General

  • Target

    2a25eeef861d5abb4b2aa7084f80b8aa27ef1d3b999e25f49b315a4031ba6b90

  • Size

    270KB

  • Sample

    230925-cjra9sbd8x

  • MD5

    f3c025e5194d46ae3abf16ff4df06ba1

  • SHA1

    12629837e1407291b2071661a3ab2aadf70eb70f

  • SHA256

    2a25eeef861d5abb4b2aa7084f80b8aa27ef1d3b999e25f49b315a4031ba6b90

  • SHA512

    b1d7fba6577ed62e76d7301f850724c33f130cd982c9046b67f5e83a21b029849ae0786123ac2211b565a867832299c4639db8077e08afaf84ee58469e3662c9

  • SSDEEP

    6144:LRihrJ+j+5j68KsT6h/OCy5U9uAOSAoa68gqw6:LRMN+j+5+RsqGGuFocw6

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://77.91.68.29/fks/

  • rc4.i32

  • rc4.i32

Targets

    • Detected google phishing page

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks