smokeloader | 2456b26f6388c60b0a71d1859e497970e6df6eb69e91a07106755ee0b1359cfa | Triage

Sharing

Copy URL Twitter E-mail

General

Target

c94dc9c2bcff3a56a2bff590eea3cc4b8dca265bf9a62c3a586c20601b6ed8f0
Size

131KB
Sample

231212-bwa95scfan
MD5

e6b2e44a6b9dece31e184bb5a8345bac
SHA1

12928e67a4922f3b94ebaa4a62cd6eb4ee633fdf
SHA256

2456b26f6388c60b0a71d1859e497970e6df6eb69e91a07106755ee0b1359cfa
SHA512

e7faef2747633f95e7174bf30f5dea3fba4bcf0bc6ac9d0839331842232b165e6ad501d7e40bc0adec9eea88efaee38afcffa9f5fb7f4b0e7e171bca9b07296c
SSDEEP

3072:BOdoKYqlBkEZFCMFyzpoHf0iFnRX4GDsE7P+eUbVviLb5:BOdoKdlxtFyVoHfJffD4vix

Score

10^/10

smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

rc4.i32

Targets

- Target
  
  c94dc9c2bcff3a56a2bff590eea3cc4b8dca265bf9a62c3a586c20601b6ed8f0
- Size
  
  206KB
- MD5
  
  8c1ab7b76a63c7e42a5c71117cf5279c
- SHA1
  
  6798daea8e0c7e914e470fbbde5446656dd179f9
- SHA256
  
  c94dc9c2bcff3a56a2bff590eea3cc4b8dca265bf9a62c3a586c20601b6ed8f0
- SHA512
  
  e90bfde6b955b28b478c2757606d39932417c47194fac7a8ec3e73e6a592b1a7d7e4dc6c40c92f939350e7626e4a20ecfa7283b63db59e9fdb6bf08b7f6d1dee
- SSDEEP
  
  3072:EEbx6L3uNUQJa9guOUepD7fxRhRoHf0iFnRX4nTo5f5hTY:Px6LeN1EMN3oHfJfYiT
Score

10^/10

smokeloader pub1 backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderpub1backdoortrojan

behavioral2

smokeloaderpub1backdoortrojan