smokeloader | 879f63c384febbffc5845be57df9c7ef33234b584f8059a38a3f4aafa2bc37e9

General

Target

30e58538e3ddab70cc1edda521bfbba6.exe
Size

233KB
MD5

30e58538e3ddab70cc1edda521bfbba6
SHA1

862591b95d16216f74b6b197de4f4740a881ccb8
SHA256

879f63c384febbffc5845be57df9c7ef33234b584f8059a38a3f4aafa2bc37e9
SHA512

08de8cf30f6061c3f4057d617e2e8bc4be5e24a1b5a339d29bfa9655682f0f7f07301866436309a368a0af8efc4f6682d63532105ec62aff4b96c73504d26703

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

tjrasfwtjrasfw

pid process

4032 tjrasfw
4136 tjrasfw
Deletes itself 1 IoCs

Processes:

pid process

3008
Loads dropped DLL 1 IoCs

Processes:

30e58538e3ddab70cc1edda521bfbba6.exe

pid process

5072 30e58538e3ddab70cc1edda521bfbba6.exe

pid	process
4032	tjrasfw
4136	tjrasfw

pid	process
3008

Suspicious use of SetThreadContext 2 IoCs

Processes:

30e58538e3ddab70cc1edda521bfbba6.exetjrasfw

description	pid	process	target process
PID 4448 set thread context of 5072	4448	30e58538e3ddab70cc1edda521bfbba6.exe	30e58538e3ddab70cc1edda521bfbba6.exe
PID 4032 set thread context of 4136	4032	tjrasfw	tjrasfw

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

30e58538e3ddab70cc1edda521bfbba6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	30e58538e3ddab70cc1edda521bfbba6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	30e58538e3ddab70cc1edda521bfbba6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	30e58538e3ddab70cc1edda521bfbba6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

30e58538e3ddab70cc1edda521bfbba6.exe

pid	process
5072	30e58538e3ddab70cc1edda521bfbba6.exe
5072	30e58538e3ddab70cc1edda521bfbba6.exe
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3008
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

30e58538e3ddab70cc1edda521bfbba6.exe

pid process

5072 30e58538e3ddab70cc1edda521bfbba6.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3008
Token: SeCreatePagefilePrivilege 3008
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3008

pid	process
3008

description	pid	process
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008

pid	process
3008

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

30e58538e3ddab70cc1edda521bfbba6.exetjrasfw

description	pid	process	target process
PID 4448 wrote to memory of 5072	4448	30e58538e3ddab70cc1edda521bfbba6.exe	30e58538e3ddab70cc1edda521bfbba6.exe
PID 4448 wrote to memory of 5072	4448	30e58538e3ddab70cc1edda521bfbba6.exe	30e58538e3ddab70cc1edda521bfbba6.exe
PID 4448 wrote to memory of 5072	4448	30e58538e3ddab70cc1edda521bfbba6.exe	30e58538e3ddab70cc1edda521bfbba6.exe
PID 4448 wrote to memory of 5072	4448	30e58538e3ddab70cc1edda521bfbba6.exe	30e58538e3ddab70cc1edda521bfbba6.exe
PID 4448 wrote to memory of 5072	4448	30e58538e3ddab70cc1edda521bfbba6.exe	30e58538e3ddab70cc1edda521bfbba6.exe
PID 4448 wrote to memory of 5072	4448	30e58538e3ddab70cc1edda521bfbba6.exe	30e58538e3ddab70cc1edda521bfbba6.exe
PID 4032 wrote to memory of 4136	4032	tjrasfw	tjrasfw
PID 4032 wrote to memory of 4136	4032	tjrasfw	tjrasfw
PID 4032 wrote to memory of 4136	4032	tjrasfw	tjrasfw
PID 4032 wrote to memory of 4136	4032	tjrasfw	tjrasfw
PID 4032 wrote to memory of 4136	4032	tjrasfw	tjrasfw
PID 4032 wrote to memory of 4136	4032	tjrasfw	tjrasfw

C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe
"C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe
"C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe"
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5072

C:\Users\Admin\AppData\Roaming\tjrasfw
C:\Users\Admin\AppData\Roaming\tjrasfw
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Roaming\tjrasfw
C:\Users\Admin\AppData\Roaming\tjrasfw
2⤵
- Executes dropped EXE
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AE30.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
C:\Users\Admin\AppData\Roaming\tjrasfw
MD5
30e58538e3ddab70cc1edda521bfbba6

SHA1
862591b95d16216f74b6b197de4f4740a881ccb8

SHA256
879f63c384febbffc5845be57df9c7ef33234b584f8059a38a3f4aafa2bc37e9

SHA512
08de8cf30f6061c3f4057d617e2e8bc4be5e24a1b5a339d29bfa9655682f0f7f07301866436309a368a0af8efc4f6682d63532105ec62aff4b96c73504d26703

Download Submit
C:\Users\Admin\AppData\Roaming\tjrasfw
MD5
30e58538e3ddab70cc1edda521bfbba6

SHA1
862591b95d16216f74b6b197de4f4740a881ccb8

SHA256
879f63c384febbffc5845be57df9c7ef33234b584f8059a38a3f4aafa2bc37e9

SHA512
08de8cf30f6061c3f4057d617e2e8bc4be5e24a1b5a339d29bfa9655682f0f7f07301866436309a368a0af8efc4f6682d63532105ec62aff4b96c73504d26703

Download Submit
C:\Users\Admin\AppData\Roaming\tjrasfw
MD5
30e58538e3ddab70cc1edda521bfbba6

SHA1
862591b95d16216f74b6b197de4f4740a881ccb8

SHA256
879f63c384febbffc5845be57df9c7ef33234b584f8059a38a3f4aafa2bc37e9

SHA512
08de8cf30f6061c3f4057d617e2e8bc4be5e24a1b5a339d29bfa9655682f0f7f07301866436309a368a0af8efc4f6682d63532105ec62aff4b96c73504d26703

Download Submit
\Users\Admin\AppData\Local\Temp\AE30.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/3008-118-0x0000000000660000-0x0000000000677000-memory.dmp

Filesize
92KB

Download
memory/4032-125-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/4136-122-0x0000000000402F68-mapping.dmp

Download
memory/4448-117-0x0000000002C70000-0x0000000002DBA000-memory.dmp

Filesize
1.3MB

Download
memory/5072-114-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5072-115-0x0000000000402F68-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads