{
	"id": "6444d4d6-77d0-4173-bd7b-2e2828cdf790",
	"created_at": "2026-04-06T00:10:56.83764Z",
	"updated_at": "2026-04-10T03:21:41.343764Z",
	"deleted_at": null,
	"sha1_hash": "c5d1f735febbc27f2d12d358f92096ddd27e0f21",
	"title": "Attackers Exploit DLL Hijacking to Bypass SmartScreen | SOC Prime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32664,
	"plain_text": "Attackers Exploit DLL Hijacking to Bypass SmartScreen | SOC\r\nPrime\r\nBy Eugene Tkachenko\r\nPublished: 2018-05-11 · Archived: 2026-04-05 21:21:30 UTC\r\nDelaware, USA – May 11, 2018 – The DLL hijacking technique has long been known, yet it remains effective enough to\r\nbypass some security solutions, so attackers have used it in new malware. ElevenPaths analyzed the banking trojan\r\nN40, used in a recent campaign against Chilean banks. This malware is an evolved version of the Brazilian banking trojan used\r\nin attacks last fall. Adversaries can use it to gain access to an infected system, steal credentials and valuable data,\r\nand replace a bitcoin wallet address in the victim’s clipboard. The trojan uses unusual techniques to avoid detection by\r\nsecurity tools. To bypass Windows SmartScreen, the first-stage malware drops the legitimate WMnat.exe file onto\r\nthe attacked system, then saves shfolder.dll to the same folder; this file is in fact the N40 trojan, renamed and signed\r\nwith a digital certificate purchased on the black market. After that, the downloader runs WMnat.exe, which loads\r\nthe trojan into memory, so Windows SmartScreen only sees the execution of a legitimate application. The malware\r\nbypasses many signature-based anti-virus solutions, uses real-time string decoding techniques to hide in system\r\nmemory and uses non-standard ports to communicate with Command \u0026 Control servers.\r\nThe researchers did not mention how the attackers spread the N40 banking trojan but noted that the threat actors behind\r\nthis campaign are successful, and that this evolved malware is effective against standard solutions used in the banking\r\nsector. 
To detect exploitation of the DLL hijacking technique, you can use ArcSight with the File Hash Analytics use case,\r\nwhich can quickly find files with the same name but different hashes, such as a shfolder.dll whose hash does not match the legitimate library.\r\nSource: https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/\r\nhttps://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/"
	],
	"report_names": [
		"attackers-exploit-dll-hijacking-to-bypass-smartscreen"
	],
	"threat_actors": [],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5d1f735febbc27f2d12d358f92096ddd27e0f21.pdf",
		"text": "https://archive.orkl.eu/c5d1f735febbc27f2d12d358f92096ddd27e0f21.txt",
		"img": "https://archive.orkl.eu/c5d1f735febbc27f2d12d358f92096ddd27e0f21.jpg"
	}
}