Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Smoke Loader uses HTTP for C2. |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload. |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload. |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Smoke Loader searches for credentials stored by web browsers. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Smoke Loader deobfuscates its code. |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives). |
| Enterprise | T1083 | File and Directory Discovery | Smoke Loader recursively searches through directories for files. |
| Enterprise | T1105 | Ingress Tool Transfer | Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins. |
| Enterprise | T1027 | Obfuscated Files or Information | Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware. |
| Enterprise | | | Smoke Loader injects into the Internet Explorer process. |
| Enterprise | | | Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware. |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Smoke Loader launches a scheduled task. |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Smoke Loader searches for files named logins.json to parse for credentials. |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Smoke Loader scans processes to perform anti-VM checks. |
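The one-byte XOR obfuscation noted under T1027 is weak enough to recover by brute force, which is how an analyst typically carves C2 strings out of a dumped buffer. The following is an added example, not code from Smoke Loader or from the MITRE entry; the blob and key it decodes are constructed for the demo, and the letter-frequency table is an approximation used only for ranking.

```python
"""Single-byte XOR brute-forcer for values obfuscated the way the table above
describes. Added analyst example, not code from Smoke Loader or the MITRE
entry; the sample blob and key below are constructed for the demo."""
from typing import List, Tuple

# Bytes accepted in a decoded candidate: 0x20-0x7e plus tab, LF, CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Approximate English letter frequencies (percent) for ranking candidates.
# Printable-only filtering is not enough: a key differing from the real one
# only in its low bits still maps letters to letters, so several keys pass.
ENGLISH_FREQ = dict(zip(
    "etaoinshrdlcumwfgypbvkjxqz",
    (12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0, 2.8, 2.8,
     2.4, 2.4, 2.2, 2.0, 2.0, 1.9, 1.5, 1.0, 0.8, 0.2, 0.2, 0.1, 0.1)))
ENGLISH_FREQ[" "] = 13.0


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def english_score(data: bytes) -> float:
    """-1.0 if any byte is non-printable, else the summed letter-frequency score."""
    if any(b not in PRINTABLE for b in data):
        return -1.0
    return sum(ENGLISH_FREQ.get(chr(b).lower(), 0.0) for b in data)


def rank_keys(blob: bytes, top_n: int = 5) -> List[Tuple[int, bytes]]:
    """Try all 256 keys; return up to top_n (key, plaintext) pairs, best first.
    Only fully printable candidates are kept, so the result may be shorter
    than top_n, and an empty blob yields no candidates at all."""
    if not blob:
        return []
    scored = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        score = english_score(plain)
        if score >= 0.0:
            scored.append((score, key, plain))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [(key, plain) for _, key, plain in scored[:top_n]]


# Constructed sample: a C2-style URL obfuscated with a key the decoder is not told.
DEMO_KEY = 0x5A
DEMO_BLOB = xor_bytes(b"http://example.invalid/gate.php?id=1", DEMO_KEY)

if __name__ == "__main__":
    for key, plain in rank_keys(DEMO_BLOB):
        print(f"key=0x{key:02x}  {plain!r}")
```

Running it lists the true key first, with the near-miss keys (those that only flip low bits) ranked below it despite also decoding to printable text.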