smokeloader | fake_pe_with_shellcode | Triage

Sharing

Copy URL Twitter E-mail

General

Target

fake_pe_with_shellcode
Size

1.9MB
MD5

4727c2d2ab272af5fa728ed0154d783c
SHA1

d9524b8fc29b68a942c88feff1674d54c4214a32
SHA256

1b7636f82b64d7692edfa051db3c4ae88900188fb57c1685f467e6eab06b6374
SHA512

027887d8937c819e69ce1973560dbb5de31cf824ff5d7205035dea47e16dfb43efd464be298218689bfdba8a5b848f420584c916ac860e9d60a5650933738946
SSDEEP

24576:RQvvS3pUjWGLBOTtB6kQqBmIv4cvu32MyT5Wua16VXy09Q2MP9c:RQvv9WGLBy+lIvbu32MyToutyoQ1c

Score

10^/10

smokeloader

Malware Config

Extracted

Family

smokeloader

Version

2022

rc4.i32

rc4.i32

Signatures

Smokeloader family
smokeloader

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fake_pe_with_shellcode

Files

fake_pe_with_shellcode
.exe windows x86

7bacf09401a48d4044c9fd6da22d7c17

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

A_SHAFinal
vsprintf

kernel32

BaseThreadInitThunk
EnumCalendarInfoA
EncodePointer

Sections

.text
Size: 555KB - Virtual size: 554KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 155KB - Virtual size: 154KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

ooooo
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE