smokeloader | 64a4451cd02928f64713eda76180ed51914f03a349df777416cc1ea2dfbe1906 | Triage

Sharing

General

Target

61eb45e462738c0e3984137f0a6da5ec_JaffaCakes118
Size

124KB
Sample

240521-d9qyvsgg5t
MD5

61eb45e462738c0e3984137f0a6da5ec
SHA1

82f6201b9f0a77b4298861a1da4cce08b99afb55
SHA256

64a4451cd02928f64713eda76180ed51914f03a349df777416cc1ea2dfbe1906
SHA512

c43aaf6811475f46021ddbabb197c9133c442f17f71f949c1e1b34e532b0c18c9644a931fc6eb9d66e0b666794afa7cb8242c4c974552c514c80b9eb3c99b80b
SSDEEP

3072:zClEDPzAWJJgekoUZXZqXVCAiM3GM+Zs:z8EDPz5LgIUZXZwEAd332

Score

10^/10

smokeloader vgu backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

VgU

Extracted

Family

smokeloader

Version

2018

C2

http://osetr.hk/css/

rc4.i32

rc4.i32

Targets

- Target
  
  61eb45e462738c0e3984137f0a6da5ec_JaffaCakes118
- Size
  
  124KB
- MD5
  
  61eb45e462738c0e3984137f0a6da5ec
- SHA1
  
  82f6201b9f0a77b4298861a1da4cce08b99afb55
- SHA256
  
  64a4451cd02928f64713eda76180ed51914f03a349df777416cc1ea2dfbe1906
- SHA512
  
  c43aaf6811475f46021ddbabb197c9133c442f17f71f949c1e1b34e532b0c18c9644a931fc6eb9d66e0b666794afa7cb8242c4c974552c514c80b9eb3c99b80b
- SSDEEP
  
  3072:zClEDPzAWJJgekoUZXZqXVCAiM3GM+Zs:z8EDPz5LgIUZXZwEAd332
Score

10^/10

smokeloader vgu backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloadervgubackdoortrojan

behavioral2

smokeloaderbackdoortrojan