General

  • Target

    025a443a77681f6f0573ef8abf6b3d1996f4a4ff9d5873287758d3bc804f1bcf

  • Size

    162KB

  • Sample

    240417-r4zkpscf74

  • MD5

    e4ebfb2bb5982466acdad60270039eb5

  • SHA1

    ecf7e1295951c8df816d6cae33d72f6b714a8191

  • SHA256

    025a443a77681f6f0573ef8abf6b3d1996f4a4ff9d5873287758d3bc804f1bcf

  • SHA512

    2f059691889a9da1930f78b094b16da4366bf3845190a05fc450ca6ff470da81a74b06e7e6349c865bbb8c101708e080332989737e9e610ce088dd64006db6da

  • SSDEEP

    3072:oVjBlPoZdfyqFm3BWgasKS60scMcOnxHIdfWlvtTXcdvmVxUKFkRGGStYqS2:orlyltsKSIFnLRX99oBCvS2

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Targets

    • Target

      c1a94b4836ce341261dafddcdd0b7f2fb0d8974418cfe37bfe4edac452966dcf.exe

    • Size

      272KB

    • MD5

      1b34541fb0dc55293424cd982f09cb30

    • SHA1

      6e27e8c899d92da67fdb5b6f07b3d3ef54dcf62b

    • SHA256

      c1a94b4836ce341261dafddcdd0b7f2fb0d8974418cfe37bfe4edac452966dcf

    • SHA512

      ca39dbca5ae9771feba001fc6aecb8dfd32e4c78be53c14af092b49e7277d8575833fa65ff5f7b06809f1733215892c1506dcbd968376f97ea18f0d5313d10d8

    • SSDEEP

      3072:qSSVrZvALNCLjw5s0CUoMhvd+Kq7pFxoV07PD9z5OEeU2K6gvX:qSwvALNCLvMdAFFeV0yYB

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Deletes itself

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Command and Control

  • Web Service (T1102): 1

Tasks