General

  • Target: 1ccf523f1afdbcf943f7a11843de9e29e7edd596ec2db5a0ed375aabd15b5394
  • Size: 270KB
  • Sample: 230925-deb68adb22
  • MD5: c26fce705fa2dde33f804942e4fb7526
  • SHA1: 880f25a77f8fa50858793dc9924bb90fb91d393a
  • SHA256: 1ccf523f1afdbcf943f7a11843de9e29e7edd596ec2db5a0ed375aabd15b5394
  • SHA512: cb2ec751b091101ef11a27dde3aefb3343d622b8a383ec60f6c0fc7e528ec42bc472a4c2e81af445e2b3a498d9196947cbb7b4b714b37c6c8377c15ab09c8584
  • SSDEEP: 6144:BR2hrJ+j+5j68KsT6h/OCy5U9uAOQArrCmcqw6:BRgN+j+5+RsqGGuTrWmdw6

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2: http://77.91.68.29/fks/
  • rc4.i32
  • rc4.i32

Targets

    • Detected google phishing page

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext
