smokeloader | 5e005ae3ad498f03e3b291b80d0755505381bd7751d1261b04d9b874cd5400d3 | Triage

Submit
Reports

Overview

overview

Static

static

3

a95bc0eeb6...3b.exe

windows7-x64

a95bc0eeb6...3b.exe

windows10-2004-x64

Sharing

General

Target

5e005ae3ad498f03e3b291b80d0755505381bd7751d1261b04d9b874cd5400d3
Size

150KB
Sample

240417-rsq47add51
MD5

bb6fcf4f1199e7968e99f567187882ce
SHA1

350d339b5cea5c16e62c149b27a358ceed8ef9e7
SHA256

5e005ae3ad498f03e3b291b80d0755505381bd7751d1261b04d9b874cd5400d3
SHA512

b1bb752a9571b9af45ec3766f62d7e59a29bfcb17a85cc62b60aca4cdc9a1d2ca5513fb9338278c4e208300ac83abfb636023f6217d3c46527f2d81b57e823a4
SSDEEP

3072:c0v3xyTwmcYIUsZwtyEUy7GO9oCh1/dIo5B6by11si0IISBHO/mg5cvzk:zv3xyTfcYIvZIyEUyaO9NDeyUkHGFCzk

Score

10^/10

smokeloader pub1 backdoor persistence trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a95bc0eeb6c005214eed09c7a26a9b148bea237838cc3544ea2070076b8e893b.exe

Resource

win7-20240221-en

smokeloader pub1 backdoor persistence trojan vmprotect

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

a95bc0eeb6c005214eed09c7a26a9b148bea237838cc3544ea2070076b8e893b.exe

Resource

win10v2004-20240412-en

smokeloader pub1 backdoor trojan

windows10-2004-x64

3 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

rc4.i32

Targets

- Target
  
  a95bc0eeb6c005214eed09c7a26a9b148bea237838cc3544ea2070076b8e893b.exe
- Size
  
  233KB
- MD5
  
  36c3af072c2fcd97d5815cf8dd15027f
- SHA1
  
  36e732bc75dbb1d262c163c9b9561ac42fb0c430
- SHA256
  
  a95bc0eeb6c005214eed09c7a26a9b148bea237838cc3544ea2070076b8e893b
- SHA512
  
  16a6d4c39b79e9e8ffc35b5562837141ecf8c05059b626aa8d6e56e295fbcaf6c5f7d2cc4b210b2524c98c64207295b4ad3be9b56fada32a745c6e05ab55733d
- SSDEEP
  
  3072:QOwPX0z03zFWn4ZYBmb6H4IU0htFBDDwyIK0Y1aP8AXMsS518anEQwug3JB:E9FW4yH3UGtvUjq7q
Score

10^/10

smokeloader pub1 backdoor persistence trojan vmprotect
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

smokeloaderpub1backdoorpersistencetrojanvmprotect

behavioral2

smokeloaderpub1backdoortrojan

© 2018-2024

Terms | Privacy