General

  • Target

    93789a41239fd2a685450274d6d62d1ce5c4bd40e6b7af40265ec965fe4849ca

  • Size

    715KB

  • Sample

    240506-2vz5zsfa2w

  • MD5

    eba5a23fd3d9e89f63c3e54290b187a3

  • SHA1

    6c84b461c4b632344431da28ef56527813369a41

  • SHA256

    93789a41239fd2a685450274d6d62d1ce5c4bd40e6b7af40265ec965fe4849ca

  • SHA512

    27c4c348d2b3be81dcf3d35cfcfa3d65f8d22266f549ed50bbdd1f6ce7696ab3e816bd9d6d29d826ba90300e82d0817e3fd15532e00636d1a1e976f16e34e2f1

  • SSDEEP

    12288:gMwy281Z442vgAKDptW72mrXLOwOAZ0iLnjcemxuy2+7HimmH2K+dl:gMwy5WfPI0PrLOwOuYe67Hjw2Vl

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://cellc.org/tmp/index.php

    http://h-c-v.ru/tmp/index.php

    http://icebrasilpr.com/tmp/index.php

    http://piratia-life.ru/tmp/index.php

    http://piratia.su/tmp/index.php

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    smokeloader

  • Botnet

    pub3

Targets

    • Target

      93789a41239fd2a685450274d6d62d1ce5c4bd40e6b7af40265ec965fe4849ca

    • Size

      715KB

    • MD5

      eba5a23fd3d9e89f63c3e54290b187a3

    • SHA1

      6c84b461c4b632344431da28ef56527813369a41

    • SHA256

      93789a41239fd2a685450274d6d62d1ce5c4bd40e6b7af40265ec965fe4849ca

    • SHA512

      27c4c348d2b3be81dcf3d35cfcfa3d65f8d22266f549ed50bbdd1f6ce7696ab3e816bd9d6d29d826ba90300e82d0817e3fd15532e00636d1a1e976f16e34e2f1

    • SSDEEP

      12288:gMwy281Z442vgAKDptW72mrXLOwOAZ0iLnjcemxuy2+7HimmH2K+dl:gMwy5WfPI0PrLOwOuYe67Hjw2Vl

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion

  • Subvert Trust Controls (T1553): 1

  • Install Root Certificate (T1553.004): 1

  • Modify Registry (T1112): 1

Discovery

  • System Information Discovery (T1082): 2

  • Query Registry (T1012): 2

  • Peripheral Device Discovery (T1120): 1

  • Process Discovery (T1057): 1

  • Remote System Discovery (T1018): 1

Tasks