smokeloader | c97f7b2a1d29e6ab8e802c3c814e1962452a9ab375a0f0c13ef6d4e4edefe9c2

General

Target

e32070f84919d59178bd08cfd39c9a4f.exe
Size

317KB
MD5

e32070f84919d59178bd08cfd39c9a4f
SHA1

f02c69af0907b7c7c434b23c6aa7746901ce4d05
SHA256

c97f7b2a1d29e6ab8e802c3c814e1962452a9ab375a0f0c13ef6d4e4edefe9c2
SHA512

d119b278fa397d3bc73c5ccdb8443bf1124e13e84f02ef00e22f3e33f4ffcb5b11dc0e3473265c56488086058360101c389d5fc4e65ecbebe66d0b388d9c0512

Score

10^/10

smokeloader vidar 408 backdoor evasion stealer suricata themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

vidar

Version

39.7

Botnet

408

C2

https://shpak125.tumblr.com/

Attributes

profile_id
408

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1072-74-0x0000000000220000-0x00000000002BD000-memory.dmp	family_vidar
behavioral1/memory/1072-81-0x0000000000400000-0x00000000004C3000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

93F6.exeB08B.exeB453.exeBE14.exeC102.exeCE0E.exe

pid process

568 93F6.exe
1072 B08B.exe
1060 B453.exe
1880 BE14.exe
1604 C102.exe
564 CE0E.exe

pid	process
568	93F6.exe
1072	B08B.exe
1060	B453.exe
1880	BE14.exe
1604	C102.exe
564	CE0E.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CE0E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CE0E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CE0E.exe

Deletes itself 1 IoCs

Processes:

pid process

1224

pid	process
1224

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CE0E.exe	themida
behavioral1/memory/564-90-0x00000000011B0000-0x00000000011B1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

CE0E.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CE0E.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

CE0E.exe

pid process

564 CE0E.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

e32070f84919d59178bd08cfd39c9a4f.exe

description pid process target process

PID 1996 set thread context of 1220 1996 e32070f84919d59178bd08cfd39c9a4f.exe e32070f84919d59178bd08cfd39c9a4f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CE0E.exe

pid	process
564	CE0E.exe

description	pid	process	target process
PID 1996 set thread context of 1220	1996	e32070f84919d59178bd08cfd39c9a4f.exe	e32070f84919d59178bd08cfd39c9a4f.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e32070f84919d59178bd08cfd39c9a4f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e32070f84919d59178bd08cfd39c9a4f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e32070f84919d59178bd08cfd39c9a4f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e32070f84919d59178bd08cfd39c9a4f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e32070f84919d59178bd08cfd39c9a4f.exe

pid	process
1220	e32070f84919d59178bd08cfd39c9a4f.exe
1220	e32070f84919d59178bd08cfd39c9a4f.exe
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1224
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e32070f84919d59178bd08cfd39c9a4f.exe

pid process

1220 e32070f84919d59178bd08cfd39c9a4f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1224
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1224
1224
1224
1224
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1224
1224
1224
1224
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

93F6.exe

pid process

568 93F6.exe

pid	process
1224

description	pid	process
Token: SeShutdownPrivilege	1224

pid	process
1224
1224
1224
1224

pid	process
1224
1224
1224
1224

pid	process
568	93F6.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

e32070f84919d59178bd08cfd39c9a4f.exe

description	pid	process	target process
PID 1996 wrote to memory of 1220	1996	e32070f84919d59178bd08cfd39c9a4f.exe	e32070f84919d59178bd08cfd39c9a4f.exe
PID 1996 wrote to memory of 1220	1996	e32070f84919d59178bd08cfd39c9a4f.exe	e32070f84919d59178bd08cfd39c9a4f.exe
PID 1996 wrote to memory of 1220	1996	e32070f84919d59178bd08cfd39c9a4f.exe	e32070f84919d59178bd08cfd39c9a4f.exe
PID 1996 wrote to memory of 1220	1996	e32070f84919d59178bd08cfd39c9a4f.exe	e32070f84919d59178bd08cfd39c9a4f.exe
PID 1996 wrote to memory of 1220	1996	e32070f84919d59178bd08cfd39c9a4f.exe	e32070f84919d59178bd08cfd39c9a4f.exe
PID 1996 wrote to memory of 1220	1996	e32070f84919d59178bd08cfd39c9a4f.exe	e32070f84919d59178bd08cfd39c9a4f.exe
PID 1996 wrote to memory of 1220	1996	e32070f84919d59178bd08cfd39c9a4f.exe	e32070f84919d59178bd08cfd39c9a4f.exe
PID 1224 wrote to memory of 568	1224		93F6.exe
PID 1224 wrote to memory of 568	1224		93F6.exe
PID 1224 wrote to memory of 568	1224		93F6.exe
PID 1224 wrote to memory of 568	1224		93F6.exe
PID 1224 wrote to memory of 1072	1224		B08B.exe
PID 1224 wrote to memory of 1072	1224		B08B.exe
PID 1224 wrote to memory of 1072	1224		B08B.exe
PID 1224 wrote to memory of 1072	1224		B08B.exe
PID 1224 wrote to memory of 1060	1224		B453.exe
PID 1224 wrote to memory of 1060	1224		B453.exe
PID 1224 wrote to memory of 1060	1224		B453.exe
PID 1224 wrote to memory of 1060	1224		B453.exe
PID 1224 wrote to memory of 1880	1224		BE14.exe
PID 1224 wrote to memory of 1880	1224		BE14.exe
PID 1224 wrote to memory of 1880	1224		BE14.exe
PID 1224 wrote to memory of 1880	1224		BE14.exe
PID 1224 wrote to memory of 1604	1224		C102.exe
PID 1224 wrote to memory of 1604	1224		C102.exe
PID 1224 wrote to memory of 1604	1224		C102.exe
PID 1224 wrote to memory of 1604	1224		C102.exe
PID 1224 wrote to memory of 564	1224		CE0E.exe
PID 1224 wrote to memory of 564	1224		CE0E.exe
PID 1224 wrote to memory of 564	1224		CE0E.exe
PID 1224 wrote to memory of 564	1224		CE0E.exe
PID 1224 wrote to memory of 564	1224		CE0E.exe
PID 1224 wrote to memory of 564	1224		CE0E.exe
PID 1224 wrote to memory of 564	1224		CE0E.exe
PID 1224 wrote to memory of 1740	1224		DAFA.exe
PID 1224 wrote to memory of 1740	1224		DAFA.exe
PID 1224 wrote to memory of 1740	1224		DAFA.exe
PID 1224 wrote to memory of 1740	1224		DAFA.exe
PID 1224 wrote to memory of 1740	1224		DAFA.exe
PID 1224 wrote to memory of 1740	1224		DAFA.exe
PID 1224 wrote to memory of 1740	1224		DAFA.exe

C:\Users\Admin\AppData\Local\Temp\e32070f84919d59178bd08cfd39c9a4f.exe
"C:\Users\Admin\AppData\Local\Temp\e32070f84919d59178bd08cfd39c9a4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\e32070f84919d59178bd08cfd39c9a4f.exe
"C:\Users\Admin\AppData\Local\Temp\e32070f84919d59178bd08cfd39c9a4f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1220

C:\Users\Admin\AppData\Local\Temp\93F6.exe
C:\Users\Admin\AppData\Local\Temp\93F6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:568

C:\Users\Admin\AppData\Local\Temp\B08B.exe
C:\Users\Admin\AppData\Local\Temp\B08B.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\AppData\Local\Temp\B453.exe
C:\Users\Admin\AppData\Local\Temp\B453.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Users\Admin\AppData\Local\Temp\BE14.exe
C:\Users\Admin\AppData\Local\Temp\BE14.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Users\Admin\AppData\Local\Temp\C102.exe
C:\Users\Admin\AppData\Local\Temp\C102.exe
1⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Local\Temp\CE0E.exe
C:\Users\Admin\AppData\Local\Temp\CE0E.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:564

C:\Users\Admin\AppData\Local\Temp\DAFA.exe
C:\Users\Admin\AppData\Local\Temp\DAFA.exe
1⤵
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\93F6.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\B08B.exe
MD5
e3b131c40069c79c78ac5f63533e6e8c

SHA1
4100151e35bcd09c0e6192e15ace9a237cfa9d6d

SHA256
208517f209dab917900fe71d28f52aab4fa43c6443d906da9aedddf6c5aaf07a

SHA512
862b58b65075e7feeafb1bb26426fcd253513f6831426f84d464632163d8adfa2ebd9cdd50dc4d27bd0e81d3737a0472a5349108ad5bd90c7bc0832a27d5150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B453.exe
MD5
efcd1876a1e120794eaf59ca2469ab9c

SHA1
60b7f29f8ffb82dac8b6f0c6d5a31ec11df682b8

SHA256
2944952348c7d345f2205f72497251a03e3713298b561519f65d682728151012

SHA512
821ddf53dfec8ca5e3b9eb803ae389e1d72fc7c2f639fd5c937106bb32e0a9068eb1102cbce874599fbf81899c67c0b118a0521046f809e2e1f6fd356aa8980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE14.exe
MD5
efcd1876a1e120794eaf59ca2469ab9c

SHA1
60b7f29f8ffb82dac8b6f0c6d5a31ec11df682b8

SHA256
2944952348c7d345f2205f72497251a03e3713298b561519f65d682728151012

SHA512
821ddf53dfec8ca5e3b9eb803ae389e1d72fc7c2f639fd5c937106bb32e0a9068eb1102cbce874599fbf81899c67c0b118a0521046f809e2e1f6fd356aa8980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C102.exe
MD5
efcd1876a1e120794eaf59ca2469ab9c

SHA1
60b7f29f8ffb82dac8b6f0c6d5a31ec11df682b8

SHA256
2944952348c7d345f2205f72497251a03e3713298b561519f65d682728151012

SHA512
821ddf53dfec8ca5e3b9eb803ae389e1d72fc7c2f639fd5c937106bb32e0a9068eb1102cbce874599fbf81899c67c0b118a0521046f809e2e1f6fd356aa8980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE0E.exe
MD5
a1278cca92f8f83bc136b8c551e06cad

SHA1
6ba4fc48d0267e859dfe284c02d5eef600578ded

SHA256
bf48d9da3846be2cfb8134eb21718d88d210c35d5638ba42bb84999479f816a6

SHA512
421c7f05b8d151916d9318eb32bd1ab36004e7491c7edc962f019bc5c9822b9cabf89ea7a8d2d6bf3bc883bc0bf87cc44d1a924460731db6f9c9f33ac0bcc982

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/564-84-0x0000000000000000-mapping.dmp

Download
memory/564-90-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/568-65-0x0000000000000000-mapping.dmp

Download
memory/1060-70-0x0000000000000000-mapping.dmp

Download
memory/1060-78-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1072-74-0x0000000000220000-0x00000000002BD000-memory.dmp

Filesize
628KB

Download
memory/1072-81-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1072-68-0x0000000000000000-mapping.dmp

Download
memory/1220-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1220-62-0x0000000000402E1A-mapping.dmp

Download
memory/1220-63-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1224-64-0x0000000002AB0000-0x0000000002AC6000-memory.dmp

Filesize
88KB

Download
memory/1604-87-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1604-79-0x0000000000000000-mapping.dmp

Download
memory/1740-89-0x0000000000000000-mapping.dmp

Download
memory/1880-75-0x0000000000000000-mapping.dmp

Download
memory/1996-60-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads