Overview

overview

10

Static

static

membin.exe

windows7_x64

10

membin.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    10-01-2021 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    membin.exe

  • Size

    68KB

  • MD5

    6cbf9d6d3c60014c52e25c3c6ac3897e

  • SHA1

    89d5c32bfbd07a43217b59118bd603947b91394e

  • SHA256

    391a0255cb43f87a85d4ccbf764e6d261775fc2be791df2ed6fd9a1a3a3e6e76

  • SHA512

    474480299b6428b1ffde64b950054ba27c175c852b420e1c0af66d8fb70c9b232edf955827b8abe62b82462044b79df4e31352ea3fe96bcf4d6f029d2629a3f3

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2019

C2

https://dwajfjaiakdnsandks.com/

https://djsadoiasidnasnf.com/

https://jfsfkjsdfksfjsjafas.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2616 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\membin.exe
    "C:\Users\Admin\AppData\Local\Temp\membin.exe"
    1⤵
    • Loads dropped DLL
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1924
  • \??\c:\windows\system32\regsvr32.EXE
    c:\windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\Admin\AppData\Roaming\vticiuw" scrobj
    1⤵
      PID:3576
    • C:\Users\Admin\AppData\Roaming\rjscefg
      C:/Users/Admin/AppData/Roaming/rjscefg
      1⤵
      • Executes dropped EXE
      PID:940

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\210A.tmp
      MD5

      50741b3f2d7debf5d2bed63d88404029

      SHA1

      56210388a627b926162b36967045be06ffb1aad3

      SHA256

      f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

      SHA512

      fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

      Download Submit
    • C:\Users\Admin\AppData\Roaming\rjscefg
      MD5

      6cbf9d6d3c60014c52e25c3c6ac3897e

      SHA1

      89d5c32bfbd07a43217b59118bd603947b91394e

      SHA256

      391a0255cb43f87a85d4ccbf764e6d261775fc2be791df2ed6fd9a1a3a3e6e76

      SHA512

      474480299b6428b1ffde64b950054ba27c175c852b420e1c0af66d8fb70c9b232edf955827b8abe62b82462044b79df4e31352ea3fe96bcf4d6f029d2629a3f3

      Download Submit
    • C:\Users\Admin\AppData\Roaming\rjscefg
      MD5

      6cbf9d6d3c60014c52e25c3c6ac3897e

      SHA1

      89d5c32bfbd07a43217b59118bd603947b91394e

      SHA256

      391a0255cb43f87a85d4ccbf764e6d261775fc2be791df2ed6fd9a1a3a3e6e76

      SHA512

      474480299b6428b1ffde64b950054ba27c175c852b420e1c0af66d8fb70c9b232edf955827b8abe62b82462044b79df4e31352ea3fe96bcf4d6f029d2629a3f3

      Download Submit
    • C:\Users\Admin\AppData\Roaming\vticiuw
      MD5

      e92cbf24eabb5fcaef448f167c22f368

      SHA1

      8b57340c52cff0b9af661509135416969d2c85df

      SHA256

      acce1e0f30bf731da04a4d9e783b9a674d62bee31bdc0dc00393420758511844

      SHA512

      a72e47cde6237482116a4751b4370f92dc597d3a2e764e6cb913066e18f275c8eec7b87fd3be130bbf397d13d13bd7b4970ab51b310e9bd4619453a7950f7e0b

      Download Submit
    • \Users\Admin\AppData\Local\Temp\210A.tmp
      MD5

      50741b3f2d7debf5d2bed63d88404029

      SHA1

      56210388a627b926162b36967045be06ffb1aad3

      SHA256

      f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

      SHA512

      fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

      Download Submit
    • memory/3000-3-0x0000000001280000-0x0000000001296000-memory.dmp
      Filesize

      88KB

      Download