Behavioral Report

Resubmissions

01-11-2020 15:20

201101-6gnva6fyd2 10

01-11-2020 15:16

201101-dvbselbzxx 10

Analysis

max time kernel
77s
max time network
136s
platform
windows10_x64
resource
win10v20201028
submitted
01-11-2020 15:16

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

2020-11-01_21-26-29.bin.exe
Size

234KB
MD5

dd22d3a34781601ebbe3020b7cd33356
SHA1

567dd97232f0cf9ecec13f82ff894d9c9ee0d013
SHA256

33fe9bbda8cc1dbaa70e85a203fb6a0ec2a82ce2edb0c5ac585be620e8b8a1b0
SHA512

c6c4d353a76b1a0c35791c58935ec426d3d67c2133cffb5332c5ab71c5424f5ba1acf398fd210285676f5b838646192791f67a8edceddfa7e4b0722cbef39316

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family	smokeloader
Version	2020
C2	http://etasuklavish.today/ http://mragyzmachnobesdi.today/ http://kimchinikuzims.today/ http://slacvostinrius.today/ http://straponuliusyn.today/ http://grammmdinss.today/ http://viprasputinsd.chimkent.su/ http://lupadypa.dagestan.su/ http://stoknolimchin.exnet.su/ http://musaroprovadnikov.live/ http://teemforyourexprensiti.life/ http://stolkgolmishutich.termez.su/ http://roompampamgandish.wtf/ http://etasuklavish.today/ http://mragyzmachnobesdi.today/ http://kimchinikuzims.today/ http://slacvostinrius.today/ http://straponuliusyn.today/ http://grammmdinss.today/ http://viprasputinsd.chimkent.su/ http://lupadypa.dagestan.su/ http://stoknolimchin.exnet.su/ http://musaroprovadnikov.live/ http://teemforyourexprensiti.life/ http://stolkgolmishutich.termez.su/ http://roompampamgandish.wtf/
rc4.i32
rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE ⋅ 1 IoCs

Processes:

C4CC.tmp.exe

pid process

2012 C4CC.tmp.exe
Deletes itself ⋅ 1 IoCs

Processes:

pid process

3016
Loads dropped DLL ⋅ 1 IoCs

Processes:

2020-11-01_21-26-29.bin.exe

pid process

492 2020-11-01_21-26-29.bin.exe

pid	process
2012	C4CC.tmp.exe

pid	process
3016

Checks SCSI registry key(s) ⋅ 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

2020-11-01_21-26-29.bin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2020-11-01_21-26-29.bin.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2020-11-01_21-26-29.bin.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2020-11-01_21-26-29.bin.exe

Suspicious behavior: EnumeratesProcesses ⋅ 1256 IoCs

Processes:

2020-11-01_21-26-29.bin.exe

pid	process
492	2020-11-01_21-26-29.bin.exe
492	2020-11-01_21-26-29.bin.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: MapViewOfSection ⋅ 1 IoCs

Processes:

2020-11-01_21-26-29.bin.exe

pid process

492 2020-11-01_21-26-29.bin.exe
Suspicious use of UnmapMainImage ⋅ 1 IoCs

Processes:

pid process

3016

pid	process
3016

Suspicious use of WriteProcessMemory ⋅ 3 IoCs

Processes:

description	pid	target process
PID 3016 wrote to memory of 2012	3016	C4CC.tmp.exe
PID 3016 wrote to memory of 2012	3016	C4CC.tmp.exe
PID 3016 wrote to memory of 2012	3016	C4CC.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2020-11-01_21-26-29.bin.exe

"C:\Users\Admin\AppData\Local\Temp\2020-11-01_21-26-29.bin.exe"

Loads dropped DLL
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection

PID:492

C:\Users\Admin\AppData\Local\Temp\C4CC.tmp.exe

C:\Users\Admin\AppData\Local\Temp\C4CC.tmp.exe

Executes dropped EXE

PID:2012

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\C4CC.tmp.exe
MD5
379a349d07c3868fdaadc8e3ec12b599

SHA1
8d2baed856232fc0f52a3ba30109aeac50034ed7

SHA256
1546dcf0f1d4721adc53ddeb7b66dbe800f21050621972afb975577f49e7bff4

SHA512
954840bfbb391e6f7f3f672a723b335124c73eb93fe4cf738866175bfd6e5167e3206a6cb5a0039a1ccca9e6a2519b3e1eb761dcc85ffccf6e20864e6385159a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4CC.tmp.exe
MD5
379a349d07c3868fdaadc8e3ec12b599

SHA1
8d2baed856232fc0f52a3ba30109aeac50034ed7

SHA256
1546dcf0f1d4721adc53ddeb7b66dbe800f21050621972afb975577f49e7bff4

SHA512
954840bfbb391e6f7f3f672a723b335124c73eb93fe4cf738866175bfd6e5167e3206a6cb5a0039a1ccca9e6a2519b3e1eb761dcc85ffccf6e20864e6385159a

Download Submit
\Users\Admin\AppData\Local\Temp\2F6.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/492-0-0x00000000025B4000-0x00000000025B5000-memory.dmp

Download
memory/492-1-0x0000000004080000-0x0000000004081000-memory.dmp

Download
memory/2012-4-0x0000000000000000-mapping.dmp

Download
memory/2012-7-0x0000000002404000-0x0000000002405000-memory.dmp

Download
memory/2012-8-0x0000000004020000-0x0000000004021000-memory.dmp

Download
memory/3016-3-0x0000000000E30000-0x0000000000E46000-memory.dmp

Download