Overview

overview

10

Static

static

8

616476ce3c...0.docm

windows7-x64

10

616476ce3c...0.docm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    616476ce3c35d67b5edbb73b6c8965d5894f404f90074add16986f8d5c81d6f0.doc

  • Size

    518KB

  • Sample

    240524-bq6h4aga7w

  • MD5

    1f2d795ca29afadf24325cfbb3f60e4e

  • SHA1

    d5e05bf7300a09b6706082907e726b0d5a09e550

  • SHA256

    616476ce3c35d67b5edbb73b6c8965d5894f404f90074add16986f8d5c81d6f0

  • SHA512

    40ff395e3e62e9c0b47d9ec088129042b26ceeee28c76c23615086c33fcbc57250a8c4ea53464dfd5398a5e023743dca988d7c86ec1f6039a873d8b3352393b7

  • SSDEEP

    6144:sEc+F+HLHNIvPl8qZDC9VT8L38S8WyI6OLxoq5seCsH8BB3y8dqtUO2TsyUrOSo:sEcJHNopZW9eLH8WyITLfyXXvqxj9o

Score
10/10
smokeloaderbackdoormacrotrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://94.232.249.161/download/svc.exe

Extracted

Family

smokeloader

Version

2022

C2

http://rafraystore.ru/index.php

http://picwalldoor.ru/index.php

http://agentsuperpupervinil.ru/index.php

http://vivianstyler.ru/index.php

http://sephoraofficetz.ru/index.php

http://vikompalion.ru/index.php

http://ccbaminumpot.ru/index.php
rc4.i32
rc4.i32

Targets

    • Target

      616476ce3c35d67b5edbb73b6c8965d5894f404f90074add16986f8d5c81d6f0.doc

    • Size

      518KB

    • MD5

      1f2d795ca29afadf24325cfbb3f60e4e

    • SHA1

      d5e05bf7300a09b6706082907e726b0d5a09e550

    • SHA256

      616476ce3c35d67b5edbb73b6c8965d5894f404f90074add16986f8d5c81d6f0

    • SHA512

      40ff395e3e62e9c0b47d9ec088129042b26ceeee28c76c23615086c33fcbc57250a8c4ea53464dfd5398a5e023743dca988d7c86ec1f6039a873d8b3352393b7

    • SSDEEP

      6144:sEc+F+HLHNIvPl8qZDC9VT8L38S8WyI6OLxoq5seCsH8BB3y8dqtUO2TsyUrOSo:sEcJHNopZW9eLH8WyITLfyXXvqxj9o

    Score
    10/10
    smokeloaderbackdoortrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks