Skip to content

Hide Navigation Hide TOC

Smoke Loader (81f41bae-2ba9-4cec-9613-776be71645ca)

This small application is used to download other malware. What makes the bot interesting are various tricks that it uses for deception and self protection.

Cluster A Galaxy A Cluster B Galaxy B Level
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware Smoke Loader (81f41bae-2ba9-4cec-9613-776be71645ca) Tool 1
SmokeLoader (ba91d713-c36e-4d98-9fb7-e16496a69eec) Malpedia Smoke Loader (81f41bae-2ba9-4cec-9613-776be71645ca) Tool 1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware SmokeLoader (ba91d713-c36e-4d98-9fb7-e16496a69eec) Malpedia 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
Smoke Loader - S0226 (0c824410-58ff-49b2-9cf2-1c96b182bdf0) Malware Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3