General

  • Target

    a3f12a86956b46caf03b7ab7a7802dc4e6f63d62f2983c9e5fa4b12983525b50

  • Size

    272KB

  • Sample

    230917-hwsbzsah36

  • MD5

    5ee48fa6fdc554fbacbbc9b66da4f2aa

  • SHA1

    006f3580e833bc5e965ddc5cf4593396c96031dc

  • SHA256

    a3f12a86956b46caf03b7ab7a7802dc4e6f63d62f2983c9e5fa4b12983525b50

  • SHA512

    21f184ab5a541611f7342c6823addcd37a28aef72956b87874e3ee1631b9212fe5afac9f2b8d744b6d04170c8381a79d5c0500a31a454f08cdd1469f904e07fe

  • SSDEEP

    3072:AQvRg2YvVcjtvEKny84ccbqvPZg7UCmiMiG6Cb/V0KNMGNDn:dvwvVcjt8KnyXbqvPZg7gIJ8VBL

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub1

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://host-file-host6.com/
    http://host-host-file8.com/

  • rc4.i32

  • rc4.i32

Targets

    • Target

      a3f12a86956b46caf03b7ab7a7802dc4e6f63d62f2983c9e5fa4b12983525b50
    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks