General

  • Target

    0219fce90ce1b20813ffe345fe235f40ab3b227a94e0e69c04e486c85868a3c3

  • Size

    270KB

  • Sample

    230925-hd7c7acg6z

  • MD5

    0bdc447c0cfeb2c7acd18eddebe41636

  • SHA1

    c853c981b5ba9b79fb29849b358f0fce2eb04e98

  • SHA256

    0219fce90ce1b20813ffe345fe235f40ab3b227a94e0e69c04e486c85868a3c3

  • SHA512

    212bb458170046a5a2825170fbdabebbfbd8c96b90ad498704b068f0dcef88931fd6957c4f67ca0c4e1f874a4b4b65212caca8ee689f94e0afdd85044935c9cd

  • SSDEEP

    6144:HRIhrJ+j+5j68KsT6h/OCy5U9uAOqA4z7qw6:HRuN+j+5+RsqGGuxwGw6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Targets

    • Detected google phishing page

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
