General
-
Target
572831b4dcb5d526f669bbb81f011b1b0abd5e5f3d44642c34d5c3d60f8119b5
-
Size
279KB
-
Sample
240501-25gfmahg8s
-
MD5
6cf5467cb6baf7f36a68b8d201472437
-
SHA1
dcc57b51295957ac135c0bc7617865eb32c81650
-
SHA256
572831b4dcb5d526f669bbb81f011b1b0abd5e5f3d44642c34d5c3d60f8119b5
-
SHA512
8cc7cd2335c20a816120e4c67d1846de517d4ea5e995096722481d3906bc0ab31b7f61d536f7690b79ef8f799fe97ada1dbdefc883f1873b03f2c1944ffa5b28
-
SSDEEP
3072:XYqW1BHlxlpbbOujI+R+gT0AA5qpH6BaSeNS3EzlohwdO8YfNn4kYpuNb9AhLgVQ:XYqC9AkIFgTwKFEE5o7NnBBqk
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Targets
-
-
Target
572831b4dcb5d526f669bbb81f011b1b0abd5e5f3d44642c34d5c3d60f8119b5
-
Size
279KB
-
MD5
6cf5467cb6baf7f36a68b8d201472437
-
SHA1
dcc57b51295957ac135c0bc7617865eb32c81650
-
SHA256
572831b4dcb5d526f669bbb81f011b1b0abd5e5f3d44642c34d5c3d60f8119b5
-
SHA512
8cc7cd2335c20a816120e4c67d1846de517d4ea5e995096722481d3906bc0ab31b7f61d536f7690b79ef8f799fe97ada1dbdefc883f1873b03f2c1944ffa5b28
-
SSDEEP
3072:XYqW1BHlxlpbbOujI+R+gT0AA5qpH6BaSeNS3EzlohwdO8YfNn4kYpuNb9AhLgVQ:XYqC9AkIFgTwKFEE5o7NnBBqk
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Deletes itself
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1