General

  • Target

    4796cf8c6eab52df224915dd04ecda81a30384c53e284e6dae7c55a3cae9f976

  • Size

    270KB

  • Sample

    230925-cybt5ada45

  • MD5

    c5e478eec410f273b71b66891382d22a

  • SHA1

    980bd6d85b793b708da5be58a1c61192200628a1

  • SHA256

    4796cf8c6eab52df224915dd04ecda81a30384c53e284e6dae7c55a3cae9f976

  • SHA512

    9a6aefc655fc4212f145fa3a37fa8f013ff132f263b27bbc4f9a8a10ed504b9ebcb087d88bdc49642fb69cb087787014b8a39a4610508257cc5e049c3f8f9518

  • SSDEEP

    6144:sR/hrJ+j+5j68KsT6h/OCy5U9uAO7APOQO7qw6:sR5N+j+5+RsqGGuChOGw6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32
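The hashes and C2 URL above are the actionable indicators on this page. The following is an added example (not part of the sandbox report or of any vendor tooling) showing how a responder would operationalise them: validate that the copied digests are well-formed before they go into a blocklist, hash a file and compare it against every listed digest, and sweep a proxy log for traffic to the SmokeLoader C2. The log-line format (timestamp, client IP, method, URL, status, bytes) and the log entries themselves are constructed for the example; any real deployment would adapt the column split to its own proxy format.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report above (sample 230925-cybt5ada45).
IOC_HASHES = {
    "md5": "c5e478eec410f273b71b66891382d22a",
    "sha1": "980bd6d85b793b708da5be58a1c61192200628a1",
    "sha256": "4796cf8c6eab52df224915dd04ecda81a30384c53e284e6dae7c55a3cae9f976",
    "sha512": "9a6aefc655fc4212f145fa3a37fa8f013ff132f263b27bbc4f9a8a10ed504b9ebcb087d88bdc49642fb69cb087787014b8a39a4610508257cc5e049c3f8f9518",
}
C2_URLS = ["http://77.91.68.29/fks/"]

# Expected hex-digest lengths; a truncated or mis-pasted IOC silently never matches,
# so check the shape of each indicator before trusting it.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HEX = re.compile(r"^[0-9a-f]+$")


def validate_iocs(hashes=IOC_HASHES):
    """Return the names of hash entries that are not lowercase hex of the right length."""
    return [algo for algo, digest in hashes.items()
            if len(digest) != DIGEST_LEN[algo] or not HEX.match(digest)]


def digest_bytes(data: bytes) -> dict:
    """Compute the same four digests the report lists for a file's contents."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def match_hashes(digests: dict, hashes=IOC_HASHES) -> list:
    """Return the algorithms whose computed digest equals the report's indicator."""
    return sorted(a for a, d in digests.items() if hashes.get(a) == d.lower())


def scan_proxy_log(lines, c2_urls=C2_URLS):
    """Flag log lines whose destination is a C2 host.

    A hit is ("url") when the request path falls under the C2 path, or ("host")
    when only the host matches: SmokeLoader check-ins go to the /fks/ path, but
    other requests to the same IP are still worth a look.
    """
    targets = [(urlsplit(u).hostname, urlsplit(u).path) for u in c2_urls]
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; constructed format is ts client method url status bytes
        client, method, url = parts[1], parts[2], parts[3]
        req = urlsplit(url)
        for host, path in targets:
            if req.hostname != host:
                continue
            level = "url" if req.path.startswith(path) else "host"
            hits.append((client, method, url, level))
            break
    return hits


# Constructed proxy log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2023-09-25T10:14:03Z 10.0.0.12 POST http://77.91.68.29/fks/ 200 412",
    "2023-09-25T10:14:05Z 10.0.0.12 GET http://example.com/index.html 200 5120",
    "2023-09-25T10:16:40Z 10.0.0.31 GET http://77.91.68.29/update.bin 404 0",
    "2023-09-25T10:17:02Z 10.0.0.12 POST http://77.91.68.29/fks/ 200 388",
]

if __name__ == "__main__":
    print("malformed IOCs:", validate_iocs())
    # A constructed benign file: none of its digests match the sample.
    print("benign match:", match_hashes(digest_bytes(b"constructed benign content")))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("C2 hit:", hit)
```

`match_hashes` compares whichever digests you have, so a single SHA256 from an EDR alert is enough; the sample itself is not needed to run the example, which is why the file-hash path is shown on constructed bytes.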

Targets

    • Target

      4796cf8c6eab52df224915dd04ecda81a30384c53e284e6dae7c55a3cae9f976

    • Size

      270KB

    • MD5

      c5e478eec410f273b71b66891382d22a

    • SHA1

      980bd6d85b793b708da5be58a1c61192200628a1

    • SHA256

      4796cf8c6eab52df224915dd04ecda81a30384c53e284e6dae7c55a3cae9f976

    • SHA512

      9a6aefc655fc4212f145fa3a37fa8f013ff132f263b27bbc4f9a8a10ed504b9ebcb087d88bdc49642fb69cb087787014b8a39a4610508257cc5e049c3f8f9518

    • SSDEEP

      6144:sR/hrJ+j+5j68KsT6h/OCy5U9uAO7APOQO7qw6:sR5N+j+5+RsqGGuChOGw6

    • Detected google phishing page

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks