Extracted

• • Target

    begoodforeverythinggreatthingsformebetterforgood.hta

  • Size

    108KB

  • MD5

    b7bd51ea4a3cbb85901f5e467009beaa

  • SHA1

    2daa4cd4c7eca9c42ff00e7d1a4e027f55b836bc

  • SHA256

    4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073

  • SHA512

    0d30af8454e5a74674e4f971e40a7c7781d0c29d48c25dd327b7bccad07f6208db24a078d8e03c07ae2bac7ac3ceba01b67668f7b3108456406c7a258fced032

  • SSDEEP

    384:Fipci1dZ2FGFZrZi9qiA/zRj6TiezFSw4M7333j333V333x333kD333n33P333UM:zFLFSwkGpe1zOhVadsRZ4

  Score

  10^/10

  defense_evasiondiscoveryexecutionsmokeloaderbackdoortrojan

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Smokeloader family

    smokeloader

  • Blocklisted process makes network request

  • Evasion via Device Credential Deployment

    defense_evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Suspicious use of SetThreadContext

  behavioral1behavioral2