General

  • Target: 18628c2d3458d7600cc76a4d3cfbc580f7896bb3cd8aef5b1f1b0752887127d9
  • Size: 270KB
  • Sample: 230925-dratxsdc42
  • MD5: aff69542afafacc0df4a5e7c67bd8995
  • SHA1: 2b1c5a5dd469394105a0c1f2764177548fc11903
  • SHA256: 18628c2d3458d7600cc76a4d3cfbc580f7896bb3cd8aef5b1f1b0752887127d9
  • SHA512: 4e90a6d5ec3259e06c3a7363bd7b2ebeed4c104f4c5bb3d0fee8ff6712b7cf110c72c4cabc2b87727fa7dd64302cf247ec363cfcbdd3c467118c23839dbfb1bb
  • SSDEEP: 6144:hRihrJ+j+5j68KsT6h/OCy5U9uAOAATTPDbF6znqw6:hRMN+j+5+RsqGGuLLbnw6

Malware Config

Extracted

Family: smokeloader
Version: 2022
C2: http://77.91.68.29/fks/
rc4.i32

Targets

    • Target: 18628c2d3458d7600cc76a4d3cfbc580f7896bb3cd8aef5b1f1b0752887127d9
    • Size: 270KB
    • MD5: aff69542afafacc0df4a5e7c67bd8995
    • SHA1: 2b1c5a5dd469394105a0c1f2764177548fc11903
    • SHA256: 18628c2d3458d7600cc76a4d3cfbc580f7896bb3cd8aef5b1f1b0752887127d9
    • SHA512: 4e90a6d5ec3259e06c3a7363bd7b2ebeed4c104f4c5bb3d0fee8ff6712b7cf110c72c4cabc2b87727fa7dd64302cf247ec363cfcbdd3c467118c23839dbfb1bb
    • SSDEEP: 6144:hRihrJ+j+5j68KsT6h/OCy5U9uAOAATTPDbF6znqw6:hRMN+j+5+RsqGGuLLbnw6

    • Detected Google phishing page
    • SmokeLoader: Modular backdoor trojan in use since 2014.
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks