smokeloader | 079b2007bf65f2c3a07237ba106a4214fd00ce494919cf1e158b6ee175d8c951 | Triage

Sharing

General

Target

079b2007bf65f2c3a07237ba106a4214fd00ce494919cf1e158b6ee175d8c951
Size

106KB
Sample

240417-mt5xhsea5t
MD5

dca3e02fbaf99eae209cea5241d17173
SHA1

c2a14cf1e32d7f7e0a05285a755bd429083b6215
SHA256

079b2007bf65f2c3a07237ba106a4214fd00ce494919cf1e158b6ee175d8c951
SHA512

7320542a286c13f332c1bccf914dbbce44ab67fc4383d23eb3001c77ea4323b4748e992193e175aae9d729ff6fbe3f0cf86fbbe6a178cd1634f5b11541d19936
SSDEEP

3072:UTrNqM1yU+7bbmHVn0XmTWbvsy1dWJBj+UQctIyS:GrNP7c/MCXUQEy1wJl+PctI5

Score

10^/10

smokeloader pub1 backdoor persistence trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

rc4.i32

Targets

- Target
  
  c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649.exe
- Size
  
  170KB
- MD5
  
  69d761d941e1a7a4721e267e91167b3a
- SHA1
  
  7e83135738bdd132a8c9da031b4794852cfc9f8b
- SHA256
  
  c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649
- SHA512
  
  4ccfe22c2a726f10e4956383fb12371cc07be797707ac6b5dba1a14a5b798c24503bd4f29302c525240dffd0a3f1d3775ff575a2fddb4443df974d1de5ce1295
- SSDEEP
  
  3072:lLWPQWxrjDjU6G+JLfeEXcUesyx0RcAJ+qVeYg:lLWPvjU6TFhXBes/c
Score

10^/10

smokeloader pub1 backdoor persistence trojan vmprotect
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderpub1backdoorpersistencetrojanvmprotect

behavioral2

smokeloaderpub1backdoortrojan