General

  • Target

    f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed

  • Size

    270KB

  • Sample

    230925-haa6ksec36

  • MD5

    fa4a866b8887e82a5f0add46bd86df80

  • SHA1

    f820209cbd21ec679da29cb2ff2c47607b12aff9

  • SHA256

    f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed

  • SHA512

    fed02605d7dd3ec7f1dbcc6989ee27afffafe2fc3a6d583f8dce4ff7035767ee08f08030b2c8f51630ef3c4b83248e17adc0112aef65738fec3e979bd598601f

  • SSDEEP

    6144:9RGcMQ+j+5j68KsT6h/OCy5UKuAOkgx6DU6w4LmwK:9RN7+j+5+RsqGhubbfwK

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32 (RC4 key 1; value not shown on this page)
rc4.i32 (RC4 key 2; value not shown on this page)
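To make the indicators in this report directly usable, the following is an added Python helper, not part of the sandbox output: it recomputes the file hashes listed above and scans proxy-log lines for the extracted C2 host and path. The log line format and the sample log lines are constructed for illustration; the ssdeep comparison is left out because it needs the non-standard ssdeep library.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the report above.
SMOKELOADER_IOCS = {
    "md5": "fa4a866b8887e82a5f0add46bd86df80",
    "sha1": "f820209cbd21ec679da29cb2ff2c47607b12aff9",
    "sha256": "f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed",
    "c2_urls": ["http://77.91.68.29/fks/"],
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256/SHA-512 of a file's bytes, as lowercase hex."""
    return {
        name: hashlib.new(name, data).hexdigest()
        for name in ("md5", "sha1", "sha256", "sha512")
    }


def match_file(data: bytes, iocs: dict = SMOKELOADER_IOCS) -> list:
    """Names of the hash indicators that match the given file bytes."""
    hashes = file_hashes(data)
    return [name for name in ("md5", "sha1", "sha256")
            if name in iocs and hashes[name] == iocs[name].lower()]


# Constructed proxy-log line shape (an assumption, not a real product format):
# "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines, iocs: dict = SMOKELOADER_IOCS) -> list:
    """Flag requests to the C2 host.  A hit is 'url' when host and path both
    match the extracted C2 URL, and 'host' when only the host matches (the
    operator may rotate the path; the IP is the stronger indicator)."""
    c2 = {(urlparse(u).hostname, urlparse(u).path) for u in iocs["c2_urls"]}
    c2_hosts = {host for host, _ in c2}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        p = urlparse(m["url"])
        if p.hostname not in c2_hosts:
            continue
        kind = "url" if (p.hostname, p.path) in c2 else "host"
        hits.append({"src": m["src"], "method": m["method"],
                     "url": m["url"], "match": kind})
    return hits


# Constructed sample log lines (not taken from the report).
SAMPLE_PROXY_LOG = [
    "2023-09-25T10:14:02Z 10.0.0.15 POST http://77.91.68.29/fks/ 200",
    "2023-09-25T10:14:03Z 10.0.0.15 GET http://example.com/index.html 200",
    "2023-09-25T10:15:41Z 10.0.0.22 POST http://77.91.68.29/fks/ 404",
    "2023-09-25T10:16:00Z 10.0.0.22 GET http://77.91.68.29/other/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    # Placeholder bytes, so this prints [] unless fed the real sample.
    print(match_file(b"placeholder bytes, not the real sample"))
```

Hash matching only catches this exact build; the C2 IP is the indicator that survives repacking, so a host-only hit is still worth an alert even when the path differs.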

Targets

    • Target

      f5ae13eddf77bc37fc394c220c26668e6ba19ee424ca9f27683d61028409b1ed

    • Detected Google phishing page

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

      Rewriting the context of a thread in another process is the characteristic step of process hollowing and thread hijacking, where a suspended target is overwritten and then resumed at attacker-controlled code.
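The SetThreadContext signature above is a sequence heuristic, and a simple version of it can be reproduced over a sandbox API trace. The following is an added Python example, not code from the sandbox or from this report; the trace record shape (pid, api, target, flags) and the sample trace are constructed for illustration and are not the behaviour logged for this sample.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit used by CreateProcess*

# API name -> stage of the hollowing sequence it corresponds to.
STAGE_BY_API = {
    "CreateProcessW": "suspended_create",
    "CreateProcessA": "suspended_create",
    "NtUnmapViewOfSection": "unmap",
    "ZwUnmapViewOfSection": "unmap",
    "WriteProcessMemory": "write",
    "NtWriteVirtualMemory": "write",
    "SetThreadContext": "set_context",
    "Wow64SetThreadContext": "set_context",
    "NtSetContextThread": "set_context",
    "ResumeThread": "resume",
    "NtResumeThread": "resume",
}


def detect_hollowing(trace):
    """Return one finding per (caller, target) pair that writes into a
    *remote* process and afterwards rewrites one of its thread contexts.

    Each trace record is a dict: pid (caller), api, target (pid the call
    acts on) and, for CreateProcess*, flags.  This record shape is an
    assumption made for the example."""
    stages = defaultdict(list)  # (caller, target) -> stages in first-seen order
    for ev in trace:
        stage = STAGE_BY_API.get(ev["api"])
        if stage is None:
            continue
        if stage == "suspended_create" and not (ev.get("flags", 0) & CREATE_SUSPENDED):
            continue  # ordinary process creation is not the hollowing prelude
        if ev["target"] == ev["pid"]:
            continue  # self-targeted calls (own threads, own memory) are routine
        key = (ev["pid"], ev["target"])
        if stage not in stages[key]:
            stages[key].append(stage)

    findings = []
    for (caller, target), seen in stages.items():
        # The minimum pattern: remote memory write, then a context rewrite.
        if "write" in seen and "set_context" in seen \
                and seen.index("write") < seen.index("set_context"):
            findings.append({"caller": caller, "target": target,
                             "stages": seen, "score": len(seen)})
    return findings


# Constructed sample trace (not the behaviour recorded for this sample).
SAMPLE_TRACE = [
    # pid 1000 hollows a suspended child, pid 2000: the full five-stage chain
    {"pid": 1000, "api": "CreateProcessW", "target": 2000, "flags": CREATE_SUSPENDED},
    {"pid": 1000, "api": "NtUnmapViewOfSection", "target": 2000},
    {"pid": 1000, "api": "WriteProcessMemory", "target": 2000},
    {"pid": 1000, "api": "WriteProcessMemory", "target": 2000},
    {"pid": 1000, "api": "SetThreadContext", "target": 2000},
    {"pid": 1000, "api": "ResumeThread", "target": 2000},
    # benign: pid 3000 starts a child normally and touches only its own thread
    {"pid": 3000, "api": "CreateProcessW", "target": 3001, "flags": 0},
    {"pid": 3000, "api": "SetThreadContext", "target": 3000},
    # weak: pid 4000 sets a remote context but never wrote remote memory
    {"pid": 4000, "api": "SetThreadContext", "target": 4001},
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f)
```

The score counts how many of the five stages were observed, so a full create-suspended, unmap, write, set-context, resume chain ranks above a bare write-then-set-context pair. Debuggers legitimately perform the same write and context calls on their debuggee, so in production the caller should be checked against an allow-list of known debugger images before alerting.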

MITRE ATT&CK Enterprise v15

Tasks