General
-
Target
bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce
-
Size
213KB
-
Sample
240501-3twxlscg96
-
MD5
2c8f5e7a9e670c3850b2de0d2f3758b2
-
SHA1
42409c886411ce73c1d6f07bbae47bf8f2db713c
-
SHA256
bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce
-
SHA512
1237d9fbc5cfd97e2377c56143a100daeeff8e71ffa90c4fa7227eab94b3edf841e8ca8b68a8ed8c18d9cc03457a4c246a98147ab317079650bcf88877211454
-
SSDEEP
3072:WztTEAEwLBu9QeT5Zpsnf26/5WSIKM4XLr2:WztTEAE4u9Qefp426kSIKM2Lr
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Targets
-
-
Target
bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce
-
Size
213KB
-
MD5
2c8f5e7a9e670c3850b2de0d2f3758b2
-
SHA1
42409c886411ce73c1d6f07bbae47bf8f2db713c
-
SHA256
bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce
-
SHA512
1237d9fbc5cfd97e2377c56143a100daeeff8e71ffa90c4fa7227eab94b3edf841e8ca8b68a8ed8c18d9cc03457a4c246a98147ab317079650bcf88877211454
-
SSDEEP
3072:WztTEAEwLBu9QeT5Zpsnf26/5WSIKM4XLr2:WztTEAE4u9Qefp426kSIKM2Lr
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Deletes itself
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1