smokeloader | 572831b4dcb5d526f669bbb81f011b1b0abd5e5f3d44642c34d5c3d60f8119b5 | Triage

Sharing

General

Target

572831b4dcb5d526f669bbb81f011b1b0abd5e5f3d44642c34d5c3d60f8119b5
Size

279KB
Sample

240501-25gfmahg8s
MD5

6cf5467cb6baf7f36a68b8d201472437
SHA1

dcc57b51295957ac135c0bc7617865eb32c81650
SHA256

572831b4dcb5d526f669bbb81f011b1b0abd5e5f3d44642c34d5c3d60f8119b5
SHA512

8cc7cd2335c20a816120e4c67d1846de517d4ea5e995096722481d3906bc0ab31b7f61d536f7690b79ef8f799fe97ada1dbdefc883f1873b03f2c1944ffa5b28
SSDEEP

3072:XYqW1BHlxlpbbOujI+R+gT0AA5qpH6BaSeNS3EzlohwdO8YfNn4kYpuNb9AhLgVQ:XYqC9AkIFgTwKFEE5o7NnBBqk

Score

10^/10

smokeloader pub1 backdoor bootkit persistence trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

rc4.i32

Targets

- Target
  
  572831b4dcb5d526f669bbb81f011b1b0abd5e5f3d44642c34d5c3d60f8119b5
- Size
  
  279KB
- MD5
  
  6cf5467cb6baf7f36a68b8d201472437
- SHA1
  
  dcc57b51295957ac135c0bc7617865eb32c81650
- SHA256
  
  572831b4dcb5d526f669bbb81f011b1b0abd5e5f3d44642c34d5c3d60f8119b5
- SHA512
  
  8cc7cd2335c20a816120e4c67d1846de517d4ea5e995096722481d3906bc0ab31b7f61d536f7690b79ef8f799fe97ada1dbdefc883f1873b03f2c1944ffa5b28
- SSDEEP
  
  3072:XYqW1BHlxlpbbOujI+R+gT0AA5qpH6BaSeNS3EzlohwdO8YfNn4kYpuNb9AhLgVQ:XYqC9AkIFgTwKFEE5o7NnBBqk
Score

10^/10

smokeloader pub1 backdoor bootkit persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderpub1backdoorbootkitpersistencetrojan

behavioral2

smokeloaderpub1backdoortrojan