smokeloader | cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d

General

Target

61cb66b049958cb48db0f5b33f96ae4f.exe
Size

311KB
MD5

61cb66b049958cb48db0f5b33f96ae4f
SHA1

ab128a4c170927bc46f28977ac26f1d1264bd6e2
SHA256

cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d
SHA512

01d8bf2c755b6314c342b4e3733042dbe164dbd01e5cbae46306acb1cc9ff252342e70a40dff069f84d6f55bb56055933e5a2c491bada862fadf227728420f1f

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3036
Suspicious use of SetThreadContext 1 IoCs

Processes:

61cb66b049958cb48db0f5b33f96ae4f.exe

description pid process target process

PID 3016 set thread context of 2764 3016 61cb66b049958cb48db0f5b33f96ae4f.exe 61cb66b049958cb48db0f5b33f96ae4f.exe

pid	process
3036

description	pid	process	target process
PID 3016 set thread context of 2764	3016	61cb66b049958cb48db0f5b33f96ae4f.exe	61cb66b049958cb48db0f5b33f96ae4f.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

61cb66b049958cb48db0f5b33f96ae4f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61cb66b049958cb48db0f5b33f96ae4f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61cb66b049958cb48db0f5b33f96ae4f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61cb66b049958cb48db0f5b33f96ae4f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

61cb66b049958cb48db0f5b33f96ae4f.exe

pid	process
2764	61cb66b049958cb48db0f5b33f96ae4f.exe
2764	61cb66b049958cb48db0f5b33f96ae4f.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

61cb66b049958cb48db0f5b33f96ae4f.exe

pid process

2764 61cb66b049958cb48db0f5b33f96ae4f.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3036

pid	process
3036

pid	process
3036

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

61cb66b049958cb48db0f5b33f96ae4f.exe

description	pid	process	target process
PID 3016 wrote to memory of 2764	3016	61cb66b049958cb48db0f5b33f96ae4f.exe	61cb66b049958cb48db0f5b33f96ae4f.exe
PID 3016 wrote to memory of 2764	3016	61cb66b049958cb48db0f5b33f96ae4f.exe	61cb66b049958cb48db0f5b33f96ae4f.exe
PID 3016 wrote to memory of 2764	3016	61cb66b049958cb48db0f5b33f96ae4f.exe	61cb66b049958cb48db0f5b33f96ae4f.exe
PID 3016 wrote to memory of 2764	3016	61cb66b049958cb48db0f5b33f96ae4f.exe	61cb66b049958cb48db0f5b33f96ae4f.exe
PID 3016 wrote to memory of 2764	3016	61cb66b049958cb48db0f5b33f96ae4f.exe	61cb66b049958cb48db0f5b33f96ae4f.exe
PID 3016 wrote to memory of 2764	3016	61cb66b049958cb48db0f5b33f96ae4f.exe	61cb66b049958cb48db0f5b33f96ae4f.exe
PID 3036 wrote to memory of 1108	3036		explorer.exe
PID 3036 wrote to memory of 1108	3036		explorer.exe
PID 3036 wrote to memory of 1108	3036		explorer.exe
PID 3036 wrote to memory of 1108	3036		explorer.exe
PID 3036 wrote to memory of 3680	3036		explorer.exe
PID 3036 wrote to memory of 3680	3036		explorer.exe
PID 3036 wrote to memory of 3680	3036		explorer.exe
PID 3036 wrote to memory of 3636	3036		explorer.exe
PID 3036 wrote to memory of 3636	3036		explorer.exe
PID 3036 wrote to memory of 3636	3036		explorer.exe
PID 3036 wrote to memory of 3636	3036		explorer.exe
PID 3036 wrote to memory of 3720	3036		explorer.exe
PID 3036 wrote to memory of 3720	3036		explorer.exe
PID 3036 wrote to memory of 3720	3036		explorer.exe
PID 3036 wrote to memory of 1164	3036		explorer.exe
PID 3036 wrote to memory of 1164	3036		explorer.exe
PID 3036 wrote to memory of 1164	3036		explorer.exe
PID 3036 wrote to memory of 1164	3036		explorer.exe
PID 3036 wrote to memory of 788	3036		explorer.exe
PID 3036 wrote to memory of 788	3036		explorer.exe
PID 3036 wrote to memory of 788	3036		explorer.exe
PID 3036 wrote to memory of 2132	3036		explorer.exe
PID 3036 wrote to memory of 2132	3036		explorer.exe
PID 3036 wrote to memory of 2132	3036		explorer.exe
PID 3036 wrote to memory of 2132	3036		explorer.exe
PID 3036 wrote to memory of 3960	3036		explorer.exe
PID 3036 wrote to memory of 3960	3036		explorer.exe
PID 3036 wrote to memory of 3960	3036		explorer.exe
PID 3036 wrote to memory of 1248	3036		explorer.exe
PID 3036 wrote to memory of 1248	3036		explorer.exe
PID 3036 wrote to memory of 1248	3036		explorer.exe
PID 3036 wrote to memory of 1248	3036		explorer.exe

C:\Users\Admin\AppData\Local\Temp\61cb66b049958cb48db0f5b33f96ae4f.exe
"C:\Users\Admin\AppData\Local\Temp\61cb66b049958cb48db0f5b33f96ae4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\61cb66b049958cb48db0f5b33f96ae4f.exe
"C:\Users\Admin\AppData\Local\Temp\61cb66b049958cb48db0f5b33f96ae4f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1108

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3636

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3720

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1164

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:788

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2132

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-135-0x0000000000950000-0x000000000095C000-memory.dmp

Filesize
48KB

Download
memory/788-134-0x0000000000960000-0x0000000000966000-memory.dmp

Filesize
24KB

Download
memory/788-133-0x0000000000000000-mapping.dmp

Download
memory/1108-118-0x0000000000000000-mapping.dmp

Download
memory/1108-120-0x0000000000C00000-0x0000000000C6B000-memory.dmp

Filesize
428KB

Download
memory/1108-119-0x0000000000C70000-0x0000000000CE4000-memory.dmp

Filesize
464KB

Download
memory/1164-132-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/1164-131-0x00000000007D0000-0x00000000007D5000-memory.dmp

Filesize
20KB

Download
memory/1164-130-0x0000000000000000-mapping.dmp

Download
memory/1248-142-0x0000000000000000-mapping.dmp

Download
memory/1248-144-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/1248-143-0x0000000000510000-0x0000000000515000-memory.dmp

Filesize
20KB

Download
memory/2132-137-0x0000000000BD0000-0x0000000000BD4000-memory.dmp

Filesize
16KB

Download
memory/2132-138-0x0000000000BC0000-0x0000000000BC9000-memory.dmp

Filesize
36KB

Download
memory/2132-136-0x0000000000000000-mapping.dmp

Download
memory/2764-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2764-115-0x0000000000402E1A-mapping.dmp

Download
memory/3016-116-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3036-117-0x00000000006A0000-0x00000000006B6000-memory.dmp

Filesize
88KB

Download
memory/3636-126-0x0000000000580000-0x000000000058B000-memory.dmp

Filesize
44KB

Download
memory/3636-125-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/3636-124-0x0000000000000000-mapping.dmp

Download
memory/3680-121-0x0000000000000000-mapping.dmp

Download
memory/3680-122-0x0000000000AF0000-0x0000000000AF7000-memory.dmp

Filesize
28KB

Download
memory/3680-123-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/3720-129-0x00000000001B0000-0x00000000001BF000-memory.dmp

Filesize
60KB

Download
memory/3720-128-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/3720-127-0x0000000000000000-mapping.dmp

Download
memory/3960-139-0x0000000000000000-mapping.dmp

Download
memory/3960-140-0x00000000009E0000-0x00000000009E5000-memory.dmp

Filesize
20KB

Download
memory/3960-141-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads