General

  • Target

    8eda65a82fe9ba5cbb26a4c2d51d19f7f03860c4707a189c3af513390b3ec49b

  • Size

    153KB

  • Sample

    240417-qmqe2aag6w

  • MD5

    378af187a9155eddc4e0eefc4d46e2e9

  • SHA1

    654ebefa72d5be08f2549b93949bbbc78499907e

  • SHA256

    8eda65a82fe9ba5cbb26a4c2d51d19f7f03860c4707a189c3af513390b3ec49b

  • SHA512

    99cf8eed7ee69239ce817f59ad19ebb62b54e009267c4d4edeee3ef9eb41a94a45b99c4cad1b559b12bf6a8c320e14b409c5c2313bfb5bb9ac9d61659fd979aa

  • SSDEEP

    3072:8q3sium89YF0/2m4+ANM5X2cRUC+vlSQGWD0rNJ0G8z0xHXN2XXiAVc3:8q3sz9YF0ZHA61FU1ld1qNJp80pMCAVa

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    pub1

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://trad-einmyus.com/index.php

    http://tradein-myus.com/index.php

    http://trade-inmyus.com/index.php

  • rc4.i32

  • rc4.i32

Targets

    • Target

      8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe

    • Size

      259KB

    • MD5

      117a962cde2568514649b76a004190f1

    • SHA1

      e92ab6267e005eb78bac3c13b9de881b726bc7f2

    • SHA256

      8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0

    • SHA512

      a2eb2cd551bea8eead2cc7cf17dd91849395c475f329e9bd47ff4ebab8aff0c9a1e33921e4fc6af9ca762b6c80c48056b8991f8813b7e19a7eca4dfb0914041d

    • SSDEEP

      3072:15QiI6J/iVo/QgheGRdWfPy0R9gSMGFwLh4+giekZXfSg55xGT+yx:1gVo/Qgp+lR9g+OhlRR9qwxGT

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Deletes itself

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks