General

  • Target

    1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131

  • Size

    700KB

  • Sample

    240503-18wjaaaf93

  • MD5

    b738131a6a14ac7019a8704718cdbaed

  • SHA1

    86f3a2f6115bbadfef82238fe425426bc634d0e1

  • SHA256

    1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131

  • SHA512

    87cedf06c6ecae24cc74924efd489eaa9e94413af54e605cda9f7601e03fa65fcfbd93f9a6ae77684903db2e5056884f145f960d6590f0b6ea15923cacab43d5

  • SSDEEP

    12288:1Mwh9coeIVMKnKUwR2s8pw8OOHdTfuAhCBstRLQ+b3qNppZK6dZCetm8i:1Mwh9FNKPn8pw4LuA++QeIjZMX

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32 (two RC4 key entries in the extracted config; the key bytes themselves are not reproduced on this page)

Extracted

Family

smokeloader

Botnet

pub3
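The extracted config above is the actionable part of this report: the five C2 gate URLs all share the SmokeLoader `/tmp/index.php` path, and the hashes identify the dropper itself. The following is an added example (not part of the sandbox report or of any Triage tooling) showing how a practitioner would turn those indicators into a matcher: it checks a file hash against the reported digests and scans proxy log lines for requests to the C2 gates, distinguishing an exact gate hit from a bare-host hit that only warrants review. The log format (timestamp, client, method, URL) and the log lines themselves are constructed for the demonstration; the hashes and URLs are the ones listed in the report.

```python
"""IOC matcher built from the indicators listed in this SmokeLoader report.

Added example, not part of the sandbox report. The log lines at the bottom
are constructed for the demonstration; the hashes and C2 URLs are copied
from the report's General and Malware Config sections.
"""
import re
from urllib.parse import urlparse

# Digests of the sample as reported, lower-cased for comparison.
SAMPLE_HASHES = {
    "md5": "b738131a6a14ac7019a8704718cdbaed",
    "sha1": "86f3a2f6115bbadfef82238fe425426bc634d0e1",
    "sha256": "1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131",
    "sha512": "87cedf06c6ecae24cc74924efd489eaa9e94413af54e605cda9f7601e03fa65f"
              "cfbd93f9a6ae77684903db2e5056884f145f960d6590f0b6ea15923cacab43d5",
}

# C2 gate URLs from the extracted SmokeLoader config.
C2_URLS = [
    "http://cellc.org/tmp/index.php",
    "http://h-c-v.ru/tmp/index.php",
    "http://icebrasilpr.com/tmp/index.php",
    "http://piratia-life.ru/tmp/index.php",
    "http://piratia.su/tmp/index.php",
]

# Split each gate into (host, path) so we can match the exact gate or just the host.
C2_GATES = {(urlparse(u).hostname, urlparse(u).path) for u in C2_URLS}
C2_HOSTS = {host for host, _ in C2_GATES}


def match_hash(hexdigest):
    """Return the algorithm name if hexdigest equals one of the sample's digests, else None."""
    h = hexdigest.strip().lower()
    for algo, value in SAMPLE_HASHES.items():
        if h == value:
            return algo
    return None


# Constructed log format (assumption): "<timestamp> <client-ip> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def classify_request(url):
    """Classify a requested URL against the C2 indicators.

    'c2_gate': host and path both match an extracted C2 URL (high confidence beacon)
    'c2_host': host matches but the path differs; the host may also serve legitimate
               content, so this is an analyst-review signal rather than an automatic block
    None     : no match (the /tmp/index.php path alone is not an indicator)
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in C2_GATES:
        return "c2_gate"
    if host in C2_HOSTS:
        return "c2_host"
    return None


def scan_log(lines):
    """Return (client, url, verdict) for every parseable log line that touches a C2 indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than aborting the scan
        verdict = classify_request(m.group("url"))
        if verdict:
            hits.append((m.group("client"), m.group("url"), verdict))
    return hits


# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    "2024-05-03T10:01:12Z 10.0.0.15 POST http://piratia.su/tmp/index.php",
    "2024-05-03T10:01:13Z 10.0.0.15 GET http://cellc.org/",
    "2024-05-03T10:02:00Z 10.0.0.22 GET http://example.com/tmp/index.php",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("hash check:", match_hash("B738131A6A14AC7019A8704718CDBAED"))
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:8} {client} -> {url}")
```

Matching on host plus path rather than on the path alone matters here: `/tmp/index.php` is common enough on benign sites that it would flood a detection with false positives, while the exact gate URL from the extracted config is a strong indicator. Hash matching is exact, so it only catches this build of the dropper; the SSDEEP value in the report is what you would use for near-match triage of repacked variants.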

Targets

    • Target

      1bde783efbb5f9dcc60adf9ffa5852906d5211a4d8e644bd31e5fe27e0844131


    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess (a process created with an explicit, different parent; parent PID spoofing)

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext (rewriting another thread's context, typical of process hollowing or thread hijacking)

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • System Information Discovery: T1082 (x2)

  • Query Registry: T1012 (x2)

  • Peripheral Device Discovery: T1120 (x1)

  • Process Discovery: T1057 (x1)

  • Remote System Discovery: T1018 (x1)

Tasks