smokeloader | 7910bb1786288ed1cc204913f0785c32a1bd0b1ee3476d2ef260df564be3b2a5 | Triage

Sharing

General

Target

7910bb1786288ed1cc204913f0785c32a1bd0b1ee3476d2ef260df564be3b2a5.hta
Size

131KB
Sample

241028-c98y1aycqf
MD5

63c86bc9c616e32406ec965054e9d4b0
SHA1

d1a0215e7fa42f4a994228d9cf86ac0a9e3ccebe
SHA256

7910bb1786288ed1cc204913f0785c32a1bd0b1ee3476d2ef260df564be3b2a5
SHA512

15109c6afb31ea10c80b8d3b02eede606d3b2f7f50f55046431b526ec52a9ee0a9ef0328a72dad288e6d11dd5eb2b21f43ecc83a999d03b2886c5926a7606d01
SSDEEP

96:Eam7Xy1+49+cxfj3+dn8HQKozLnm+/07T:Ea2Xy1l9qdQQ7LnmIaT

Score

10^/10

smokeloader backdoor defense_evasion discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Targets

- Target
  
  7910bb1786288ed1cc204913f0785c32a1bd0b1ee3476d2ef260df564be3b2a5.hta
- Size
  
  131KB
- MD5
  
  63c86bc9c616e32406ec965054e9d4b0
- SHA1
  
  d1a0215e7fa42f4a994228d9cf86ac0a9e3ccebe
- SHA256
  
  7910bb1786288ed1cc204913f0785c32a1bd0b1ee3476d2ef260df564be3b2a5
- SHA512
  
  15109c6afb31ea10c80b8d3b02eede606d3b2f7f50f55046431b526ec52a9ee0a9ef0328a72dad288e6d11dd5eb2b21f43ecc83a999d03b2886c5926a7606d01
- SSDEEP
  
  96:Eam7Xy1+49+cxfj3+dn8HQKozLnm+/07T:Ea2Xy1l9qdQQ7LnmIaT
Score

10^/10

defense_evasion discovery execution smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Evasion via Device Credential Deployment
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

smokeloaderbackdoordefense_evasiondiscoveryexecutiontrojan