General

  • Target: e6516d2911fc3378903b396b1b3ec97ddd497a1e8b974b531b1f140a485d39ca
  • Size: 114KB
  • Sample: 240423-gywlraea97
  • MD5: 0636fd9e7c9ef4c50d4c18127c848161
  • SHA1: cd62c961e6a537cbbe25922b5c2494da45083848
  • SHA256: e6516d2911fc3378903b396b1b3ec97ddd497a1e8b974b531b1f140a485d39ca
  • SHA512: b38779e6045cfd732a9d4d9f2413a105c396f37d8a6e0dfa01fdbcc01c99c886fbc6ae6e0879d5a6fbfb279376abdfc6373c67457ed6fd46621b5e7ddac5e0ff
  • SSDEEP: 3072:UNzPHk9Mpct45TTqKR4hsEaiLez7TXHVh:UhREKu04wZrVh

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2017
  • C2: http://hellobro.bit/

Targets

    • Target: e6516d2911fc3378903b396b1b3ec97ddd497a1e8b974b531b1f140a485d39ca
    • Size: 114KB
    • MD5: 0636fd9e7c9ef4c50d4c18127c848161
    • SHA1: cd62c961e6a537cbbe25922b5c2494da45083848
    • SHA256: e6516d2911fc3378903b396b1b3ec97ddd497a1e8b974b531b1f140a485d39ca
    • SHA512: b38779e6045cfd732a9d4d9f2413a105c396f37d8a6e0dfa01fdbcc01c99c886fbc6ae6e0879d5a6fbfb279376abdfc6373c67457ed6fd46621b5e7ddac5e0ff
    • SSDEEP: 3072:UNzPHk9Mpct45TTqKR4hsEaiLez7TXHVh:UhREKu04wZrVh

    • SmokeLoader: Modular backdoor trojan in use since 2014.
    • Adds policy Run key to start application
    • Deletes itself
    • Loads dropped DLL
    • Unexpected DNS network traffic destination: Network traffic to servers other than the configured DNS servers was detected on the DNS port.
    • Maps connected drives based on registry: Disk information is often read in order to detect sandbox environments.
    • Suspicious use of SetThreadContext

    • Target: $PLUGINSDIR/StartMenu.dll
    • Size: 7KB
    • MD5: a09bcf528d02f89f9befa78937ca7d7b
    • SHA1: 3cbcb0fdc32a8f21d6d557cc4c3bb6c4ee246b6f
    • SHA256: 5a31abf36c0ed5e74295b7d7db5a2b09d8aa308483612b7b0bc04771000ac8ad
    • SHA512: ad4bbc478c028d4b8b890ea60a26ecae1c0dfacad872d150bfb1c334d7f52f2963123c45cef4ee0d773d9b3e143dde2c3d8da92ea9f703e44c5ee873a873b95c
    • SSDEEP: 96:QgiqVPb3X8K8Kdr3gEq6nNdMk6Qiw290+q6LDtJ1tT3hhEl7y:QgiqVPgK8K9eIdE9B/tThg7
    • Score: 3/10

    • Target: $PLUGINSDIR/System.dll
    • Size: 11KB
    • MD5: 55a26d7800446f1373056064c64c3ce8
    • SHA1: 80256857e9a0a9c8897923b717f3435295a76002
    • SHA256: 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
    • SHA512: 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b
    • SSDEEP: 192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
    • Score: 3/10

    • Target: $PLUGINSDIR/nsDialogs.dll
    • Size: 9KB
    • MD5: ee449b0adce56fbfa433b0239f3f81be
    • SHA1: ec1e4f9815ea592a3f19b1fe473329b8ddfa201c
    • SHA256: c1cc3aa4326e83a73a778dee0cf9afcc03a6bafb0a32cea791a27eb9c2288985
    • SHA512: 22fb25bc7628946213e6e970a865d3fbd50d12ce559c37d6848a82c28fa6be09fedffc3b87d5aea8dcfe8dfc4e0f129d9f02e32dae764b8e6a08332b42386686
    • SSDEEP: 96:oCqZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4iqndYHnxss:oCq+CP3uKrpyREs06Yx+dGn
    • Score: 3/10

    • Target: uninstall.exe
    • Size: 57KB
    • MD5: 3dd164e1390999df68f79ddb0fb77818
    • SHA1: bd0fb9fff84ca0c89726d6669c32b46482911705
    • SHA256: c7358c274c33377a6aaeab76b13e5eec4f9af598875a59c07951b5ec0bf09e86
    • SHA512: 3ffdcfa36bc7f4ef6b028be2942340e3c25e3cf9d5d82953479cc27303ad7ea522a950a10210afe0776a8f12cc459c49fa30607c914b137a38a216dbd50bd28b
    • SSDEEP: 1536:UU+dcy3fxBk9UmZHs/hcnBgdLeAyNxHQDqAzk:UNzPHk9MpcBceA5DNzk
    • Score: 7/10
    • Executes dropped EXE
    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence: Boot or Logon Autostart Execution, T1547 (1); Registry Run Keys / Startup Folder, T1547.001 (1)
  • Privilege Escalation: Boot or Logon Autostart Execution, T1547 (1); Registry Run Keys / Startup Folder, T1547.001 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: Query Registry, T1012 (1); Peripheral Device Discovery, T1120 (1); System Information Discovery, T1082 (3)
