smokeloader | 9af40d7dbe70e708bc2fc5cdf500f7f5389210ed8813f006ac342d6983dcd2ac | Triage

Sharing

General

Target

9af40d7dbe70e708bc2fc5cdf500f7f5389210ed8813f006ac342d6983dcd2ac.hta
Size

206KB
Sample

241107-db5z5athrm
MD5

1d7fd9405d04f45b7623ceea3602ac1a
SHA1

20d6bad0c83ace824ca2c962b9a16f6b2ff0afbb
SHA256

9af40d7dbe70e708bc2fc5cdf500f7f5389210ed8813f006ac342d6983dcd2ac
SHA512

c5ef145291e6a971497ccc1225b7ad369ea798164acdfdd03a1760cd5c435868feef43727df870cf3cb8e7d40c1046f7ae6aad0a825328148553aaa517936161
SSDEEP

48:4FhWsTR/F7gNqXfjH3BrGi3JX3Brmi3Jl7uW2ZxzBKI72VVVrsBAte0oNz3Brs3K:43F97ftlvFHGxtl2VfrJ4a+pM/Q

Score

10^/10

smokeloader backdoor defense_evasion discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Targets

- Target
  
  9af40d7dbe70e708bc2fc5cdf500f7f5389210ed8813f006ac342d6983dcd2ac.hta
- Size
  
  206KB
- MD5
  
  1d7fd9405d04f45b7623ceea3602ac1a
- SHA1
  
  20d6bad0c83ace824ca2c962b9a16f6b2ff0afbb
- SHA256
  
  9af40d7dbe70e708bc2fc5cdf500f7f5389210ed8813f006ac342d6983dcd2ac
- SHA512
  
  c5ef145291e6a971497ccc1225b7ad369ea798164acdfdd03a1760cd5c435868feef43727df870cf3cb8e7d40c1046f7ae6aad0a825328148553aaa517936161
- SSDEEP
  
  48:4FhWsTR/F7gNqXfjH3BrGi3JX3Brmi3Jl7uW2ZxzBKI72VVVrsBAte0oNz3Brs3K:43F97ftlvFHGxtl2VfrJ4a+pM/Q
Score

10^/10

defense_evasion discovery execution smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Evasion via Device Credential Deployment
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

smokeloaderbackdoordefense_evasiondiscoveryexecutiontrojan