smokeloader | 3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41

General

Target

pub3.exe
Size

335KB
MD5

e34cba52b1206c828978872b9338f430
SHA1

7b03d09434b98a479c8b3e84a2abf990e3918b93
SHA256

3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41
SHA512

62ece1d4a19e5572fb2a2af9c9810f56fa95e9449b4133a5ce4635e928c237de48bdac0b480ef70c7a59ba0f287bd409ab618b1e4ffe557b41070a5cd16d1353

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

B717.exeSmartClock.exesrhvfhusrhvfhu

pid process

420 B717.exe
2188 SmartClock.exe
1120 srhvfhu
1416 srhvfhu
Deletes itself 1 IoCs

Processes:

pid process

3024
Drops startup file 1 IoCs

Processes:

B717.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk B717.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
420	B717.exe
2188	SmartClock.exe
1120	srhvfhu
1416	srhvfhu

pid	process
3024

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	B717.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub3.exesrhvfhusrhvfhu

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	srhvfhu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	srhvfhu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	srhvfhu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	srhvfhu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	srhvfhu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	srhvfhu

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

2188 SmartClock.exe

pid	process
2188	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub3.exe

pid	process
4004	pub3.exe
4004	pub3.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

pub3.exesrhvfhusrhvfhu

pid process

4004 pub3.exe
1120 srhvfhu
1416 srhvfhu

pid	process
3024

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

B717.exe

description	pid	process	target process
PID 3024 wrote to memory of 420	3024		B717.exe
PID 3024 wrote to memory of 420	3024		B717.exe
PID 3024 wrote to memory of 420	3024		B717.exe
PID 420 wrote to memory of 2188	420	B717.exe	SmartClock.exe
PID 420 wrote to memory of 2188	420	B717.exe	SmartClock.exe
PID 420 wrote to memory of 2188	420	B717.exe	SmartClock.exe

C:\Users\Admin\AppData\Local\Temp\pub3.exe
"C:\Users\Admin\AppData\Local\Temp\pub3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4004

C:\Users\Admin\AppData\Local\Temp\B717.exe
C:\Users\Admin\AppData\Local\Temp\B717.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:420

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:2188

C:\Users\Admin\AppData\Roaming\srhvfhu
C:\Users\Admin\AppData\Roaming\srhvfhu
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1120

C:\Users\Admin\AppData\Roaming\srhvfhu
C:\Users\Admin\AppData\Roaming\srhvfhu
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B717.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\B717.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
C:\Users\Admin\AppData\Roaming\srhvfhu
MD5
e34cba52b1206c828978872b9338f430

SHA1
7b03d09434b98a479c8b3e84a2abf990e3918b93

SHA256
3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41

SHA512
62ece1d4a19e5572fb2a2af9c9810f56fa95e9449b4133a5ce4635e928c237de48bdac0b480ef70c7a59ba0f287bd409ab618b1e4ffe557b41070a5cd16d1353

Download Submit
C:\Users\Admin\AppData\Roaming\srhvfhu
MD5
e34cba52b1206c828978872b9338f430

SHA1
7b03d09434b98a479c8b3e84a2abf990e3918b93

SHA256
3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41

SHA512
62ece1d4a19e5572fb2a2af9c9810f56fa95e9449b4133a5ce4635e928c237de48bdac0b480ef70c7a59ba0f287bd409ab618b1e4ffe557b41070a5cd16d1353

Download Submit
C:\Users\Admin\AppData\Roaming\srhvfhu
MD5
e34cba52b1206c828978872b9338f430

SHA1
7b03d09434b98a479c8b3e84a2abf990e3918b93

SHA256
3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41

SHA512
62ece1d4a19e5572fb2a2af9c9810f56fa95e9449b4133a5ce4635e928c237de48bdac0b480ef70c7a59ba0f287bd409ab618b1e4ffe557b41070a5cd16d1353

Download Submit
memory/420-119-0x0000000000000000-mapping.dmp

Download
memory/420-122-0x0000000000871000-0x00000000008F1000-memory.dmp

Filesize
512KB

Download
memory/420-124-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/420-123-0x00000000005F0000-0x000000000073A000-memory.dmp

Filesize
1.3MB

Download
memory/1120-134-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download
memory/1120-133-0x0000000000AF1000-0x0000000000B02000-memory.dmp

Filesize
68KB

Download
memory/1416-137-0x0000000000B14000-0x0000000000B24000-memory.dmp

Filesize
64KB

Download
memory/1416-138-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download
memory/2188-128-0x0000000000831000-0x00000000008B1000-memory.dmp

Filesize
512KB

Download
memory/2188-129-0x00000000005F0000-0x0000000000681000-memory.dmp

Filesize
580KB

Download
memory/2188-130-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/2188-125-0x0000000000000000-mapping.dmp

Download
memory/3024-118-0x00000000007A0000-0x00000000007B6000-memory.dmp

Filesize
88KB

Download
memory/3024-135-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/3024-139-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/4004-116-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4004-117-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads