smokeloader | e6199c29d7656617e794d4ecd836601db0dae5999e9b6fe7eb30a50f76df0d21 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

e6199c29d7656617e794d4ecd836601db0dae5999e9b6fe7eb30a50f76df0d21
Size

256KB
Sample

231107-g1v31acf5x
MD5

432286f1eff5789b5b4b536103f9ed91
SHA1

d4b6787bb8bd39661117c47f0633f4a323f1e231
SHA256

e6199c29d7656617e794d4ecd836601db0dae5999e9b6fe7eb30a50f76df0d21
SHA512

a4f03eacd49f3d8b51010dd729bb0fa655369e6d4a482ae191cb787ff5be59d94602a8ac9740498fcde65ab091e7cd57c36adf553de7604e2f52a43a788d735e
SSDEEP

3072:VPD5k8z/tYY4iVsGECzO86oGtOzeg8rCRCuSKfdK3Pdt1T:BZz/tG6sGJNzk9uSKg37

Score

10^/10

smokeloader up4 backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up4

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-file0.com/

http://file-file-file1.com/

rc4.i32

rc4.i32

Targets

- Target
  
  e6199c29d7656617e794d4ecd836601db0dae5999e9b6fe7eb30a50f76df0d21
- Size
  
  256KB
- MD5
  
  432286f1eff5789b5b4b536103f9ed91
- SHA1
  
  d4b6787bb8bd39661117c47f0633f4a323f1e231
- SHA256
  
  e6199c29d7656617e794d4ecd836601db0dae5999e9b6fe7eb30a50f76df0d21
- SHA512
  
  a4f03eacd49f3d8b51010dd729bb0fa655369e6d4a482ae191cb787ff5be59d94602a8ac9740498fcde65ab091e7cd57c36adf553de7604e2f52a43a788d735e
- SSDEEP
  
  3072:VPD5k8z/tYY4iVsGECzO86oGtOzeg8rCRCuSKfdK3Pdt1T:BZz/tG6sGJNzk9uSKg37
Score

10^/10

smokeloader up4 backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderup4backdoorpersistencetrojan