General

  • Target

    ce66da5e996530561316a5dbcac552720f1884f6d4e7d34e314664f16daae823

  • Size

    270KB

  • Sample

    230925-dygaaadc69

  • MD5

    b4eac4df68bbf2d3959610d2642e69ab

  • SHA1

    565e65c6a721d8378d03a42dbcec5ed3bfc3c4ce

  • SHA256

    ce66da5e996530561316a5dbcac552720f1884f6d4e7d34e314664f16daae823

  • SHA512

    05ddb62ee8627d4e5cffef20d0b84f89bb3c9b6d7a3a8a3c064b6a915586d9f43294a453922e23bc2ac19de56340a549ca492f645e8c9487a1f68131a2740113

  • SSDEEP

    6144:MR8cMQ+j+5j68KsT6h/OCy5UKuAOXgk3O8MwK:MRP7+j+5+RsqGhuCk3OXwK

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32
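The extracted config above gives one network IOC (the C2 URL) and the hash block gives file IOCs. The following is an added example, not part of the sandbox report, showing how a responder would turn them into detection logic: it scans proxy log lines for contact with the C2 host, distinguishing the exact beacon path from other traffic to the same address, and checks a candidate file's digests against the listed values. The proxy log format and its lines are constructed for the example; the SmokeLoader beacon being an HTTP POST to the configured path is general knowledge about the family, not something this page states.

```python
import hashlib
import re
from urllib.parse import urlsplit

# IOCs copied from this report's extracted config and hash block.
C2_URL = "http://77.91.68.29/fks/"
SAMPLE_HASHES = {
    "md5": "b4eac4df68bbf2d3959610d2642e69ab",
    "sha1": "565e65c6a721d8378d03a42dbcec5ed3bfc3c4ce",
    "sha256": "ce66da5e996530561316a5dbcac552720f1884f6d4e7d34e314664f16daae823",
    "sha512": "05ddb62ee8627d4e5cffef20d0b84f89bb3c9b6d7a3a8a3c064b6a915586d9f4"
              "3294a453922e23bc2ac19de56340a549ca492f645e8c9487a1f68131a2740113",
}

C2_HOST = urlsplit(C2_URL).hostname   # "77.91.68.29"
C2_PATH = urlsplit(C2_URL).path       # "/fks/"

# Constructed proxy log (not from the page): "timestamp client method url status".
# Lines 2 and 3 hit the exact C2 URL (line 3 carries an explicit :80),
# line 4 only touches the C2 host, line 5 reuses the path on an unrelated host.
PROXY_LOG = """\
2023-09-25T11:02:01Z 10.0.0.15 GET http://example.org/index.html 200
2023-09-25T11:02:07Z 10.0.0.15 POST http://77.91.68.29/fks/ 200
2023-09-25T11:02:09Z 10.0.0.15 POST http://77.91.68.29:80/fks/ 200
2023-09-25T11:03:10Z 10.0.0.22 GET http://77.91.68.29/ 404
2023-09-25T11:03:12Z 10.0.0.22 GET https://10.0.0.1/fks/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url):
    """Return 'c2_url' for the configured beacon path, 'c2_host' for any
    other request to the C2 address, or None. Port suffixes are ignored
    because urlsplit().hostname strips them."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    if parts.path.rstrip("/") == C2_PATH.rstrip("/"):
        return "c2_url"
    return "c2_host"


def scan_proxy_log(text):
    """Parse each log line and collect those that reach the C2 host."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the scan
        verdict = classify_url(m["url"])
        if verdict:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "method": m["method"], "url": m["url"],
                         "verdict": verdict})
    return hits


def verify_sample(data):
    """Compute every listed digest over the bytes and report which match."""
    return {algo: hashlib.new(algo, data).hexdigest() == known
            for algo, known in SAMPLE_HASHES.items()}


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit["verdict"], hit["ts"], hit["client"], hit["method"], hit["url"])
```

A 'c2_url' hit from an internal client is enough on its own to open an incident; a 'c2_host' hit warrants a lower-severity alert and a look at what else that client did around the same time. The hash check is for confirming that a file recovered from a host is this exact sample before assuming the extracted config applies to it.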

Targets

    • Target

      ce66da5e996530561316a5dbcac552720f1884f6d4e7d34e314664f16daae823

    • Size

      270KB

    • MD5

      b4eac4df68bbf2d3959610d2642e69ab

    • SHA1

      565e65c6a721d8378d03a42dbcec5ed3bfc3c4ce

    • SHA256

      ce66da5e996530561316a5dbcac552720f1884f6d4e7d34e314664f16daae823

    • SHA512

      05ddb62ee8627d4e5cffef20d0b84f89bb3c9b6d7a3a8a3c064b6a915586d9f43294a453922e23bc2ac19de56340a549ca492f645e8c9487a1f68131a2740113

    • SSDEEP

      6144:MR8cMQ+j+5j68KsT6h/OCy5UKuAOXgk3O8MwK:MRP7+j+5+RsqGhuCk3OXwK

    • Detected google phishing page

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Suspicious use of SetThreadContext
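The two behavioural signatures above, the registry-based location check and the SetThreadContext call, are both visible in an API trace. The following is an added example, not part of the sandbox report, of a small detector over such a trace: it flags registry reads under Control Panel\International (the key where Windows stores the configured location, value "Nation"), and flags a source process that creates a child with CREATE_SUSPENDED, writes into it, calls SetThreadContext on it and then resumes it, which is the classic process-hollowing sequence that makes SetThreadContext suspicious. The trace format and its lines are constructed for the example; the page itself only names the signatures, so treat the key=value layout and the hollowing heuristic as assumptions.

```python
import re
from collections import defaultdict

# Constructed API trace (not from the page), one call per line as key=value
# pairs with optionally double-quoted values. pid 1234 performs the locale
# lookup and a CREATE_SUSPENDED hollowing sequence; pid 4321 calls
# SetThreadContext on itself, which should not be flagged.
TRACE = r'''
pid=1234 api=RegOpenKeyExW key="HKCU\Control Panel\International\Geo" ret=0
pid=1234 api=RegQueryValueExW key="HKCU\Control Panel\International\Geo" value="Nation" ret=0
pid=1234 api=CreateProcessW image="C:\Windows\explorer.exe" flags=0x4 new_pid=5678 ret=1
pid=1234 api=NtUnmapViewOfSection target_pid=5678 ret=0
pid=1234 api=VirtualAllocEx target_pid=5678 protect=0x40 ret=0x400000
pid=1234 api=WriteProcessMemory target_pid=5678 size=0x3a000 ret=1
pid=1234 api=SetThreadContext target_pid=5678 ret=1
pid=1234 api=ResumeThread target_pid=5678 ret=1
pid=4321 api=GetThreadContext target_pid=4321 ret=1
pid=4321 api=SetThreadContext target_pid=4321 ret=1
'''

PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CREATE_SUSPENDED = 0x4                      # CreateProcess dwCreationFlags bit
GEO_KEY_FRAGMENT = r"control panel\international"
# Order of calls that completes the hollowing pattern; calls in between
# (NtUnmapViewOfSection, VirtualAllocEx) are allowed but not required.
HOLLOW_SEQUENCE = ["CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def parse_trace(text):
    """Turn each trace line into a dict of its key=value fields."""
    calls = []
    for line in text.strip().splitlines():
        rec = {}
        for key, raw in PAIR_RE.findall(line):
            rec[key] = raw[1:-1] if raw.startswith('"') else raw
        if "pid" in rec and "api" in rec:
            calls.append(rec)
    return calls


def geofence_lookups(calls):
    """Registry calls touching the location key (country code lookup)."""
    return [c for c in calls
            if c["api"].startswith("Reg")
            and GEO_KEY_FRAGMENT in c.get("key", "").lower()]


def hollowing_pids(calls):
    """Map each source pid to the child pid it hollowed, if the full
    CREATE_SUSPENDED -> WriteProcessMemory -> SetThreadContext ->
    ResumeThread sequence was observed against that same child."""
    per_pid = defaultdict(list)
    for c in calls:
        per_pid[c["pid"]].append(c)

    found = {}
    for pid, seq in per_pid.items():
        child, stage = None, 0
        for c in seq:
            api = c["api"]
            if stage == 0:
                if (api.startswith(HOLLOW_SEQUENCE[0])
                        and int(c.get("flags", "0"), 16) & CREATE_SUSPENDED):
                    child, stage = c.get("new_pid"), 1
            elif c.get("target_pid") == child and api == HOLLOW_SEQUENCE[stage]:
                stage += 1
                if stage == len(HOLLOW_SEQUENCE):
                    found[pid] = child
                    break
    return found


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    for c in geofence_lookups(calls):
        print("geofence lookup:", c["pid"], c["api"], c.get("value", ""))
    for pid, child in hollowing_pids(calls).items():
        print("process hollowing:", pid, "->", child)
```

Requiring the same child pid across all four stages is what keeps pid 4321's self-directed SetThreadContext out of the result; a looser rule that alerts on any SetThreadContext would fire on debuggers and some legitimate runtimes.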

MITRE ATT&CK Enterprise v15

Tasks