smokeloader | b8f9fe4f2a6afc881cdd986b661c2874f76d8a2b8c34a83b5360da74c5755389 | Triage

Submit
Reports

Overview

overview

Static

static

3

e2ee33a7a4...64.exe

windows7-x64

e2ee33a7a4...64.exe

windows10-2004-x64

Sharing

General

Target

e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964.zip
Size

93KB
Sample

240402-l1yaksdf7x
MD5

15adbd16289d90ba076a50823f8b0938
SHA1

68ebe05198303d590a90050a06d4c0d97eec5350
SHA256

b8f9fe4f2a6afc881cdd986b661c2874f76d8a2b8c34a83b5360da74c5755389
SHA512

20f262e1f3593e9d1c97249da0c67ca9326ebd15b8dd74ceeb81f9ef0d6a0940ca4f9fba6996cfe83e9b7b59b962acf9d99b43b9dbf7518270a321a7393f5e38
SSDEEP

1536:bnUVCH+5xroqe9XNZaatZfOZufMCp4FYCTLvg94d2riYF9dHQnSmXr2aoC:bn2oEloPXNga3O4BIYMM6Yr1fmXr2HC

Score

10^/10

smokeloader stealc zgrat tfd5 backdoor rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964.exe

Resource

win7-20240221-en

smokeloader tfd5 backdoor trojan

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964.exe

Resource

win10v2004-20240226-en

smokeloader stealc zgrat tfd5 backdoor rat spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Botnet

tfd5

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

rc4.i32

Extracted

Family

stealc

C2

http://94.156.8.97

Attributes

url_path
/990ecb7630625681.php

Targets

- Target
  
  e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964.exe
- Size
  
  161KB
- MD5
  
  6d06917a4f1ce19595f45d652cc3f5f1
- SHA1
  
  f12921fead53f540793ae3ceec9ddd9d2cbf576b
- SHA256
  
  e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964
- SHA512
  
  ea79f414aadc75c78e0de7956909ccc5a95b350aeb72846c6df6869a0249ed763f839b56ebc86f8087b56dbe3ef5943a45e8e37e273319816f1f6ca3611fba31
- SSDEEP
  
  3072:diZUCzlE+mKEYsBqbVj0Mx96KuuW58v7gyCXLO2Vf:d6UCz3SWVP96KM5CIO2F
Score

10^/10

smokeloader tfd5 backdoor trojan stealc zgrat rat spyware stealer
- Detect ZGRat V1
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

smokeloadertfd5backdoortrojan

behavioral2

smokeloaderstealczgrattfd5backdoorratspywarestealertrojan

© 2018-2024

Terms | Privacy