smokeloader | 73e71254b57fbc49f7e55767aee9ff95507630171bbda89b5adf1907bc802279

Analysis

max time kernel
151s
max time network
121s
platform
windows10_x64
resource
win10v20210408
submitted
29-08-2021 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

566285f0bda34708c0f19e42f6d23929.exe
Size

143KB
MD5

566285f0bda34708c0f19e42f6d23929
SHA1

503bee4aeec4972757c079527a2e0af7bdc84b3a
SHA256

73e71254b57fbc49f7e55767aee9ff95507630171bbda89b5adf1907bc802279
SHA512

f98d64ed8f4b2cccae95a3baff21285e75dfb42baaa5d935893dc5809ca8b81c39eab32aaef16844998e57b22b450e4085ef09460f730e09eca17b9c3021306f

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

Processes:

pid	Process
2988

Suspicious use of SetThreadContext 1 IoCs

Processes:

566285f0bda34708c0f19e42f6d23929.exe

description	pid	Process	procid_target
PID 568 set thread context of 3788	568	566285f0bda34708c0f19e42f6d23929.exe	77

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

566285f0bda34708c0f19e42f6d23929.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	566285f0bda34708c0f19e42f6d23929.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	566285f0bda34708c0f19e42f6d23929.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	566285f0bda34708c0f19e42f6d23929.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

566285f0bda34708c0f19e42f6d23929.exe

pid	Process
3788	566285f0bda34708c0f19e42f6d23929.exe
3788	566285f0bda34708c0f19e42f6d23929.exe
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2988

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

566285f0bda34708c0f19e42f6d23929.exe

pid	Process
3788	566285f0bda34708c0f19e42f6d23929.exe
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2988

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

566285f0bda34708c0f19e42f6d23929.exe

description	pid	Process	procid_target
PID 568 wrote to memory of 3788	568	566285f0bda34708c0f19e42f6d23929.exe	77
PID 568 wrote to memory of 3788	568	566285f0bda34708c0f19e42f6d23929.exe	77
PID 568 wrote to memory of 3788	568	566285f0bda34708c0f19e42f6d23929.exe	77
PID 568 wrote to memory of 3788	568	566285f0bda34708c0f19e42f6d23929.exe	77
PID 568 wrote to memory of 3788	568	566285f0bda34708c0f19e42f6d23929.exe	77
PID 568 wrote to memory of 3788	568	566285f0bda34708c0f19e42f6d23929.exe	77
PID 2988 wrote to memory of 3032	2988		79
PID 2988 wrote to memory of 3032	2988		79
PID 2988 wrote to memory of 3032	2988		79
PID 2988 wrote to memory of 3032	2988		79
PID 2988 wrote to memory of 1252	2988		80
PID 2988 wrote to memory of 1252	2988		80
PID 2988 wrote to memory of 1252	2988		80
PID 2988 wrote to memory of 3904	2988		81
PID 2988 wrote to memory of 3904	2988		81
PID 2988 wrote to memory of 3904	2988		81
PID 2988 wrote to memory of 3904	2988		81
PID 2988 wrote to memory of 1504	2988		82
PID 2988 wrote to memory of 1504	2988		82
PID 2988 wrote to memory of 1504	2988		82
PID 2988 wrote to memory of 3692	2988		83
PID 2988 wrote to memory of 3692	2988		83
PID 2988 wrote to memory of 3692	2988		83
PID 2988 wrote to memory of 3692	2988		83
PID 2988 wrote to memory of 760	2988		84
PID 2988 wrote to memory of 760	2988		84
PID 2988 wrote to memory of 760	2988		84
PID 2988 wrote to memory of 4052	2988		85
PID 2988 wrote to memory of 4052	2988		85
PID 2988 wrote to memory of 4052	2988		85
PID 2988 wrote to memory of 4052	2988		85
PID 2988 wrote to memory of 844	2988		86
PID 2988 wrote to memory of 844	2988		86
PID 2988 wrote to memory of 844	2988		86
PID 2988 wrote to memory of 3916	2988		87
PID 2988 wrote to memory of 3916	2988		87
PID 2988 wrote to memory of 3916	2988		87
PID 2988 wrote to memory of 3916	2988		87

C:\Users\Admin\AppData\Local\Temp\566285f0bda34708c0f19e42f6d23929.exe
"C:\Users\Admin\AppData\Local\Temp\566285f0bda34708c0f19e42f6d23929.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Local\Temp\566285f0bda34708c0f19e42f6d23929.exe
  "C:\Users\Admin\AppData\Local\Temp\566285f0bda34708c0f19e42f6d23929.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3788

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3032

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3904

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3692

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4052

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-116-0x0000000001E60000-0x0000000001FAA000-memory.dmp

Filesize
1.3MB

Download
memory/760-133-0x0000000000000000-mapping.dmp

Download
memory/760-134-0x0000000000920000-0x0000000000926000-memory.dmp

Filesize
24KB

Download
memory/760-135-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/844-140-0x0000000000730000-0x0000000000735000-memory.dmp

Filesize
20KB

Download
memory/844-141-0x0000000000720000-0x0000000000729000-memory.dmp

Filesize
36KB

Download
memory/844-139-0x0000000000000000-mapping.dmp

Download
memory/1252-121-0x0000000000000000-mapping.dmp

Download
memory/1252-122-0x00000000008D0000-0x00000000008D7000-memory.dmp

Filesize
28KB

Download
memory/1252-123-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/1504-127-0x0000000000000000-mapping.dmp

Download
memory/1504-129-0x0000000000CA0000-0x0000000000CAF000-memory.dmp

Filesize
60KB

Download
memory/1504-128-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

Filesize
36KB

Download
memory/2988-117-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/3032-118-0x0000000000000000-mapping.dmp

Download
memory/3032-120-0x0000000002A80000-0x0000000002AEB000-memory.dmp

Filesize
428KB

Download
memory/3032-119-0x0000000002AF0000-0x0000000002B64000-memory.dmp

Filesize
464KB

Download
memory/3692-131-0x00000000027C0000-0x00000000027C5000-memory.dmp

Filesize
20KB

Download
memory/3692-130-0x0000000000000000-mapping.dmp

Download
memory/3692-132-0x00000000027B0000-0x00000000027B9000-memory.dmp

Filesize
36KB

Download
memory/3788-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3788-115-0x0000000000402FAB-mapping.dmp

Download
memory/3904-125-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/3904-126-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download
memory/3904-124-0x0000000000000000-mapping.dmp

Download
memory/3916-142-0x0000000000000000-mapping.dmp

Download
memory/3916-143-0x0000000002D50000-0x0000000002D55000-memory.dmp

Filesize
20KB

Download
memory/3916-144-0x0000000002D40000-0x0000000002D49000-memory.dmp

Filesize
36KB

Download
memory/4052-138-0x00000000027F0000-0x00000000027F9000-memory.dmp

Filesize
36KB

Download
memory/4052-137-0x0000000002A00000-0x0000000002A04000-memory.dmp

Filesize
16KB

Download
memory/4052-136-0x0000000000000000-mapping.dmp

Download