Vr.rar

General

Target: 0x000300000001ac9e-134.exe
Filesize: 311KB
Completed: 25-11-2020 10:47
Score: 10/10
MD5: fdde60834af109d71f4c7d28b865c8a1
SHA1: 4f721105161b74e07b5ccd762d32932989bfb03a
SHA256: b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

Malware Config

Extracted

Family: smokeloader
Version: 2019
C2

rc4.i32
Signatures 10

Discovery
  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

  • Deletes itself

    Reported IOCs

    pid   process
    1204
  • Loads dropped DLL
    0x000300000001ac9e-134.exe

    Reported IOCs

    pid   process
    564   0x000300000001ac9e-134.exe
  • Suspicious use of SetThreadContext
    0x000300000001ac9e-134.exe

    Reported IOCs

    description                          pid   process                      target process
    PID 1056 set thread context of 564   1056  0x000300000001ac9e-134.exe   0x000300000001ac9e-134.exe
  • Checks SCSI registry key(s)
    0x000300000001ac9e-134.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description      ioc                                                 process
    Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    0x000300000001ac9e-134.exe
    Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    0x000300000001ac9e-134.exe
    Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    0x000300000001ac9e-134.exe
  • Suspicious behavior: EnumeratesProcesses

    Reported IOCs

    pid   process
    1204
  • Suspicious behavior: MapViewOfSection
    0x000300000001ac9e-134.exe

    Reported IOCs

    pid   process
    564   0x000300000001ac9e-134.exe
  • Suspicious use of FindShellTrayWindow

    Reported IOCs

    pid   process
    1204
  • Suspicious use of SendNotifyMessage

    Reported IOCs

    pid   process
    1204
  • Suspicious use of WriteProcessMemory
    0x000300000001ac9e-134.exe

    Reported IOCs

    description                      pid   process                      target process
    PID 1056 wrote to memory of 564  1056  0x000300000001ac9e-134.exe   0x000300000001ac9e-134.exe
    PID 1056 wrote to memory of 564  1056  0x000300000001ac9e-134.exe   0x000300000001ac9e-134.exe
    PID 1056 wrote to memory of 564  1056  0x000300000001ac9e-134.exe   0x000300000001ac9e-134.exe
    PID 1056 wrote to memory of 564  1056  0x000300000001ac9e-134.exe   0x000300000001ac9e-134.exe
    PID 1056 wrote to memory of 564  1056  0x000300000001ac9e-134.exe   0x000300000001ac9e-134.exe
    PID 1056 wrote to memory of 564  1056  0x000300000001ac9e-134.exe   0x000300000001ac9e-134.exe
    PID 1056 wrote to memory of 564  1056  0x000300000001ac9e-134.exe   0x000300000001ac9e-134.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe
      "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe"
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:564
Network
MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • \Users\Admin\AppData\Local\Temp\4DD3.tmp
    MD5: d124f55b9393c976963407dff51ffa79
    SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
    SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
    SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
  • memory/564-2-0x0000000000400000-0x000000000040C000-memory.dmp
  • memory/564-3-0x0000000000402A38-mapping.dmp
  • memory/1056-0-0x00000000060B0000-0x00000000060C1000-memory.dmp
  • memory/1056-1-0x00000000060B0000-0x00000000060C1000-memory.dmp
  • memory/1204-5-0x00000000039C0000-0x00000000039D7000-memory.dmp