General

  • Target

    e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb

  • Size

    734KB

  • Sample

    240506-267zzaff2z

  • MD5

    0c4cb8fd1e3cc4b42556562d317e6e59

  • SHA1

    8a572e6ef21e54b76cf0b38099c6ca47d607170e

  • SHA256

    e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb

  • SHA512

    0b7c6520fe39261743cb6f85a601d9e7306a17e25b1909150a14cd4e31e5c2d9c0faef30effbd1dc1eb1108da53b0f6284d701ce37ab5cef5dbcf9a2f8634652

  • SSDEEP

    12288:dXxKusPyZi+9cn2eIIcXopkUxTBdmEkH1Vmkw8dUfmBpHG9Yg1p8mgNahqYSkjQH:dXxKusaZi+9pI3xl1u1q/fmpnepSzYSr

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Targets

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • System Information Discovery: T1082 (2)

  • Query Registry: T1012 (1)

  • Peripheral Device Discovery: T1120 (1)

  • Process Discovery: T1057 (1)

  • Remote System Discovery: T1018 (1)

Tasks