General

  • Target

    fd36eff47ab8eefc9645f11b38a2a7c11ce9b36a76fd8f5f3c1aebe4d4c57c6d

  • Size

    270KB

  • Sample

    230925-e266jscb8z

  • MD5

    14903b4a2bf915d7807054a7efdfa39b

  • SHA1

    614733b0ca2635c6bcbaf592b6c917fc0fbc1891

  • SHA256

    fd36eff47ab8eefc9645f11b38a2a7c11ce9b36a76fd8f5f3c1aebe4d4c57c6d

  • SHA512

    77a540df09f952222d18372b7e36de8b77a3b5928b5e9b28326ef8f0024195dd45b4fbca203dba97d3a9e73b1ea338dd9dec25d4ac9cd00a6fc87faccdaf2d46

  • SSDEEP

    6144:tRAcMQ+j+5j68KsT6h/OCy5UKuAOYgea/vIFnTfYwK:tRT7+j+5+RsqGhuH//g5AwK

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32
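
As an added worked example (not part of the sandbox report), the Python below turns the extracted configuration into checks a responder can run: it recomputes the four digests the report lists for a file and requires all of them to agree, and it matches the C2 host and path against proxy log lines. The log format and the log lines themselves are constructed for illustration; the hashes and C2 URL are the report's own values.

```python
import hashlib
from urllib.parse import urlparse

# IOCs copied from the report above.
REPORT_HASHES = {
    "md5": "14903b4a2bf915d7807054a7efdfa39b",
    "sha1": "614733b0ca2635c6bcbaf592b6c917fc0fbc1891",
    "sha256": "fd36eff47ab8eefc9645f11b38a2a7c11ce9b36a76fd8f5f3c1aebe4d4c57c6d",
    "sha512": "77a540df09f952222d18372b7e36de8b77a3b5928b5e9b28326ef8f0024195dd"
              "45b4fbca203dba97d3a9e73b1ea338dd9dec25d4ac9cd00a6fc87faccdaf2d46",
}
C2_URLS = ["http://77.91.68.29/fks/"]


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256/sha512 hex digests of data, one per field in the report."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def hash_file(path: str) -> dict:
    """Same as hash_bytes but streams a file from disk in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_report(digests: dict) -> bool:
    """True only when every listed digest agrees; a single-algorithm match is not enough."""
    return all(digests.get(k) == v for k, v in REPORT_HASHES.items())


def c2_indicators(urls=C2_URLS) -> list:
    """Split each C2 URL into (host, path) so matching ignores scheme and port."""
    return [(urlparse(u).hostname, urlparse(u).path) for u in urls]


# Constructed proxy log lines (hypothetical format: timestamp client method url status).
SAMPLE_LOG = """\
2023-09-25T14:02:11Z 10.0.0.15 POST http://77.91.68.29/fks/ 200
2023-09-25T14:02:13Z 10.0.0.15 GET http://example.com/index.html 200
2023-09-25T14:05:40Z 10.0.0.22 POST http://77.91.68.29:8080/fks/ 404
2023-09-25T14:06:02Z 10.0.0.31 GET http://77.91.68.29/other/ 200
"""


def find_c2_hits(log_text: str, urls=C2_URLS) -> list:
    """Return (line, strength) for log lines whose URL host is a C2 host.

    A host match is always reported: the IP is the indicator that survives a changed
    gate path. "exact" means host and path both match the extracted config.
    """
    indicators = c2_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        parsed = urlparse(fields[3])
        for host, path in indicators:
            if parsed.hostname == host:
                strength = "exact" if parsed.path == path else "host-only"
                hits.append((line, strength))
                break
    return hits


if __name__ == "__main__":
    for line, strength in find_c2_hits(SAMPLE_LOG):
        print(f"[{strength}] {line}")
```

Run `hash_file` on a suspect binary and pass the result to `matches_report` before trusting any single hash from a ticket; the SSDEEP value in the report is not recomputed here because fuzzy hashing needs the separate ssdeep library.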

Targets

    • Target

      fd36eff47ab8eefc9645f11b38a2a7c11ce9b36a76fd8f5f3c1aebe4d4c57c6d

    • Size

      270KB

    • MD5

      14903b4a2bf915d7807054a7efdfa39b

    • SHA1

      614733b0ca2635c6bcbaf592b6c917fc0fbc1891

    • SHA256

      fd36eff47ab8eefc9645f11b38a2a7c11ce9b36a76fd8f5f3c1aebe4d4c57c6d

    • SHA512

      77a540df09f952222d18372b7e36de8b77a3b5928b5e9b28326ef8f0024195dd45b4fbca203dba97d3a9e73b1ea338dd9dec25d4ac9cd00a6fc87faccdaf2d46

    • SSDEEP

      6144:tRAcMQ+j+5j68KsT6h/OCy5UKuAOYgea/vIFnTfYwK:tRT7+j+5+RsqGhuH//g5AwK

    • Detected google phishing page

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the sample does not run in excluded regions.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks