smokeloader | 474c65289e7c68055b5fced2afa669eb8fb4cce35b05c1b952ab0e90c4d8b594 | Triage

Sharing

General

Target

474c65289e7c68055b5fced2afa669eb8fb4cce35b05c1b952ab0e90c4d8b594
Size

2.1MB
Sample

240908-w3qzdszgqj
MD5

1a6cdff2b97a62c28ea6ac397219f8af
SHA1

2a81951f33d443b482dad08e5900abec56af61fe
SHA256

474c65289e7c68055b5fced2afa669eb8fb4cce35b05c1b952ab0e90c4d8b594
SHA512

1d068806a36b500dc2f8ec03d24d9923b2c6b7a7e64f094646f8da6db77df863ce60a8f65dcc9a9ed69966b4b0643763c39072af0684f4b0ccea96f3f0ff406e
SSDEEP

49152:4OC7utMJFh8ZzgS9Up9i27GRx1+o/vL9p1KKPp5/GRoc+0cJ:4Z7utLZzgpp42ODtvL9Z0ovPJ

Score

10^/10

smokeloader backdoor discovery execution persistence trojan

Malware Config

Targets

- Target
  
  474c65289e7c68055b5fced2afa669eb8fb4cce35b05c1b952ab0e90c4d8b594
- Size
  
  2.1MB
- MD5
  
  1a6cdff2b97a62c28ea6ac397219f8af
- SHA1
  
  2a81951f33d443b482dad08e5900abec56af61fe
- SHA256
  
  474c65289e7c68055b5fced2afa669eb8fb4cce35b05c1b952ab0e90c4d8b594
- SHA512
  
  1d068806a36b500dc2f8ec03d24d9923b2c6b7a7e64f094646f8da6db77df863ce60a8f65dcc9a9ed69966b4b0643763c39072af0684f4b0ccea96f3f0ff406e
- SSDEEP
  
  49152:4OC7utMJFh8ZzgS9Up9i27GRx1+o/vL9p1KKPp5/GRoc+0cJ:4Z7utLZzgpp42ODtvL9Z0ovPJ
Score

10^/10

smokeloader backdoor discovery execution persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoordiscoveryexecutionpersistencetrojan

behavioral2

smokeloaderbackdoordiscoveryexecutionpersistencetrojan