smokeloader

General

Target

7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66.doc
Size

106KB
Sample

240524-bvf41agc21
MD5

0bd1328012301d04bdc921acb321b820
SHA1

724612a3c88f187aa000efe4ff4e9e04c9553696
SHA256

7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66
SHA512

d588760ba4fb450a41563849ec10da311ef317c80da1e816b5d88198aef35379fd15f63512620fa7514f7d46f719afc07bce5fff7690ae6336e5a7d747e7d22f
SSDEEP

1536:FCuLaHmmF7tG8Q/qk8fowr/5mUpKNEteuEC5/ThAoLCAJZSfx6BrqbyGfh:hLIt7tD/rRmCK6guEC5/ThAQSfxSuGQ

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://45.84.0.173/download_22/server.exe

Extracted

Family

smokeloader

Version

2022

C2

http://rafraystore.ru/index.php

http://picwalldoor.ru/index.php

http://agentsuperpupervinil.ru/index.php

http://vivianstyler.ru/index.php

http://sephoraofficetz.ru/index.php

http://vikompalion.ru/index.php

http://ccbaminumpot.ru/index.php

rc4.i32

Targets

- Target
  
  7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66.doc
- Size
  
  106KB
- MD5
  
  0bd1328012301d04bdc921acb321b820
- SHA1
  
  724612a3c88f187aa000efe4ff4e9e04c9553696
- SHA256
  
  7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66
- SHA512
  
  d588760ba4fb450a41563849ec10da311ef317c80da1e816b5d88198aef35379fd15f63512620fa7514f7d46f719afc07bce5fff7690ae6336e5a7d747e7d22f
- SSDEEP
  
  1536:FCuLaHmmF7tG8Q/qk8fowr/5mUpKNEteuEC5/ThAoLCAJZSfx6BrqbyGfh:hLIt7tD/rRmCK6guEC5/ThAQSfxSuGQ
Score

10^/10

smokeloader backdoor trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2