smokeloader | 878f2e91c03e56ba9719c1c7848ec02bcb27b0da5cb0259f8b05ecd20d7142ae | Triage

Sharing

General

Target

NEAS.878f2e91c03e56ba9719c1c7848ec02bcb27b0da5cb0259f8b05ecd20d7142ae_JC.exe
Size

286KB
Sample

231008-s29hkadg41
MD5

b9ea009ab46c07ed971498d131b67233
SHA1

89a93ee4351aa170b00af86fc0ae718f0135bad9
SHA256

878f2e91c03e56ba9719c1c7848ec02bcb27b0da5cb0259f8b05ecd20d7142ae
SHA512

78f80535f4666b96f6f9cfb9879a618f5fd7ef61a8724d169fd924367c00b0287541d039f8437e6107db88d01ed4f613087e352e4e5e854179fdc83681badd8d
SSDEEP

3072:2aSr5W1ev1Weqgob3IQgl1X6M1xOyy6vQbCQq97kIi4Z:FSrAYWtVb3Q1XPvy6vQbvqdri

Score

10^/10

smokeloader up3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

rc4.i32

Targets

- Target
  
  NEAS.878f2e91c03e56ba9719c1c7848ec02bcb27b0da5cb0259f8b05ecd20d7142ae_JC.exe
- Size
  
  286KB
- MD5
  
  b9ea009ab46c07ed971498d131b67233
- SHA1
  
  89a93ee4351aa170b00af86fc0ae718f0135bad9
- SHA256
  
  878f2e91c03e56ba9719c1c7848ec02bcb27b0da5cb0259f8b05ecd20d7142ae
- SHA512
  
  78f80535f4666b96f6f9cfb9879a618f5fd7ef61a8724d169fd924367c00b0287541d039f8437e6107db88d01ed4f613087e352e4e5e854179fdc83681badd8d
- SSDEEP
  
  3072:2aSr5W1ev1Weqgob3IQgl1X6M1xOyy6vQbCQq97kIi4Z:FSrAYWtVb3Q1XPvy6vQbvqdri
Score

10^/10

smokeloader up3 backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderup3backdoortrojan

behavioral2

smokeloaderup3backdoortrojan