smokeloader | 47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b

General

Target

8696a4269e30ddb34a7e0e84629ede03.exe
Size

278KB
MD5

8696a4269e30ddb34a7e0e84629ede03
SHA1

125198e1f636ef118e468145d02e801a3ffe2a97
SHA256

47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b
SHA512

481ae35ec056de3c08ae167e7b2fea9352c82a7cd47ebbc46047270e1a0f518b3feece8ad6900d0a5ac5ca1b44c80da0e916504809e93e176933931d940cad96

Score

10^/10

smokeloader backdoor collection trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rsuehfidvdkfvk.top/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3044

pid	process
3044

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8696a4269e30ddb34a7e0e84629ede03.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8696a4269e30ddb34a7e0e84629ede03.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8696a4269e30ddb34a7e0e84629ede03.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8696a4269e30ddb34a7e0e84629ede03.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8696a4269e30ddb34a7e0e84629ede03.exe

pid	process
2904	8696a4269e30ddb34a7e0e84629ede03.exe
2904	8696a4269e30ddb34a7e0e84629ede03.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3044

pid	process
3044

Suspicious behavior: MapViewOfSection 27 IoCs

Processes:

8696a4269e30ddb34a7e0e84629ede03.exe

pid	process
2904	8696a4269e30ddb34a7e0e84629ede03.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

description	pid	target process
PID 3044 wrote to memory of 3968	3044	explorer.exe
PID 3044 wrote to memory of 3968	3044	explorer.exe
PID 3044 wrote to memory of 3968	3044	explorer.exe
PID 3044 wrote to memory of 3968	3044	explorer.exe
PID 3044 wrote to memory of 1216	3044	explorer.exe
PID 3044 wrote to memory of 1216	3044	explorer.exe
PID 3044 wrote to memory of 1216	3044	explorer.exe
PID 3044 wrote to memory of 1480	3044	explorer.exe
PID 3044 wrote to memory of 1480	3044	explorer.exe
PID 3044 wrote to memory of 1480	3044	explorer.exe
PID 3044 wrote to memory of 1480	3044	explorer.exe
PID 3044 wrote to memory of 1484	3044	explorer.exe
PID 3044 wrote to memory of 1484	3044	explorer.exe
PID 3044 wrote to memory of 1484	3044	explorer.exe
PID 3044 wrote to memory of 1484	3044	explorer.exe
PID 3044 wrote to memory of 4004	3044	explorer.exe
PID 3044 wrote to memory of 4004	3044	explorer.exe
PID 3044 wrote to memory of 4004	3044	explorer.exe
PID 3044 wrote to memory of 1000	3044	explorer.exe
PID 3044 wrote to memory of 1000	3044	explorer.exe
PID 3044 wrote to memory of 1000	3044	explorer.exe
PID 3044 wrote to memory of 1000	3044	explorer.exe
PID 3044 wrote to memory of 888	3044	explorer.exe
PID 3044 wrote to memory of 888	3044	explorer.exe
PID 3044 wrote to memory of 888	3044	explorer.exe
PID 3044 wrote to memory of 1284	3044	explorer.exe
PID 3044 wrote to memory of 1284	3044	explorer.exe
PID 3044 wrote to memory of 1284	3044	explorer.exe
PID 3044 wrote to memory of 1284	3044	explorer.exe
PID 3044 wrote to memory of 2300	3044	explorer.exe
PID 3044 wrote to memory of 2300	3044	explorer.exe
PID 3044 wrote to memory of 2300	3044	explorer.exe
PID 3044 wrote to memory of 2324	3044	explorer.exe
PID 3044 wrote to memory of 2324	3044	explorer.exe
PID 3044 wrote to memory of 2324	3044	explorer.exe
PID 3044 wrote to memory of 2324	3044	explorer.exe
PID 3044 wrote to memory of 1364	3044	explorer.exe
PID 3044 wrote to memory of 1364	3044	explorer.exe
PID 3044 wrote to memory of 1364	3044	explorer.exe
PID 3044 wrote to memory of 1364	3044	explorer.exe
PID 3044 wrote to memory of 2856	3044	explorer.exe
PID 3044 wrote to memory of 2856	3044	explorer.exe
PID 3044 wrote to memory of 2856	3044	explorer.exe
PID 3044 wrote to memory of 2108	3044	explorer.exe
PID 3044 wrote to memory of 2108	3044	explorer.exe
PID 3044 wrote to memory of 2108	3044	explorer.exe
PID 3044 wrote to memory of 2108	3044	explorer.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\8696a4269e30ddb34a7e0e84629ede03.exe
"C:\Users\Admin\AppData\Local\Temp\8696a4269e30ddb34a7e0e84629ede03.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2904

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3968

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1480

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1484

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1000

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:888

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1284

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1364

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-140-0x0000000000000000-mapping.dmp

Download
memory/888-142-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/888-141-0x0000000000BC0000-0x0000000000BC6000-memory.dmp

Filesize
24KB

Download
memory/1000-137-0x0000000000000000-mapping.dmp

Download
memory/1000-139-0x0000000002E30000-0x0000000002E39000-memory.dmp

Filesize
36KB

Download
memory/1000-138-0x0000000002E40000-0x0000000002E45000-memory.dmp

Filesize
20KB

Download
memory/1216-123-0x0000000000000000-mapping.dmp

Download
memory/1216-126-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1216-127-0x0000000000100000-0x000000000010C000-memory.dmp

Filesize
48KB

Download
memory/1284-143-0x0000000000000000-mapping.dmp

Download
memory/1284-145-0x0000000002DA0000-0x0000000002DA9000-memory.dmp

Filesize
36KB

Download
memory/1284-144-0x0000000002DB0000-0x0000000002DB4000-memory.dmp

Filesize
16KB

Download
memory/1364-152-0x0000000000000000-mapping.dmp

Download
memory/1364-153-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1364-154-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1480-130-0x0000000002A00000-0x0000000002A09000-memory.dmp

Filesize
36KB

Download
memory/1480-128-0x0000000000000000-mapping.dmp

Download
memory/1480-129-0x0000000002A10000-0x0000000002A14000-memory.dmp

Filesize
16KB

Download
memory/1484-132-0x0000000002A10000-0x0000000002A17000-memory.dmp

Filesize
28KB

Download
memory/1484-133-0x0000000002A00000-0x0000000002A0B000-memory.dmp

Filesize
44KB

Download
memory/1484-131-0x0000000000000000-mapping.dmp

Download
memory/2108-160-0x00000000027B0000-0x00000000027BB000-memory.dmp

Filesize
44KB

Download
memory/2108-159-0x00000000027C0000-0x00000000027C8000-memory.dmp

Filesize
32KB

Download
memory/2108-158-0x0000000000000000-mapping.dmp

Download
memory/2300-147-0x00000000004B0000-0x00000000004B5000-memory.dmp

Filesize
20KB

Download
memory/2300-146-0x0000000000000000-mapping.dmp

Download
memory/2300-148-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/2324-149-0x0000000000000000-mapping.dmp

Download
memory/2324-150-0x0000000000230000-0x0000000000252000-memory.dmp

Filesize
136KB

Download
memory/2324-151-0x0000000000200000-0x0000000000227000-memory.dmp

Filesize
156KB

Download
memory/2856-156-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2856-155-0x0000000000000000-mapping.dmp

Download
memory/2856-157-0x0000000000380000-0x000000000038D000-memory.dmp

Filesize
52KB

Download
memory/2904-120-0x0000000000400000-0x0000000001FCC000-memory.dmp

Filesize
27.8MB

Download
memory/2904-119-0x0000000001FD0000-0x000000000207E000-memory.dmp

Filesize
696KB

Download
memory/3044-121-0x0000000000910000-0x0000000000926000-memory.dmp

Filesize
88KB

Download
memory/3968-124-0x0000000003340000-0x00000000033B4000-memory.dmp

Filesize
464KB

Download
memory/3968-122-0x0000000000000000-mapping.dmp

Download
memory/3968-125-0x00000000032D0000-0x000000000333B000-memory.dmp

Filesize
428KB

Download
memory/4004-136-0x0000000000540000-0x000000000054F000-memory.dmp

Filesize
60KB

Download
memory/4004-134-0x0000000000000000-mapping.dmp

Download
memory/4004-135-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads