smokeloader | 464998f5bf7c3490936b638d9b6431813aebc947080efe2dc6eb5a495588abab

Analysis

max time kernel
150s
max time network
117s
platform
windows10_x64
resource
win10v20201028
submitted
04-03-2021 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cd77b95_extracted.exe
Size

34KB
MD5

e21003354956dac75332fe47f41edce3
SHA1

2c24803bc69bc42d4cc04e8e238b88706a0e9fa7
SHA256

464998f5bf7c3490936b638d9b6431813aebc947080efe2dc6eb5a495588abab
SHA512

f4bf4fde08a2dbc12399c20131a24f656a71774674ac74b9a79911d67423b903fff0b35da19a0ff544f3145169f7a5ac378d706d1aa3ec364fd2237743feb679

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://lookupsky.net/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

2640
Loads dropped DLL 1 IoCs

Processes:

5cd77b95_extracted.exe

pid process

4780 5cd77b95_extracted.exe

pid	process
2640

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5cd77b95_extracted.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5cd77b95_extracted.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5cd77b95_extracted.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5cd77b95_extracted.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5cd77b95_extracted.exe

pid	process
4780	5cd77b95_extracted.exe
4780	5cd77b95_extracted.exe
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

5cd77b95_extracted.exe

pid process

4780 5cd77b95_extracted.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2640

pid	process
2640

C:\Users\Admin\AppData\Local\Temp\5cd77b95_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\5cd77b95_extracted.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\44DA.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/2640-3-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download