Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal

Indicators of Compromise (IoC)

SmokeLoader contacted server:

MITRE ATT&CK TTPs

Tactic               Technique                                                  ID
Initial Access       Valid Accounts: Default Accounts                           T1078.001
Initial Access       Phishing                                                   T1566
Execution            Command and Scripting Interpreter: PowerShell              T1059.001
Defense Evasion      Access Token Manipulation: Create Process with Token       T1134.002
Defense Evasion      Obfuscated Files or Information                            T1027
Defense Evasion      Obfuscated Files or Information: Dynamic API Resolution    T1027.007
Defense Evasion      Execution Guardrails                                       T1480
Defense Evasion      Debugger Evasion                                           T1622
Defense Evasion      Virtualization/Sandbox Evasion: System Checks              T1622
Defense Evasion      Process Injection                                          T1055
Defense Evasion      Masquerading                                               T1036
Defense Evasion      Indicator Removal on Host                                  T1070
Discovery            Process Discovery                                          T1057
Discovery            Application Window Discovery                               T1057
Command and Control  Application Layer Protocol: Web Protocol                   T1071.001
Command and Control  Encrypted Channel: Symmetric Cryptography                  T1573.001
Impact               Data Encrypted for Impact                                  T1486
Impact               Inhibit System Recovery                                    T1490