smokeloader | cecc008c8d7603d9cda6bb9d127da6313a88f5fec9d21f894b167be0b9a9aebe | Triage

Submit
Reports

Overview

overview

Static

static

3

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file
Size

322KB
Sample

231012-chal5abg37
MD5

ce3638ec9647762f1fa7e6b4fc64a889
SHA1

c359b33b8d58b4f9962005a395a6efd218056d83
SHA256

cecc008c8d7603d9cda6bb9d127da6313a88f5fec9d21f894b167be0b9a9aebe
SHA512

5b2e90706a708ac6128248b956da6118ea2bca36dfc8ece8f946858703b3f0836ae1b66c9776ae74b30abc32bfea0b0a7c39ebe4ac7bb7ef21cabbb1fc4ef30e
SSDEEP

3072:ybGxh4qhSEdk38WkgbDLCDbyB5EOSZOvrfX9CcrpaQiu7531pw4XvLcrtxdB:yixh1hRdk3scLCKsBy9CUYPG531pb2

Score

10^/10

smokeloader pub4 backdoor discovery spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230831-en

smokeloader pub4 backdoor discovery spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230915-en

smokeloader pub4 backdoor trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
195.85.115.195
Port:
21
Username:
TEST3
Password:
159753

Extracted

Credentials

Protocol: ftp
Host:
195.85.115.195
Port:
21
Username:
test
Password:
test

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://gudintas.at/tmp/

http://pik96.ru/tmp/

http://rosatiauto.com/tmp/

http://kingpirate.ru/tmp/

rc4.i32

rc4.i32

Targets

- Target
  
  file
- Size
  
  322KB
- MD5
  
  ce3638ec9647762f1fa7e6b4fc64a889
- SHA1
  
  c359b33b8d58b4f9962005a395a6efd218056d83
- SHA256
  
  cecc008c8d7603d9cda6bb9d127da6313a88f5fec9d21f894b167be0b9a9aebe
- SHA512
  
  5b2e90706a708ac6128248b956da6118ea2bca36dfc8ece8f946858703b3f0836ae1b66c9776ae74b30abc32bfea0b0a7c39ebe4ac7bb7ef21cabbb1fc4ef30e
- SSDEEP
  
  3072:ybGxh4qhSEdk38WkgbDLCDbyB5EOSZOvrfX9CcrpaQiu7531pw4XvLcrtxdB:yixh1hRdk3scLCKsBy9CUYPG531pb2
Score

10^/10

smokeloader pub4 backdoor discovery spyware stealer trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderpub4backdoordiscoveryspywarestealertrojan

behavioral2

smokeloaderpub4backdoortrojan

© 2018-2025

Terms | Privacy