Overview

overview

10

Static

static

36f662b3c9...69.exe

windows7_x64

10

36f662b3c9...69.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • submitted
    01-01-1970 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36f662b3c9a54c0c2427602f1463eb69.exe

  • Size

    185KB

  • MD5

    36f662b3c9a54c0c2427602f1463eb69

  • SHA1

    7e46615097282ac51ef08d3e4ac7d65ce6684a07

  • SHA256

    d836a03e0b7eeabbc971de7d3e6fcc11bf06e13e633d11118c7429b3abb3c4ed

  • SHA512

    35b60c6da50b94484a77f40c3446beb1d5562128f5585731a09328140c68c7b57f1727cc0783b439dafb5660c93ca1bd4e1c3f443261545aaa9b22c0de9a1599

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://gejajoo7.top/

http://sysaheu9.top/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36f662b3c9a54c0c2427602f1463eb69.exe
    "C:\Users\Admin\AppData\Local\Temp\36f662b3c9a54c0c2427602f1463eb69.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Users\Admin\AppData\Local\Temp\36f662b3c9a54c0c2427602f1463eb69.exe
      "C:\Users\Admin\AppData\Local\Temp\36f662b3c9a54c0c2427602f1463eb69.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/820-59-0x0000000000230000-0x0000000000239000-memory.dmp
    Filesize

    36KB

    Download
  • memory/820-58-0x0000000000220000-0x0000000000228000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1176-56-0x0000000000402EE8-mapping.dmp
    Download
  • memory/1176-55-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1176-57-0x0000000075821000-0x0000000075823000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1216-60-0x0000000002B00000-0x0000000002B16000-memory.dmp
    Filesize

    88KB

    Download