smokeloader | 271b8b1752d9fc555fb8eb9d72e1f226c13b5fa7a35f256f20fb1ec42477a26d | Triage

Sharing

General

Target

271b8b1752d9fc555fb8eb9d72e1f226c13b5fa7a35f256f20fb1ec42477a26d
Size

147KB
Sample

240417-rtw2tsca43
MD5

d212254c3c14c4a22fd33fab5e0867f1
SHA1

e81d540733fec58a091d91b83e5864f28117eef6
SHA256

271b8b1752d9fc555fb8eb9d72e1f226c13b5fa7a35f256f20fb1ec42477a26d
SHA512

fa769bdb6f694dc884b1ec3fec2b957ecf9e128f870c5d6a61845ec5e33c7dbcc7d425385ed86e69614759030ea23ae32892414cc595e1dba5f47184559aa44d
SSDEEP

3072:FTIl/7VAIUVDfZ6s/0oJAmmUKuRBvDh1ZsbsYgN3yYvnLBf+fTP5PU:FTOyVDfIs/JzmCDjZsbxgN3yYfLcTBU

Score

10^/10

smokeloader pub1 backdoor persistence trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

rc4.i32

Targets

- Target
  
  bdbd0ee82dc7acfb5fafe10561dddd6b6b11c1d55f2f96bc6a1c8eb5dce167e1.exe
- Size
  
  244KB
- MD5
  
  88d758be6f5d43337e22f026abf3170f
- SHA1
  
  35437a2ad650484dde7a6ccf67fd76428ff4ada3
- SHA256
  
  bdbd0ee82dc7acfb5fafe10561dddd6b6b11c1d55f2f96bc6a1c8eb5dce167e1
- SHA512
  
  1bce2be76d97c9fa6d9af0d4b937a302ab61f45dd72d30c64cb6af1d551095ae225133de517fc642864aeaf88d56429ab5242be598c35b3ac63756f9b23aa3ad
- SSDEEP
  
  3072:MwZm1wLxrRmuh2/xEQFz0i1g/ZNF/5kwfM3c16kbPsTdNRunrcSO4Dtl16/AaqP:Fm1w4ZEsg3FhZfMk3rNh
Score

10^/10

smokeloader pub1 backdoor persistence trojan vmprotect
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

smokeloaderpub1backdoorpersistencetrojanvmprotect

behavioral2

smokeloaderpub1backdoortrojan