General

  • Target

    7dc8133fb148b87f8cfcfa834c1a0134647f9dd55d5f59dec510f8f1b320ea66

  • Size

    696KB

  • Sample

    240507-29j3bagc54

  • MD5

    8fad1b737e2fb852710b43eba52d6b52

  • SHA1

    bad376c9582758c4e64956fd6a3df3f10462ba19

  • SHA256

    7dc8133fb148b87f8cfcfa834c1a0134647f9dd55d5f59dec510f8f1b320ea66

  • SHA512

    44acc7fea7525f3fceb38746d1190e56e42618f72f10c9bb2a3404000d77fa696285bce968786f6b1f5df70f402927ce4dc4f0d42ffeaef06a97d70da0938c92

  • SSDEEP

    12288:/Mw4PBDrHW6ncbkrC41L99OVhFHKQGQ9Ua+nQNtl0nD9rBmCvcpj3PmZ7fG4Erw8:/Mw45lncbk+4z9uFqQGXayC30bmCvcqw

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

pub3
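
The extracted config above gives the C2 gate URLs and the file hashes a responder would hunt for. The following is an added example, not part of the sandbox report or the SmokeLoader sample: a small Python IOC matcher that normalizes URLs from proxy logs and flags exact gate hits (host plus path) separately from weaker host-only hits, and that checks a file's MD5/SHA1/SHA256 against the hashes listed on this page. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example; the IOC values are taken from the report.

```python
"""Hunt for the SmokeLoader IOCs listed in this report in proxy logs and files.

Added example; the log format and log lines below are constructed, the
IOC values (C2 gates and hashes) are the ones shown on the page.
"""
import hashlib
from urllib.parse import urlsplit

# C2 gate URLs from the extracted config.
SMOKELOADER_C2 = [
    "http://cellc.org/tmp/index.php",
    "http://h-c-v.ru/tmp/index.php",
    "http://icebrasilpr.com/tmp/index.php",
    "http://piratia-life.ru/tmp/index.php",
    "http://piratia.su/tmp/index.php",
]

# File hashes of the sample from the General section.
SAMPLE_HASHES = {
    "md5": "8fad1b737e2fb852710b43eba52d6b52",
    "sha1": "bad376c9582758c4e64956fd6a3df3f10462ba19",
    "sha256": "7dc8133fb148b87f8cfcfa834c1a0134647f9dd55d5f59dec510f8f1b320ea66",
}


def normalize(url):
    """Return (host, path): host lowercased without a trailing dot, path defaulting to '/'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"
    return host, path


# Exact (host, path) gates and the bare hosts, both precomputed once.
C2_EXACT = {normalize(u) for u in SMOKELOADER_C2}
C2_HOSTS = {host for host, _ in C2_EXACT}


def classify_url(url):
    """'c2_gate' for a known gate URL, 'c2_host' for any other path on a C2 host, else None."""
    host, path = normalize(url)
    if (host, path) in C2_EXACT:
        return "c2_gate"
    if host in C2_HOSTS:
        return "c2_host"
    return None


def scan_proxy_log(lines):
    """Scan constructed proxy-log lines ('ts client method url status') and return the hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the hunt
        ts, client, method, url, status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "method": method,
                         "url": url, "status": status, "match": verdict})
    return hits


def hash_verdict(data):
    """Hash file bytes with MD5/SHA1/SHA256 and return the algorithms that match the sample."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return [alg for alg, hx in digests.items() if SAMPLE_HASHES[alg] == hx]


# Constructed proxy log: one benign request, two gate hits (one with an
# upper-case host), one host-only hit, and a look-alike domain that must not match.
SAMPLE_LOG = """\
1715040000.101 10.20.0.15 GET http://www.example.com/index.html 200
1715040001.204 10.20.0.15 POST http://cellc.org/tmp/index.php 200
1715040002.310 10.20.0.22 POST http://PIRATIA.SU/tmp/index.php 404
1715040003.455 10.20.0.22 GET http://h-c-v.ru/static/logo.png 200
1715040004.512 10.20.0.31 GET http://cellc.org.example.net/tmp/index.php 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} {hit['match']:8} {hit['method']} {hit['url']}")
    print("hash match:", hash_verdict(b"not the sample"))
```

The host-only match is reported separately on purpose: a hit on `/tmp/index.php` is the gate pattern from the config, while other paths on the same host may be legitimate content on a compromised site and deserve a second look rather than an automatic block.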

Targets

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • T1082 System Information Discovery (2)
  • T1012 Query Registry (1)
  • T1120 Peripheral Device Discovery (1)
  • T1057 Process Discovery (1)
  • T1018 Remote System Discovery (1)

Tasks