smokeloader | 4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486

General

Target

x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Size

194KB
MD5

ced17a3bd52eab4a5105c0e58945b9de
SHA1

8a49a9f44a9940f768f3c6c23fe568b9c56554c5
SHA256

4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486
SHA512

4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

avsieduavsiedu

pid process

624 avsiedu
676 avsiedu
Deletes itself 1 IoCs

Processes:

pid process

1212

pid	process
624	avsiedu
676	avsiedu

pid	process
1212

Suspicious use of SetThreadContext 2 IoCs

Processes:

x2BFjy8SRtdIV0VKlMSL7WDQ.exeavsiedu

description	pid	process	target process
PID 1240 set thread context of 1976	1240	x2BFjy8SRtdIV0VKlMSL7WDQ.exe	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
PID 624 set thread context of 676	624	avsiedu	avsiedu

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

avsiedux2BFjy8SRtdIV0VKlMSL7WDQ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avsiedu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avsiedu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avsiedu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	x2BFjy8SRtdIV0VKlMSL7WDQ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

x2BFjy8SRtdIV0VKlMSL7WDQ.exe

pid	process
1976	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
1976	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1212
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

x2BFjy8SRtdIV0VKlMSL7WDQ.exeavsiedu

pid process

1976 x2BFjy8SRtdIV0VKlMSL7WDQ.exe
676 avsiedu
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1212
1212
1212
1212
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1212
1212
1212
1212

pid	process
1212

pid	process
1212
1212
1212
1212

pid	process
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

x2BFjy8SRtdIV0VKlMSL7WDQ.exetaskeng.exeavsiedu

description	pid	process	target process
PID 1240 wrote to memory of 1976	1240	x2BFjy8SRtdIV0VKlMSL7WDQ.exe	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
PID 1240 wrote to memory of 1976	1240	x2BFjy8SRtdIV0VKlMSL7WDQ.exe	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
PID 1240 wrote to memory of 1976	1240	x2BFjy8SRtdIV0VKlMSL7WDQ.exe	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
PID 1240 wrote to memory of 1976	1240	x2BFjy8SRtdIV0VKlMSL7WDQ.exe	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
PID 1240 wrote to memory of 1976	1240	x2BFjy8SRtdIV0VKlMSL7WDQ.exe	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
PID 1240 wrote to memory of 1976	1240	x2BFjy8SRtdIV0VKlMSL7WDQ.exe	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
PID 1240 wrote to memory of 1976	1240	x2BFjy8SRtdIV0VKlMSL7WDQ.exe	x2BFjy8SRtdIV0VKlMSL7WDQ.exe
PID 276 wrote to memory of 624	276	taskeng.exe	avsiedu
PID 276 wrote to memory of 624	276	taskeng.exe	avsiedu
PID 276 wrote to memory of 624	276	taskeng.exe	avsiedu
PID 276 wrote to memory of 624	276	taskeng.exe	avsiedu
PID 624 wrote to memory of 676	624	avsiedu	avsiedu
PID 624 wrote to memory of 676	624	avsiedu	avsiedu
PID 624 wrote to memory of 676	624	avsiedu	avsiedu
PID 624 wrote to memory of 676	624	avsiedu	avsiedu
PID 624 wrote to memory of 676	624	avsiedu	avsiedu
PID 624 wrote to memory of 676	624	avsiedu	avsiedu
PID 624 wrote to memory of 676	624	avsiedu	avsiedu

C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe
"C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe
"C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1976

C:\Windows\system32\taskeng.exe
taskeng.exe {5A22CB79-F073-4F41-AF66-DD6C3809BF99} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Users\Admin\AppData\Roaming\avsiedu
C:\Users\Admin\AppData\Roaming\avsiedu
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Roaming\avsiedu
C:\Users\Admin\AppData\Roaming\avsiedu
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\avsiedu
MD5
ced17a3bd52eab4a5105c0e58945b9de

SHA1
8a49a9f44a9940f768f3c6c23fe568b9c56554c5

SHA256
4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486

SHA512
4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e

Download Submit
C:\Users\Admin\AppData\Roaming\avsiedu
MD5
ced17a3bd52eab4a5105c0e58945b9de

SHA1
8a49a9f44a9940f768f3c6c23fe568b9c56554c5

SHA256
4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486

SHA512
4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e

Download Submit
C:\Users\Admin\AppData\Roaming\avsiedu
MD5
ced17a3bd52eab4a5105c0e58945b9de

SHA1
8a49a9f44a9940f768f3c6c23fe568b9c56554c5

SHA256
4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486

SHA512
4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e

Download Submit
memory/624-66-0x0000000000000000-mapping.dmp

Download
memory/676-69-0x0000000000402E1A-mapping.dmp

Download
memory/1212-64-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/1212-72-0x0000000003AD0000-0x0000000003AE6000-memory.dmp

Filesize
88KB

Download
memory/1240-63-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/1976-62-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1976-61-0x0000000000402E1A-mapping.dmp

Download
memory/1976-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads