General

  • Target

    debeea64857d020a5626850ad7f0b850b08dda331336e5e79004ec1d0fcc3a60

  • Size

    1.1MB

  • Sample

    240411-2m1rjsff36

  • MD5

    43c498cf3e4f835f38cec7a475bc5e2c

  • SHA1

    a810481973afefc920845d7f937b51201a09c58b

  • SHA256

    debeea64857d020a5626850ad7f0b850b08dda331336e5e79004ec1d0fcc3a60

  • SHA512

    cc7300050dfa3613aba9e74ed6373018a1011d3f8bf5ee65e9152b13ac2e9b7f577c56490b8c58f5506dcf11e025ae3695a639e3abeec3829033f21925e644f2

  • SSDEEP

    12288:EqMVbxllIU0til6szxaeaQlqPFXA4yKRahvbAi+a7B0nC7elWSohmL/fRzrM2u8U:EFlpmNQlULyKRahvbAiv9JzmLhzrnq7

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sunvi.org/tmp/index.php

http://zarya-amura.ru/tmp/index.php

http://akros.in.net/tmp/index.php

rc4.i32
rc4.i32

Targets

    • Target

      debeea64857d020a5626850ad7f0b850b08dda331336e5e79004ec1d0fcc3a60

    • Size

      1.1MB

    • MD5

      43c498cf3e4f835f38cec7a475bc5e2c

    • SHA1

      a810481973afefc920845d7f937b51201a09c58b

    • SHA256

      debeea64857d020a5626850ad7f0b850b08dda331336e5e79004ec1d0fcc3a60

    • SHA512

      cc7300050dfa3613aba9e74ed6373018a1011d3f8bf5ee65e9152b13ac2e9b7f577c56490b8c58f5506dcf11e025ae3695a639e3abeec3829033f21925e644f2

    • SSDEEP

      12288:EqMVbxllIU0til6szxaeaQlqPFXA4yKRahvbAi+a7B0nC7elWSohmL/fRzrM2u8U:EFlpmNQlULyKRahvbAiv9JzmLhzrnq7

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks