smokeloader | dfa1030b49da1997953542e47d394a5e3327ce225bc779a20a93f3f1ea7502f4 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

NEAS.dfa10...JC.exe

windows7-x64

NEAS.dfa10...JC.exe

windows10-2004-x64

Sharing

General

Target

NEAS.dfa1030b49da1997953542e47d394a5e3327ce225bc779a20a93f3f1ea7502f4_JC.exe
Size

363KB
Sample

231006-tlq7qaec5s
MD5

dccb60fb185d8098f3844b5d5777a045
SHA1

2b8e3b905310d713a443b844e110dbb71359b09c
SHA256

dfa1030b49da1997953542e47d394a5e3327ce225bc779a20a93f3f1ea7502f4
SHA512

edb8ee6fda1764a2958e9b932828e579c2408cdd29919331f461a02107d01be48d3e03f51329410630c614d933302b4df380efe38616cdaa7754cd267d566639
SSDEEP

3072:wwH52YRs4UEbwIeG+p1C3nIsP3ozz6rRZ+pr4/lGW/o2xNbr7ZwVRU/qIUgd1Uvc:tEYC4UmwIeG/I+3Ks/UC7ZwV8Pyo

Score

10^/10

smokeloader 0024 backdoor collection evasion trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

NEAS.dfa1030b49da1997953542e47d394a5e3327ce225bc779a20a93f3f1ea7502f4_JC.exe

Resource

win7-20230831-en

smokeloader 0024 backdoor trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

NEAS.dfa1030b49da1997953542e47d394a5e3327ce225bc779a20a93f3f1ea7502f4_JC.exe

Resource

win10v2004-20230915-en

smokeloader 0024 backdoor collection evasion trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Botnet

0024

Extracted

Family

smokeloader

Version

2022

C2

https://utah-saints.com/search.php

https://atlanta-newspaper.com/search.php

rc4.i32

rc4.i32

Targets

- Target
  
  NEAS.dfa1030b49da1997953542e47d394a5e3327ce225bc779a20a93f3f1ea7502f4_JC.exe
- Size
  
  363KB
- MD5
  
  dccb60fb185d8098f3844b5d5777a045
- SHA1
  
  2b8e3b905310d713a443b844e110dbb71359b09c
- SHA256
  
  dfa1030b49da1997953542e47d394a5e3327ce225bc779a20a93f3f1ea7502f4
- SHA512
  
  edb8ee6fda1764a2958e9b932828e579c2408cdd29919331f461a02107d01be48d3e03f51329410630c614d933302b4df380efe38616cdaa7754cd267d566639
- SSDEEP
  
  3072:wwH52YRs4UEbwIeG+p1C3nIsP3ozz6rRZ+pr4/lGW/o2xNbr7ZwVRU/qIUgd1Uvc:tEYC4UmwIeG/I+3Ks/UC7ZwV8Pyo
Score

10^/10

smokeloader 0024 backdoor trojan collection evasion
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloader0024backdoortrojan

behavioral2

smokeloader0024backdoorcollectionevasiontrojan

© 2018-2025

Terms | Privacy