smokeloader | 83236868049cc27a74a54ef2300893c81bd360fe97f17b9b442ff8f641ae4749 | Triage

Sharing

General

Target

83236868049cc27a74a54ef2300893c81bd360fe97f17b9b442ff8f641ae4749
Size

259KB
Sample

231122-a9f7waac4x
MD5

546697c3749efd2b5ba241724a22480e
SHA1

86b9659d59cc7fa90eda170a87cb0002d5c31161
SHA256

83236868049cc27a74a54ef2300893c81bd360fe97f17b9b442ff8f641ae4749
SHA512

09b7d3c3f6fc3a862b388e7553019e058982f9fcbfc3813bd4213235997ed7919af135813520b4c08d88fb80f375dcf146b5fdbc4fec26c5d21796ad5719a922
SSDEEP

3072:JiqEK1HRFasHhmVzwuOXG0rqnx81+AXo9q/Et+UHlmmgSP/SDP6cPB:4wZzaShc/OXfWxjo/8+UHF3Z

Score

10^/10

smokeloader up4 backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up4

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-file0.com/

http://file-file-file1.com/

rc4.i32

rc4.i32

Targets

- Target
  
  83236868049cc27a74a54ef2300893c81bd360fe97f17b9b442ff8f641ae4749
- Size
  
  259KB
- MD5
  
  546697c3749efd2b5ba241724a22480e
- SHA1
  
  86b9659d59cc7fa90eda170a87cb0002d5c31161
- SHA256
  
  83236868049cc27a74a54ef2300893c81bd360fe97f17b9b442ff8f641ae4749
- SHA512
  
  09b7d3c3f6fc3a862b388e7553019e058982f9fcbfc3813bd4213235997ed7919af135813520b4c08d88fb80f375dcf146b5fdbc4fec26c5d21796ad5719a922
- SSDEEP
  
  3072:JiqEK1HRFasHhmVzwuOXG0rqnx81+AXo9q/Et+UHlmmgSP/SDP6cPB:4wZzaShc/OXfWxjo/8+UHF3Z
Score

10^/10

smokeloader up4 backdoor persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderup4backdoorpersistencetrojan