smokeloader | 9abc00865e3487cfa3e4f41ec68082c292cba5690f96e53c8c2818a58c64493e

Analysis

max time kernel
41s
max time network
10s
platform
windows7_x64
resource
win7v200430
submitted
17-06-2020 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cb9e63f6f46eefcb7747a42117b2a28.exe
Size

32KB
MD5

3cb9e63f6f46eefcb7747a42117b2a28
SHA1

a9c5a3cba0ed357520a27116e98986abacffd76b
SHA256

418c7c294982186c2315c6a78524a38a6901310366261342952eea826d55927e
SHA512

1600db2fbaaca9726902c4d647e167dd4f337f013475357a80b853c650cbe9527984ea9cfd1b028ae6cb855070c6b29b8302bbaf0cd895db42e0ebbaf824ffda

Score

10^/10

trojan backdoor smokeloader

Malware Config

Extracted

Family

smokeloader

Version

2018

http://185.35.137.147/mlp/

rc4.i32

Signatures

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3cb9e63f6f46eefcb7747a42117b2a28.exe

pid process

1412 3cb9e63f6f46eefcb7747a42117b2a28.exe
1412 3cb9e63f6f46eefcb7747a42117b2a28.exe

pid	process
1412	3cb9e63f6f46eefcb7747a42117b2a28.exe
1412	3cb9e63f6f46eefcb7747a42117b2a28.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3cb9e63f6f46eefcb7747a42117b2a28.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3cb9e63f6f46eefcb7747a42117b2a28.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	3cb9e63f6f46eefcb7747a42117b2a28.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

C:\Users\Admin\AppData\Local\Temp\3cb9e63f6f46eefcb7747a42117b2a28.exe
"C:\Users\Admin\AppData\Local\Temp\3cb9e63f6f46eefcb7747a42117b2a28.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Maps connected drives based on registry
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-2-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/1412-0-0x00000000001A0000-0x00000000001B5000-memory.dmp

Filesize
84KB

Download