target

      c03d3f3fac3615256c7c0805743819a2.exe

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4) set, so the new thread generates no debug events.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with ThreadHideFromDebugger (0x11), after which an attached debugger stops receiving events from that thread.

    • Suspicious use of SetThreadContext

      Rewrites a thread's register state, commonly to redirect execution into injected code.
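The extracted config above gives two C2 URLs, and the signature list names three thread-level anti-debug behaviours. The script below, an added example rather than anything produced by the sandbox, turns both into checks and runs them over constructed telemetry: a proxy log in a made-up "timestamp client method URL status" layout and an API-call trace in a made-up "func(arg=value, ...)" layout. The C2 values are copied from this page; the log lines, the trace format and the helper names (c2_hosts, host_matches, c2_hits, antidebug_hits) are assumptions of the example. The Windows constants ThreadHideFromDebugger (0x11) and THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4) are the documented values the two NtXxx signatures refer to.

```python
"""Checks derived from the report's SmokeLoader config and behaviour signatures.
Added example: the log and trace lines below are constructed, not captured."""
import re
from urllib.parse import urlsplit

# C2 URLs copied from the extracted config on this page.
C2_URLS = ["http://cletonmy.com/", "http://alpatrik.com/"]

# Windows constants behind the two hide-from-debugger signatures.
THREAD_HIDE_FROM_DEBUGGER = 0x11              # ThreadInformationClass value
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit


def c2_hosts(urls):
    """Reduce C2 URLs to lowercase hostnames so scheme, path and case are ignored."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def host_matches(host, c2):
    """True for an exact C2 host or a subdomain of one (www.cletonmy.com counts,
    notcletonmy.com does not)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in c2)


# Constructed proxy log (assumed layout): timestamp client method URL status.
PROXY_LOG = """\
2023-07-18T10:01:02Z 10.0.0.5 POST http://cletonmy.com/ 200
2023-07-18T10:01:03Z 10.0.0.5 GET http://www.example.com/index.html 200
2023-07-18T10:01:09Z 10.0.0.7 POST https://ALPATRIK.com/ 503
2023-07-18T10:02:00Z 10.0.0.9 GET http://notcletonmy.com/ 200
"""


def c2_hits(log_text, c2):
    """Return (client, host) for each log line whose URL host is a known C2."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if host and host_matches(host, c2):
            hits.append((parts[1], host.lower()))
    return hits


# Constructed API-call trace (assumed layout): func(arg=value, ...).
API_TRACE = """\
NtSetInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=0x11, Length=0)
NtCreateThreadEx(ProcessHandle=0xffffffff, CreateFlags=0x4, StartRoutine=0x401000)
NtCreateThreadEx(ProcessHandle=0xffffffff, CreateFlags=0x0, StartRoutine=0x402000)
SetThreadContext(hThread=0x1c4, lpContext=0x19f000)
"""

_CALL = re.compile(r"^(\w+)\((.*)\)$")


def parse_call(line):
    """Split 'func(k=v, ...)' into (func, {k: v}); hex and decimal values become ints."""
    m = _CALL.match(line.strip())
    if not m:
        return None
    args = {}
    for kv in m.group(2).split(","):
        key, _, val = kv.strip().partition("=")
        args[key] = int(val, 0) if val[:2].lower() == "0x" or val.isdigit() else val
    return m.group(1), args


def antidebug_hits(trace_text):
    """Flag the three thread-level behaviours named in the report's signatures."""
    hits = []
    for line in trace_text.splitlines():
        parsed = parse_call(line)
        if not parsed:
            continue
        func, args = parsed
        if func == "NtSetInformationThread" and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            hits.append("NtSetInformationThreadHideFromDebugger")
        elif func == "NtCreateThreadEx" and args.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hits.append("NtCreateThreadExHideFromDebugger")
        elif func == "SetThreadContext":
            hits.append("SetThreadContext")
    return hits


if __name__ == "__main__":
    print(c2_hits(PROXY_LOG, c2_hosts(C2_URLS)))
    print(antidebug_hits(API_TRACE))
```

The subdomain rule in host_matches is deliberate: C2 operators rotate hostnames under a domain they control, so matching only the exact host from the report would miss the next beacon. The NtCreateThreadEx check tests the flag bit rather than equality because the hide-from-debugger bit is routinely combined with other CreateFlags.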

MITRE ATT&CK Enterprise v6

Tasks