General

  • Target

    5ac311dc851b50ca928ce97e7e8ffc6baaeaaf0274b1e9bc92ef0e98ebe3659e

  • Size

    723KB

  • Sample

    240504-2fb5lsde8t

  • MD5

    9e37e5165f3f418ca29aad898f3471e7

  • SHA1

    e8936b02ac82bf0d0a861ccc2ad291e6fbda7126

  • SHA256

    5ac311dc851b50ca928ce97e7e8ffc6baaeaaf0274b1e9bc92ef0e98ebe3659e

  • SHA512

    5d86b2c47cb2713f5601cc5637ec745127abc682672b1b679471f078250073926cd581f6ca0b2c0b729f6abc7a6f8a8fafdbef6ac8d0ebb45e9571a23ca61989

  • SSDEEP

    12288:qMwr9Chz85CA0vrmgk/2JuksiHMn8AfEaCebzdYvtI8SnChtRVptmtKP7:qMwrCz85+vrm2JPFS8AsNebzdSyLCLpT

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32 (two 32-bit RC4 keys are present in the extracted config; the key values are not rendered on this page)
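The rc4.i32 label above means the config carries an RC4 key that is a 32-bit integer rather than a byte string. The page does not render the key values, so the following added example (not part of the original report or of any SmokeLoader tooling) uses a placeholder key and shows how such a key is applied: the integer is packed to four bytes (little-endian byte order is an assumption here) and fed to a standard RC4 key schedule. It also shows why a 4-byte key matters to an analyst: with a few bytes of known plaintext the whole 2^32 keyspace can be searched offline, which the last function demonstrates over a narrowed range.

```python
"""Apply a 32-bit ('rc4.i32') RC4 key of the kind listed in the extracted config.

Added example; the key value below is a placeholder, not the sample's real key.
"""
import struct
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def i32_key(value: int) -> bytes:
    """Turn an rc4.i32 value into the 4-byte RC4 key.

    Assumption: the integer's little-endian byte order is the key material.
    """
    return struct.pack("<I", value & 0xFFFFFFFF)


# Placeholder only: the report does not show the real rc4.i32 values.
PLACEHOLDER_KEY = 0x11223344


def encrypt(key_value: int, plaintext: bytes) -> bytes:
    return rc4(i32_key(key_value), plaintext)


def decrypt(key_value: int, ciphertext: bytes) -> bytes:
    return rc4(i32_key(key_value), ciphertext)


def recover_key(ciphertext: bytes, known_prefix: bytes,
                start: int = 0, end: int = 1 << 32) -> Optional[int]:
    """Known-plaintext search over the i32 keyspace.

    Only the first len(known_prefix) bytes are decrypted per candidate. The full
    2^32 range is feasible offline (hours in C, longer in Python); callers narrow
    [start, end) when they have a hint about the key.
    """
    n = len(known_prefix)
    head = ciphertext[:n]
    for candidate in range(start, end):
        if rc4(i32_key(candidate), head) == known_prefix:
            return candidate
    return None


if __name__ == "__main__":
    body = b"constructed beacon body, not real SmokeLoader traffic"
    ct = encrypt(PLACEHOLDER_KEY, body)
    print("ciphertext:", ct.hex())
    print("roundtrip ok:", decrypt(PLACEHOLDER_KEY, ct) == body)
    print("recovered key:", hex(recover_key(ct, body[:8], 0x11223300, 0x11223400)))
```

The `rc4` function is verified against the public RC4 test vector (key "Key", plaintext "Plaintext"), so it can be reused as-is once the real rc4.i32 values are obtained from a config extractor; only the byte-order assumption in `i32_key` needs confirming against the sample.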

Extracted

Family

smokeloader

Botnet

pub3
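The five C2 URLs in the extracted config are the most directly usable indicators on this page. The following added example (not part of the original report) turns them into a check over web-proxy log lines. It matches on hostname rather than on the full URL, because the scheme, port and query string seen on the wire can differ from the string in the config, and it reports a weaker "path only" finding for POSTs to `/tmp/index.php` on other hosts, since that path is generic and is not evidence by itself. The log lines are constructed for the example; the format `<timestamp> <client> <method> <url> <status>` is an assumption.

```python
"""Check proxy log lines against the C2 URLs from the extracted SmokeLoader config.

Added example; the log lines are constructed, not taken from the report.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config on this page.
C2_URLS = [
    "http://cellc.org/tmp/index.php",
    "http://h-c-v.ru/tmp/index.php",
    "http://icebrasilpr.com/tmp/index.php",
    "http://piratia-life.ru/tmp/index.php",
    "http://piratia.su/tmp/index.php",
]

# Constructed sample log (assumed layout: timestamp client method url status).
SAMPLE_LOG = """\
2024-05-04T20:11:02Z 10.0.0.15 POST http://cellc.org/tmp/index.php 200
2024-05-04T20:11:05Z 10.0.0.15 GET http://www.example.com/index.html 200
2024-05-04T20:12:30Z 10.0.0.22 POST https://PIRATIA.SU/tmp/index.php 404
2024-05-04T20:13:01Z 10.0.0.31 POST http://unrelated.example/tmp/index.php 200
2024-05-04T20:14:44Z 10.0.0.15 POST http://piratia-life.ru/tmp/index.php?x=1 200
"""

Hit = Tuple[str, str, str, str]  # (kind, client, host, path)


def normalise(url: str) -> Tuple[str, str]:
    """Reduce a URL to (lower-case host, path) so scheme/port/query do not matter."""
    p = urlparse(url)
    return (p.hostname or ""), (p.path or "/")


C2_HOSTS = {normalise(u)[0] for u in C2_URLS}
C2_PATHS = {normalise(u)[1] for u in C2_URLS}   # all "/tmp/index.php" on this page


def classify(line: str) -> Optional[Hit]:
    """Return a hit for one log line, or None.

    'c2_hit'    : host matches an extracted C2 host (strong indicator).
    'path_only' : POST to a C2 path on some other host (weak, review manually).
    """
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, client, method, url, _status = parts[:5]
    host, path = normalise(url)
    if host in C2_HOSTS:
        return ("c2_hit", client, host, path)
    if method.upper() == "POST" and path in C2_PATHS:
        return ("path_only", client, host, path)
    return None


def scan(log_text: str) -> List[Hit]:
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


def summarise(hits: List[Hit]) -> Dict[str, List[str]]:
    """Strong hits grouped by client, for pivoting to the affected hosts."""
    by_client: Dict[str, set] = defaultdict(set)
    for kind, client, host, _path in hits:
        if kind == "c2_hit":
            by_client[client].add(host)
    return {c: sorted(hs) for c, hs in by_client.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summarise(found))
```

Two of the constructed lines show why the normalisation matters: the `https://PIRATIA.SU/...` request still matches because `urlparse().hostname` lower-cases the host and the scheme is ignored, and the `?x=1` query on the piratia-life.ru request is dropped before the path is compared. Expand the host set with the DNS names' resolved IPs before running this against real logs, since infected hosts may also be logged by destination address.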

Targets

    • Target

      5ac311dc851b50ca928ce97e7e8ffc6baaeaaf0274b1e9bc92ef0e98ebe3659e

    • Size

      723KB

    • MD5

      9e37e5165f3f418ca29aad898f3471e7

    • SHA1

      e8936b02ac82bf0d0a861ccc2ad291e6fbda7126

    • SHA256

      5ac311dc851b50ca928ce97e7e8ffc6baaeaaf0274b1e9bc92ef0e98ebe3659e

    • SHA512

      5d86b2c47cb2713f5601cc5637ec745127abc682672b1b679471f078250073926cd581f6ca0b2c0b729f6abc7a6f8a8fafdbef6ac8d0ebb45e9571a23ca61989

    • SSDEEP

      12288:qMwr9Chz85CA0vrmgk/2JuksiHMn8AfEaCebzdYvtI8SnChtRVptmtKP7:qMwrCz85+vrm2JPFS8AsNebzdSyLCLpT

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess (process created with a parent other than the caller, i.e. parent-PID spoofing)

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext (thread context rewritten in another process, a step typical of process hollowing or thread hijacking injection)

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic      Technique                      ID      Count
Discovery   System Information Discovery   T1082   2
Discovery   Query Registry                 T1012   2
Discovery   Peripheral Device Discovery    T1120   1
Discovery   Process Discovery              T1057   1
Discovery   Remote System Discovery        T1018   1
