smokeloader | 716821b6b210a9c8ae93af80ea648edd2ff944e6221e9900ff805c7df41731c0

General

Target

00426f4b3edf4a8c0d512222d5257696.exe
Size

146KB
MD5

00426f4b3edf4a8c0d512222d5257696
SHA1

84de454a9c3910e50048d7555c5836271d638216
SHA256

716821b6b210a9c8ae93af80ea648edd2ff944e6221e9900ff805c7df41731c0
SHA512

8649faa52f0235c4e07db005cc451fc2ef29cde922899d739ff409d2c8ed6c18c329cd2f349328333c56e3a2bf0686562cb0098f72089a8e98cc4e3386f5905d

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

civsiwhcivsiwh

pid process

1900 civsiwh
856 civsiwh
Deletes itself 1 IoCs

Processes:

pid process

1428

pid	process
1900	civsiwh
856	civsiwh

pid	process
1428

Suspicious use of SetThreadContext 2 IoCs

Processes:

00426f4b3edf4a8c0d512222d5257696.execivsiwh

description	pid	process	target process
PID 1164 set thread context of 1120	1164	00426f4b3edf4a8c0d512222d5257696.exe	00426f4b3edf4a8c0d512222d5257696.exe
PID 1900 set thread context of 856	1900	civsiwh	civsiwh

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

00426f4b3edf4a8c0d512222d5257696.execivsiwh

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	00426f4b3edf4a8c0d512222d5257696.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	00426f4b3edf4a8c0d512222d5257696.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	00426f4b3edf4a8c0d512222d5257696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	civsiwh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	civsiwh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	civsiwh

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

00426f4b3edf4a8c0d512222d5257696.exe

pid	process
1120	00426f4b3edf4a8c0d512222d5257696.exe
1120	00426f4b3edf4a8c0d512222d5257696.exe
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1428
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

00426f4b3edf4a8c0d512222d5257696.execivsiwh

pid process

1120 00426f4b3edf4a8c0d512222d5257696.exe
856 civsiwh
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1428
1428
1428
1428
1428
1428
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1428
1428
1428
1428
1428
1428

pid	process
1428

pid	process
1428
1428
1428
1428
1428
1428

pid	process
1428
1428
1428
1428
1428
1428

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

00426f4b3edf4a8c0d512222d5257696.exetaskeng.execivsiwh

description	pid	process	target process
PID 1164 wrote to memory of 1120	1164	00426f4b3edf4a8c0d512222d5257696.exe	00426f4b3edf4a8c0d512222d5257696.exe
PID 1164 wrote to memory of 1120	1164	00426f4b3edf4a8c0d512222d5257696.exe	00426f4b3edf4a8c0d512222d5257696.exe
PID 1164 wrote to memory of 1120	1164	00426f4b3edf4a8c0d512222d5257696.exe	00426f4b3edf4a8c0d512222d5257696.exe
PID 1164 wrote to memory of 1120	1164	00426f4b3edf4a8c0d512222d5257696.exe	00426f4b3edf4a8c0d512222d5257696.exe
PID 1164 wrote to memory of 1120	1164	00426f4b3edf4a8c0d512222d5257696.exe	00426f4b3edf4a8c0d512222d5257696.exe
PID 1164 wrote to memory of 1120	1164	00426f4b3edf4a8c0d512222d5257696.exe	00426f4b3edf4a8c0d512222d5257696.exe
PID 1164 wrote to memory of 1120	1164	00426f4b3edf4a8c0d512222d5257696.exe	00426f4b3edf4a8c0d512222d5257696.exe
PID 952 wrote to memory of 1900	952	taskeng.exe	civsiwh
PID 952 wrote to memory of 1900	952	taskeng.exe	civsiwh
PID 952 wrote to memory of 1900	952	taskeng.exe	civsiwh
PID 952 wrote to memory of 1900	952	taskeng.exe	civsiwh
PID 1900 wrote to memory of 856	1900	civsiwh	civsiwh
PID 1900 wrote to memory of 856	1900	civsiwh	civsiwh
PID 1900 wrote to memory of 856	1900	civsiwh	civsiwh
PID 1900 wrote to memory of 856	1900	civsiwh	civsiwh
PID 1900 wrote to memory of 856	1900	civsiwh	civsiwh
PID 1900 wrote to memory of 856	1900	civsiwh	civsiwh
PID 1900 wrote to memory of 856	1900	civsiwh	civsiwh

C:\Users\Admin\AppData\Local\Temp\00426f4b3edf4a8c0d512222d5257696.exe
"C:\Users\Admin\AppData\Local\Temp\00426f4b3edf4a8c0d512222d5257696.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\00426f4b3edf4a8c0d512222d5257696.exe
"C:\Users\Admin\AppData\Local\Temp\00426f4b3edf4a8c0d512222d5257696.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1120

C:\Windows\system32\taskeng.exe
taskeng.exe {26D17E51-E615-4108-8495-9A6B0173D5A9} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Roaming\civsiwh
C:\Users\Admin\AppData\Roaming\civsiwh
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Roaming\civsiwh
C:\Users\Admin\AppData\Roaming\civsiwh
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\civsiwh
MD5
00426f4b3edf4a8c0d512222d5257696

SHA1
84de454a9c3910e50048d7555c5836271d638216

SHA256
716821b6b210a9c8ae93af80ea648edd2ff944e6221e9900ff805c7df41731c0

SHA512
8649faa52f0235c4e07db005cc451fc2ef29cde922899d739ff409d2c8ed6c18c329cd2f349328333c56e3a2bf0686562cb0098f72089a8e98cc4e3386f5905d

Download Submit
C:\Users\Admin\AppData\Roaming\civsiwh
MD5
00426f4b3edf4a8c0d512222d5257696

SHA1
84de454a9c3910e50048d7555c5836271d638216

SHA256
716821b6b210a9c8ae93af80ea648edd2ff944e6221e9900ff805c7df41731c0

SHA512
8649faa52f0235c4e07db005cc451fc2ef29cde922899d739ff409d2c8ed6c18c329cd2f349328333c56e3a2bf0686562cb0098f72089a8e98cc4e3386f5905d

Download Submit
C:\Users\Admin\AppData\Roaming\civsiwh
MD5
00426f4b3edf4a8c0d512222d5257696

SHA1
84de454a9c3910e50048d7555c5836271d638216

SHA256
716821b6b210a9c8ae93af80ea648edd2ff944e6221e9900ff805c7df41731c0

SHA512
8649faa52f0235c4e07db005cc451fc2ef29cde922899d739ff409d2c8ed6c18c329cd2f349328333c56e3a2bf0686562cb0098f72089a8e98cc4e3386f5905d

Download Submit
memory/856-62-0x0000000000402FA5-mapping.dmp

Download
memory/1120-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1120-54-0x0000000000402FA5-mapping.dmp

Download
memory/1120-55-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1164-56-0x00000000003A0000-0x00000000003A9000-memory.dmp

Filesize
36KB

Download
memory/1428-57-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/1428-65-0x0000000003C70000-0x0000000003C86000-memory.dmp

Filesize
88KB

Download
memory/1900-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads