General

  • Target

    aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220.exe

  • Size

    735KB

  • Sample

    240523-r5zxvseg8s

  • MD5

    fb9c4b9a277d1bec79c5d72eb92048ae

  • SHA1

    cef6d340e836b1deb4be733e67273d1a9a328a35

  • SHA256

    aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220

  • SHA512

    f5b1dd2da2d2417c7f54f339cb4a8ad8ffb099e758ec4521a1781507e9d71a166ea967ca425e1cf735c5b8aee7a207a98265a67e4067ab8a3bccc232f3d365d8

  • SSDEEP

    12288:ZFs228hxeGgy74QrVA2s/gUZj9yypbStAbQwxTnrmyP6iWOFhLKXMht7numB6804:s2/TD4QrsgYRyyItAHrmyfT3mCnT6804

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://bipto.org/tmp/index.php

http://jobresurs.ru/tmp/index.php

http://tonybabb.com/tmp/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

pub2

Targets

    • Target

      aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220.exe

    • Size

      735KB

    • MD5

      fb9c4b9a277d1bec79c5d72eb92048ae

    • SHA1

      cef6d340e836b1deb4be733e67273d1a9a328a35

    • SHA256

      aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220

    • SHA512

      f5b1dd2da2d2417c7f54f339cb4a8ad8ffb099e758ec4521a1781507e9d71a166ea967ca425e1cf735c5b8aee7a207a98265a67e4067ab8a3bccc232f3d365d8

    • SSDEEP

      12288:ZFs228hxeGgy74QrVA2s/gUZj9yypbStAbQwxTnrmyP6iWOFhLKXMht7numB6804:s2/TD4QrsgYRyyItAHrmyfT3mCnT6804

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks