General

  • Target

    565e9c1e5bc0639b4ca4cd733e7443ff8965950d7e378fddece097e8cfeb68dd

  • Size

    270KB

  • Sample

    230925-feqqqadg34

  • MD5

    67fd2c8410763edad62b8c673de461d1

  • SHA1

    f8eaf5ff5abe611a5e512e52bc663d9445b6a9e0

  • SHA256

    565e9c1e5bc0639b4ca4cd733e7443ff8965950d7e378fddece097e8cfeb68dd

  • SHA512

    8fc74e78f2bb1a113aaa60769379b255df6e6b756444e5e92f647f87101c4da64942e3d03138559a18f762884bb3a23e6c4619906198058470f4f09487628274

  • SSDEEP

    6144:UREhrJ+j+5j68KsT6h/OCy5U9uAOTAPrxrmgMAoqw6:URqN+j+5+RsqGGuW9rQQw6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Targets

    • Detected google phishing page

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks