General

  • Target

    e433ff5b48bf60a0380c22d86c850df53ff68afe67e9555b8ef312dd8825c167

  • Size

    270KB

  • Sample

    230925-fsmwzsdg98

  • MD5

    f33c27d87bb2612b6ec76909fbc76f0d

  • SHA1

    1fdf7ac30756b17f72d0d07419f7c91a8c5eb2b0

  • SHA256

    e433ff5b48bf60a0380c22d86c850df53ff68afe67e9555b8ef312dd8825c167

  • SHA512

    5a0e69399dc159475d9381a2815aedae91d9ac83a75d712070841c53a5d7fde1075950ff98d7c513a0d98eeef94a951596533ebcb098d73fa9afd12151f5b148

  • SSDEEP

    6144:SR1hrJ+j+5j68KsT6h/OCy5U9uAOpAtjZRZwh1qw6:SRrN+j+5+RsqGGu4ttMyw6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Targets

    • Target

      e433ff5b48bf60a0380c22d86c850df53ff68afe67e9555b8ef312dd8825c167

    • Detected google phishing page

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks