smokeloader | 73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e

General

Target

73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
Size

145KB
MD5

7e2087a79b5fc0cfcc5561f65940ecbf
SHA1

52c9cbabe18d53a72297d026e63f81e9741dec7f
SHA256

73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e
SHA512

d197d34b19bb4682e97ccd68b617763a80d326faaa7d3730812bf5318d0785ce10568faf538703b29b561d7a1a37e5ad0a2b9fb36a7685ddd9558611983e4c63

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

facjjbrfacjjbr

pid process

3680 facjjbr
540 facjjbr
Deletes itself 1 IoCs

Processes:

pid process

3048

pid	process
3680	facjjbr
540	facjjbr

pid	process
3048

Suspicious use of SetThreadContext 2 IoCs

Processes:

73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exefacjjbr

description	pid	process	target process
PID 4648 set thread context of 4668	4648	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
PID 3680 set thread context of 540	3680	facjjbr	facjjbr

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

facjjbr73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	facjjbr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	facjjbr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	facjjbr

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe

pid	process
4668	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
4668	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exefacjjbr

pid process

4668 73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
540 facjjbr

pid	process
3048

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

3048
3048
3048
3048
3048
3048
3048
3048

pid	process
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exefacjjbr

description	pid	process	target process
PID 4648 wrote to memory of 4668	4648	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
PID 4648 wrote to memory of 4668	4648	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
PID 4648 wrote to memory of 4668	4648	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
PID 4648 wrote to memory of 4668	4648	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
PID 4648 wrote to memory of 4668	4648	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
PID 4648 wrote to memory of 4668	4648	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe	73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
PID 3680 wrote to memory of 540	3680	facjjbr	facjjbr
PID 3680 wrote to memory of 540	3680	facjjbr	facjjbr
PID 3680 wrote to memory of 540	3680	facjjbr	facjjbr
PID 3680 wrote to memory of 540	3680	facjjbr	facjjbr
PID 3680 wrote to memory of 540	3680	facjjbr	facjjbr
PID 3680 wrote to memory of 540	3680	facjjbr	facjjbr

C:\Users\Admin\AppData\Local\Temp\73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
"C:\Users\Admin\AppData\Local\Temp\73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe
"C:\Users\Admin\AppData\Local\Temp\73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4668

C:\Users\Admin\AppData\Roaming\facjjbr
C:\Users\Admin\AppData\Roaming\facjjbr
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Roaming\facjjbr
C:\Users\Admin\AppData\Roaming\facjjbr
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\facjjbr
MD5
7e2087a79b5fc0cfcc5561f65940ecbf

SHA1
52c9cbabe18d53a72297d026e63f81e9741dec7f

SHA256
73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e

SHA512
d197d34b19bb4682e97ccd68b617763a80d326faaa7d3730812bf5318d0785ce10568faf538703b29b561d7a1a37e5ad0a2b9fb36a7685ddd9558611983e4c63

Download Submit
C:\Users\Admin\AppData\Roaming\facjjbr
MD5
7e2087a79b5fc0cfcc5561f65940ecbf

SHA1
52c9cbabe18d53a72297d026e63f81e9741dec7f

SHA256
73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e

SHA512
d197d34b19bb4682e97ccd68b617763a80d326faaa7d3730812bf5318d0785ce10568faf538703b29b561d7a1a37e5ad0a2b9fb36a7685ddd9558611983e4c63

Download Submit
C:\Users\Admin\AppData\Roaming\facjjbr
MD5
7e2087a79b5fc0cfcc5561f65940ecbf

SHA1
52c9cbabe18d53a72297d026e63f81e9741dec7f

SHA256
73c9bb2632bfa7f213c3147a0840a893bf66bae988bf1d02a54c9098a202692e

SHA512
d197d34b19bb4682e97ccd68b617763a80d326faaa7d3730812bf5318d0785ce10568faf538703b29b561d7a1a37e5ad0a2b9fb36a7685ddd9558611983e4c63

Download Submit
memory/540-121-0x0000000000402FA5-mapping.dmp

Download
memory/3048-117-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

Filesize
88KB

Download
memory/3048-124-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/3680-123-0x00000000004B0000-0x00000000005FA000-memory.dmp

Filesize
1.3MB

Download
memory/4648-114-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/4668-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4668-116-0x0000000000402FA5-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads