Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	Smoke Loader (81f41bae-2ba9-4cec-9613-776be71645ca)	Tool	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	SmokeLoader (ba91d713-c36e-4d98-9fb7-e16496a69eec)	Malpedia	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	1
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0)	Malware	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
SmokeLoader (ba91d713-c36e-4d98-9fb7-e16496a69eec)	Malpedia	Smoke Loader (81f41bae-2ba9-4cec-9613-776be71645ca)	Tool	2
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	2