smokeloader | c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24

General

Target

c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Size

139KB
MD5

3e201fc20a90e669990e2994d2114b83
SHA1

24bfc9636c793e7ceb309b08e319b2d925a080bd
SHA256

c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24
SHA512

4dae9203c1003ca32600d153d7a9f08fa3c50d7c665ee81d4d7608d8f47354e48493d4bb39af2a3259c7882ca0ba38f4db52033b0df3ddf4321cb7118b228591

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

rrbfjwhrrbfjwh

pid process

1400 rrbfjwh
1632 rrbfjwh
Deletes itself 1 IoCs

Processes:

pid process

1228

pid	process
1400	rrbfjwh
1632	rrbfjwh

pid	process
1228

Suspicious use of SetThreadContext 2 IoCs

Processes:

c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exerrbfjwh

description	pid	process	target process
PID 1592 set thread context of 956	1592	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
PID 1400 set thread context of 1632	1400	rrbfjwh	rrbfjwh

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rrbfjwhc8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rrbfjwh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rrbfjwh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rrbfjwh

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe

pid	process
956	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
956	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1228
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exerrbfjwh

pid process

956 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
1632 rrbfjwh
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1228
Token: SeShutdownPrivilege 1228
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1228
1228
1228
1228
1228
1228
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1228
1228
1228
1228
1228
1228

pid	process
1228

description	pid	process
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228

pid	process
1228
1228
1228
1228
1228
1228

pid	process
1228
1228
1228
1228
1228
1228

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exetaskeng.exerrbfjwhtaskeng.exe

description	pid	process	target process
PID 1592 wrote to memory of 956	1592	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
PID 1592 wrote to memory of 956	1592	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
PID 1592 wrote to memory of 956	1592	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
PID 1592 wrote to memory of 956	1592	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
PID 1592 wrote to memory of 956	1592	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
PID 1592 wrote to memory of 956	1592	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
PID 1592 wrote to memory of 956	1592	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe	c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
PID 1992 wrote to memory of 1400	1992	taskeng.exe	rrbfjwh
PID 1992 wrote to memory of 1400	1992	taskeng.exe	rrbfjwh
PID 1992 wrote to memory of 1400	1992	taskeng.exe	rrbfjwh
PID 1992 wrote to memory of 1400	1992	taskeng.exe	rrbfjwh
PID 1400 wrote to memory of 1632	1400	rrbfjwh	rrbfjwh
PID 1400 wrote to memory of 1632	1400	rrbfjwh	rrbfjwh
PID 1400 wrote to memory of 1632	1400	rrbfjwh	rrbfjwh
PID 1400 wrote to memory of 1632	1400	rrbfjwh	rrbfjwh
PID 1400 wrote to memory of 1632	1400	rrbfjwh	rrbfjwh
PID 1400 wrote to memory of 1632	1400	rrbfjwh	rrbfjwh
PID 1400 wrote to memory of 1632	1400	rrbfjwh	rrbfjwh
PID 1904 wrote to memory of 1384	1904	taskeng.exe	default-browser-agent.exe
PID 1904 wrote to memory of 1384	1904	taskeng.exe	default-browser-agent.exe
PID 1904 wrote to memory of 1384	1904	taskeng.exe	default-browser-agent.exe

C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
"C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
"C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:956

C:\Windows\system32\taskeng.exe
taskeng.exe {4C70E113-7879-45EF-9F8A-8DDCEDC99E1E} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Roaming\rrbfjwh
C:\Users\Admin\AppData\Roaming\rrbfjwh
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\rrbfjwh
C:\Users\Admin\AppData\Roaming\rrbfjwh
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1632

C:\Windows\system32\taskeng.exe
taskeng.exe {16492704-EB3D-4162-A770-77DAA80EC853} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {DA89C77D-6D9A-4B6B-A16E-50B3C3237678} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rrbfjwh
MD5
3e201fc20a90e669990e2994d2114b83

SHA1
24bfc9636c793e7ceb309b08e319b2d925a080bd

SHA256
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24

SHA512
4dae9203c1003ca32600d153d7a9f08fa3c50d7c665ee81d4d7608d8f47354e48493d4bb39af2a3259c7882ca0ba38f4db52033b0df3ddf4321cb7118b228591

Download Submit
C:\Users\Admin\AppData\Roaming\rrbfjwh
MD5
3e201fc20a90e669990e2994d2114b83

SHA1
24bfc9636c793e7ceb309b08e319b2d925a080bd

SHA256
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24

SHA512
4dae9203c1003ca32600d153d7a9f08fa3c50d7c665ee81d4d7608d8f47354e48493d4bb39af2a3259c7882ca0ba38f4db52033b0df3ddf4321cb7118b228591

Download Submit
C:\Users\Admin\AppData\Roaming\rrbfjwh
MD5
3e201fc20a90e669990e2994d2114b83

SHA1
24bfc9636c793e7ceb309b08e319b2d925a080bd

SHA256
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24

SHA512
4dae9203c1003ca32600d153d7a9f08fa3c50d7c665ee81d4d7608d8f47354e48493d4bb39af2a3259c7882ca0ba38f4db52033b0df3ddf4321cb7118b228591

Download Submit
memory/956-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/956-55-0x0000000000402FA5-mapping.dmp

Download
memory/956-56-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1228-58-0x0000000002A90000-0x0000000002AA6000-memory.dmp

Filesize
88KB

Download
memory/1228-66-0x0000000002BB0000-0x0000000002BC6000-memory.dmp

Filesize
88KB

Download
memory/1384-67-0x0000000000000000-mapping.dmp

Download
memory/1400-60-0x0000000000000000-mapping.dmp

Download
memory/1592-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1632-63-0x0000000000402FA5-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads