smokeloader | 178fb69c394a6d86a3695acbb025bc2f3be31dea683ee6e5016af0566eef8111

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
10-03-2021 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ed271e10ba37319d01d44acd33489a7.exe
Size

284KB
MD5

5ed271e10ba37319d01d44acd33489a7
SHA1

7130a850b50d5fccc1401f57ad95cac863a02062
SHA256

178fb69c394a6d86a3695acbb025bc2f3be31dea683ee6e5016af0566eef8111
SHA512

882d1adf9f2513d5578a72dcc50f0ef510def30c2c1ed0af5f051752e299a72be79c48660038aa852a39007c8286c6ea2ba2886cf0d8e4a859573faedf1ca27f

Score

10^/10

smokeloader vidar backdoor discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://jibw.top/

http://lakf.top/

http://yapv.top/

http://pqdb.top/

http://bpqx.top/

http://gyuw.top/

http://vafc.top/

http://qgam.top/

http://viio.top/

http://chpp.top/

http://csji.top/

http://xxql.top/

http://vtxa.top/

http://ggoz.top/

http://crpa.top/

http://vuss.top/

http://coal.top/

http://fymm.top/

http://roaf.top/

http://aeus.top/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 4 IoCs

pid	Process
3860	83BC.exe
2092	83BC.exe
4492	5.exe
2052	83BC.exe

Deletes itself 1 IoCs

pid	Process
3128	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
4692	5ed271e10ba37319d01d44acd33489a7.exe
4492	5.exe
4492	5.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4052	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1f4c770b-4986-4077-8605-89271a4909d1\\83BC.exe\" --AutoStart"	83BC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.2ip.ua
31	api.2ip.ua
25	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ed271e10ba37319d01d44acd33489a7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ed271e10ba37319d01d44acd33489a7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ed271e10ba37319d01d44acd33489a7.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1572	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1060	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	83BC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	83BC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4692	5ed271e10ba37319d01d44acd33489a7.exe
4692	5ed271e10ba37319d01d44acd33489a7.exe
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found
3128	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4692	5ed271e10ba37319d01d44acd33489a7.exe
3128	Process not Found
3128	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3128	Process not Found
Token: SeCreatePagefilePrivilege	3128	Process not Found
Token: SeShutdownPrivilege	3128	Process not Found
Token: SeCreatePagefilePrivilege	3128	Process not Found
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeShutdownPrivilege	3128	Process not Found
Token: SeCreatePagefilePrivilege	3128	Process not Found

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 3860	3128	Process not Found	78
PID 3128 wrote to memory of 3860	3128	Process not Found	78
PID 3128 wrote to memory of 3860	3128	Process not Found	78
PID 3128 wrote to memory of 3220	3128	Process not Found	79
PID 3128 wrote to memory of 3220	3128	Process not Found	79
PID 3128 wrote to memory of 3220	3128	Process not Found	79
PID 3128 wrote to memory of 3220	3128	Process not Found	79
PID 3860 wrote to memory of 4052	3860	83BC.exe	80
PID 3860 wrote to memory of 4052	3860	83BC.exe	80
PID 3860 wrote to memory of 4052	3860	83BC.exe	80
PID 3860 wrote to memory of 2092	3860	83BC.exe	81
PID 3860 wrote to memory of 2092	3860	83BC.exe	81
PID 3860 wrote to memory of 2092	3860	83BC.exe	81
PID 2092 wrote to memory of 4492	2092	83BC.exe	83
PID 2092 wrote to memory of 4492	2092	83BC.exe	83
PID 2092 wrote to memory of 4492	2092	83BC.exe	83
PID 4492 wrote to memory of 4576	4492	5.exe	84
PID 4492 wrote to memory of 4576	4492	5.exe	84
PID 4492 wrote to memory of 4576	4492	5.exe	84
PID 4576 wrote to memory of 1060	4576	cmd.exe	86
PID 4576 wrote to memory of 1060	4576	cmd.exe	86
PID 4576 wrote to memory of 1060	4576	cmd.exe	86
PID 4576 wrote to memory of 1572	4576	cmd.exe	88
PID 4576 wrote to memory of 1572	4576	cmd.exe	88
PID 4576 wrote to memory of 1572	4576	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\5ed271e10ba37319d01d44acd33489a7.exe
"C:\Users\Admin\AppData\Local\Temp\5ed271e10ba37319d01d44acd33489a7.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4692

C:\Users\Admin\AppData\Local\Temp\83BC.exe
C:\Users\Admin\AppData\Local\Temp\83BC.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\1f4c770b-4986-4077-8605-89271a4909d1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:4052
- C:\Users\Admin\AppData\Local\Temp\83BC.exe
  "C:\Users\Admin\AppData\Local\Temp\83BC.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\5292010b-e843-4231-a185-7f89f508ceb4\5.exe
    "C:\Users\Admin\AppData\Local\5292010b-e843-4231-a185-7f89f508ceb4\5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\5292010b-e843-4231-a185-7f89f508ceb4\5.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:1572

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3220

C:\Users\Admin\AppData\Local\1f4c770b-4986-4077-8605-89271a4909d1\83BC.exe
C:\Users\Admin\AppData\Local\1f4c770b-4986-4077-8605-89271a4909d1\83BC.exe --Task
1⤵
- Executes dropped EXE
PID:2052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-20-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2092-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3128-6-0x0000000000B30000-0x0000000000B46000-memory.dmp

Filesize
88KB

Download
memory/3220-11-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/3220-12-0x0000000000720000-0x000000000072B000-memory.dmp

Filesize
44KB

Download
memory/3860-14-0x0000000003260000-0x000000000337A000-memory.dmp

Filesize
1.1MB

Download
memory/3860-13-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/3860-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4692-2-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4692-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4692-3-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download