Vr.rar
0x000300000001ac9e-134.exe
311KB
25-11-2020 10:47
fdde60834af109d71f4c7d28b865c8a1
4f721105161b74e07b5ccd762d32932989bfb03a
b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87
Extracted
| Family | smokeloader |
| Version | 2019 |
| C2 |
http://10022020newfolder1002002131-service1002.space/ http://10022020newfolder1002002231-service1002.space/ http://10022020newfolder3100231-service1002.space/ http://10022020newfolder1002002431-service1002.space/ http://10022020newfolder1002002531-service1002.space/ http://10022020newfolder33417-01242510022020.space/ http://10022020test125831-service1002012510022020.space/ http://10022020test136831-service1002012510022020.space/ http://10022020test147831-service1002012510022020.space/ http://10022020test146831-service1002012510022020.space/ http://10022020test134831-service1002012510022020.space/ http://10022020est213531-service100201242510022020.ru/ http://10022020yes1t3481-service1002012510022020.ru/ http://10022020test13561-service1002012510022020.su/ http://10022020test14781-service1002012510022020.info/ http://10022020test13461-service1002012510022020.net/ http://10022020test15671-service1002012510022020.tech/ http://10022020test12671-service1002012510022020.online/ http://10022020utest1341-service1002012510022020.ru/ http://10022020uest71-service100201dom2510022020.ru/ http://10022020test61-service1002012510022020.website/ http://10022020test51-service1002012510022020.xyz/ http://10022020test41-service100201pro2510022020.ru/ http://10022020yest31-service100201rus2510022020.ru/ http://10022020rest21-service1002012510022020.eu/ http://10022020test11-service1002012510022020.press/ http://10022020newfolder4561-service1002012510022020.ru/ http://10022020rustest213-service1002012510022020.ru/ http://10022020test281-service1002012510022020.ru/ http://10022020test261-service1002012510022020.space/ http://10022020yomtest251-service1002012510022020.ru/ http://10022020yirtest231-service1002012510022020.ru/ |
| rc4.i32 |
|
| rc4.i32 |
|
Filter: none
-
SmokeLoader
Description
Modular backdoor trojan in use since 2014.
Tags
-
Deletes itself
Reported IOCs
pid process 1204 -
Loads dropped DLL0x000300000001ac9e-134.exe
Reported IOCs
pid process 564 0x000300000001ac9e-134.exe -
Suspicious use of SetThreadContext0x000300000001ac9e-134.exe
Reported IOCs
description pid process target process PID 1056 set thread context of 564 1056 0x000300000001ac9e-134.exe 0x000300000001ac9e-134.exe -
Checks SCSI registry key(s)0x000300000001ac9e-134.exe
Description
SCSI information is often read in order to detect sandboxing environments.
TTPs
Reported IOCs
description ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0x000300000001ac9e-134.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0x000300000001ac9e-134.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0x000300000001ac9e-134.exe -
Suspicious behavior: EnumeratesProcesses
Reported IOCs
pid process 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 1204 -
Suspicious behavior: MapViewOfSection0x000300000001ac9e-134.exe
Reported IOCs
pid process 564 0x000300000001ac9e-134.exe -
Suspicious use of FindShellTrayWindow
Reported IOCs
pid process 1204 1204 1204 1204 -
Suspicious use of SendNotifyMessage
Reported IOCs
pid process 1204 1204 1204 1204 -
Suspicious use of WriteProcessMemory0x000300000001ac9e-134.exe
Reported IOCs
description pid process target process PID 1056 wrote to memory of 564 1056 0x000300000001ac9e-134.exe 0x000300000001ac9e-134.exe PID 1056 wrote to memory of 564 1056 0x000300000001ac9e-134.exe 0x000300000001ac9e-134.exe PID 1056 wrote to memory of 564 1056 0x000300000001ac9e-134.exe 0x000300000001ac9e-134.exe PID 1056 wrote to memory of 564 1056 0x000300000001ac9e-134.exe 0x000300000001ac9e-134.exe PID 1056 wrote to memory of 564 1056 0x000300000001ac9e-134.exe 0x000300000001ac9e-134.exe PID 1056 wrote to memory of 564 1056 0x000300000001ac9e-134.exe 0x000300000001ac9e-134.exe PID 1056 wrote to memory of 564 1056 0x000300000001ac9e-134.exe 0x000300000001ac9e-134.exe
-
C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exePID:1056"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe"Suspicious use of SetThreadContextSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exePID:564"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe"Loads dropped DLLChecks SCSI registry key(s)Suspicious behavior: MapViewOfSection
-
\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
memory/564-2-0x0000000000400000-0x000000000040C000-memory.dmp
-
memory/564-3-0x0000000000402A38-mapping.dmp
-
memory/1056-0-0x00000000060B0000-0x00000000060C1000-memory.dmp
-
memory/1056-1-0x00000000060B0000-0x00000000060C1000-memory.dmp
-
memory/1204-5-0x00000000039C0000-0x00000000039D7000-memory.dmp