Vr.rar

General
  Target:     0x000300000001ac99-126.exe
  Filesize:   300KB
  Completed:  25-11-2020 10:47
  Score:      10/10
  MD5:        ca58d4cf4a5e0725f844c8eae3f8ae67
  SHA1:       fbce92619ce23f4594846f2f789e513dab9f3239
  SHA256:     0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054

Malware Config

Extracted
  Family:   smokeloader
  Version:  2020
  C2:
    http://vintrsi.com/upload/
    http://woatdert.com/upload/
    http://waruse.com/upload/
  rc4.i32:  (value not shown in the report)
  rc4.i32:  (value not shown in the report)

Signatures 8


Discovery
  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

  • Deletes itself

    Reported IOCs

    pid   process
    1248  (process name not recorded)
  • Loads dropped DLL
    0x000300000001ac99-126.exe

    Reported IOCs

    pid   process
    1688  0x000300000001ac99-126.exe
  • Checks SCSI registry key(s)
    0x000300000001ac99-126.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

    Reported IOCs

    description     ioc                                                process
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0x000300000001ac99-126.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0x000300000001ac99-126.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0x000300000001ac99-126.exe
  • Suspicious behavior: EnumeratesProcesses
    0x000300000001ac99-126.exe

    Reported IOCs

    pid   process
    1688  0x000300000001ac99-126.exe
    1688  0x000300000001ac99-126.exe
    1248  (process name not recorded; this row is repeated 62 times in the report)
  • Suspicious behavior: MapViewOfSection
    0x000300000001ac99-126.exe

    Reported IOCs

    pid   process
    1688  0x000300000001ac99-126.exe
  • Suspicious use of FindShellTrayWindow

    Reported IOCs

    pid   process
    1248  (process name not recorded; this row is repeated 4 times in the report)
  • Suspicious use of SendNotifyMessage

    Reported IOCs

    pid   process
    1248  (process name not recorded; this row is repeated 4 times in the report)
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac99-126.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac99-126.exe"
    Signatures:
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
    PID: 1688
Network
MITRE ATT&CK Matrix
  Tactic columns shown (no techniques listed under them in this report): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • \Users\Admin\AppData\Local\Temp\CC4F.tmp
    MD5:     d124f55b9393c976963407dff51ffa79
    SHA1:    2c7bbedd79791bfb866898c85b504186db610b5d
    SHA256:  ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
    SHA512:  278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

  • memory/1248-2-0x0000000003C30000-0x0000000003C46000-memory.dmp

  • memory/1688-0-0x0000000005F30000-0x0000000005F41000-memory.dmp