smokeloader | ba157977a0314511d9e5331f56c43a3b6c691f8198cec4fca4164d1e32dc1014 | Triage

Sharing

General

Target

ba157977a0314511d9e5331f56c43a3b6c691f8198cec4fca4164d1e32dc1014
Size

128KB
Sample

240417-sbdcfadb68
MD5

03bf6a4081c94a60a24e6cbdafb3d392
SHA1

3dda80fa09abebd949ee25d3f0fea49c26b6c674
SHA256

ba157977a0314511d9e5331f56c43a3b6c691f8198cec4fca4164d1e32dc1014
SHA512

b35908500b435018d95d7cb7fe2d60d18d86bbdd1a6b6b6237d153efdb9c97fa38608e7ecd3dd4cc3036408cb64fd71b5fefbe8287917ee5caf597fdbe2e41c8
SSDEEP

3072:67LXjO2x1qC5bqLqcdjk6flYrqV/Azqm+pDA3BxgOyfder:6vS2xwOYk6fiWyu/DARXlr

Score

10^/10

smokeloader up3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

rc4.i32

Targets

- Target
  
  1749c2de6125b6a38e42dd557b64b2d07abec025eb50f23743394136f655cf35.exe
- Size
  
  202KB
- MD5
  
  88db6b5d0b618c25d79c4bd58947f751
- SHA1
  
  cebebb5b9c4a919208e19555a5e5f0ac0c3b8c52
- SHA256
  
  1749c2de6125b6a38e42dd557b64b2d07abec025eb50f23743394136f655cf35
- SHA512
  
  93ac48110b6260cc29aa4a6d6d1d4eef41a8e03bb4217539dcb69f360cc877af0d525d394a82639c1678e419cc85ee9b60a8f81d0c725519acf2717276007fbc
- SSDEEP
  
  3072:xARO2LoVS5fgevom6PJiMrt+NqaDXF6KBQ0Q2hTZMgsNKId16zxZRU5JnD:G3LofGMT3KBk2hSfNKny5h
Score

10^/10

smokeloader up3 backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

smokeloaderup3backdoortrojan

behavioral2

smokeloaderup3backdoortrojan