General

  • Target

    927c5f2c729689b6639e5ce9b394ad1fa9f061c897d9652783bf3231936ef49a

  • Size

    718KB

  • Sample

    240506-f62masah31

  • MD5

    20727e8bf3370af39df75322b09186d0

  • SHA1

    ac0d52954654165efabd811e159233a63731e384

  • SHA256

    927c5f2c729689b6639e5ce9b394ad1fa9f061c897d9652783bf3231936ef49a

  • SHA512

    8e37030e4016d400402b3ed141cffcfbd7d9f0848004ed9aeed7e144f292342bc3bda38b3c2d203c927a0c39496a97bef63e20113993dd8a37ff64e659cba513

  • SSDEEP

    12288:gMw76QE6uiHRCplEIXDUKDEYxUqgyTldZrGIWmJLy8MmI7y4xzURWCRy:gMw76P6vEEIX/DEEUehjWmZDMz7yUOpy

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

pub3

Targets

    • Target

      927c5f2c729689b6639e5ce9b394ad1fa9f061c897d9652783bf3231936ef49a

    • Size

      718KB

    • MD5

      20727e8bf3370af39df75322b09186d0

    • SHA1

      ac0d52954654165efabd811e159233a63731e384

    • SHA256

      927c5f2c729689b6639e5ce9b394ad1fa9f061c897d9652783bf3231936ef49a

    • SHA512

      8e37030e4016d400402b3ed141cffcfbd7d9f0848004ed9aeed7e144f292342bc3bda38b3c2d203c927a0c39496a97bef63e20113993dd8a37ff64e659cba513

    • SSDEEP

      12288:gMw76QE6uiHRCplEIXDUKDEYxUqgyTldZrGIWmJLy8MmI7y4xzURWCRy:gMw76P6vEEIX/DEEUehjWmZDMz7yUOpy

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks