smokeloader | b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680

General

Target

b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
Size

159KB
MD5

14ed6526c66d169e798f55666d404de6
SHA1

b1ce8fba4b4dd56f73f33daf27805c8bff59f80c
SHA256

b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680
SHA512

53f39f8c57ca9e8f323939e678a7fd4fb24d49dab7a985d48e19d032a93496a98a2ae33565bb8d0ff6e829d7f32fe7491dd4845c9ed3ddf3503cec6c4e2f76e4

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

4439.exe4439.exe49F6.exe50AE.exe

pid process

3468 4439.exe
2100 4439.exe
1512 49F6.exe
2460 50AE.exe
Deletes itself 1 IoCs

Processes:

pid process

1920

pid	process
3468	4439.exe
2100	4439.exe
1512	49F6.exe
2460	50AE.exe

pid	process
1920

Suspicious use of SetThreadContext 2 IoCs

Processes:

b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe4439.exe

description	pid	process	target process
PID 2744 set thread context of 1656	2744	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
PID 3468 set thread context of 2100	3468	4439.exe	4439.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe4439.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4439.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4439.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4439.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe

pid	process
1656	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
1656	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe

pid process

1656 b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1920
Token: SeCreatePagefilePrivilege	1920
Token: SeShutdownPrivilege	1920
Token: SeCreatePagefilePrivilege	1920
Token: SeShutdownPrivilege	1920
Token: SeCreatePagefilePrivilege	1920
Token: SeShutdownPrivilege	1920
Token: SeCreatePagefilePrivilege	1920
Token: SeShutdownPrivilege	1920
Token: SeCreatePagefilePrivilege	1920

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe4439.exe49F6.exe

description	pid	process	target process
PID 2744 wrote to memory of 1656	2744	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
PID 2744 wrote to memory of 1656	2744	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
PID 2744 wrote to memory of 1656	2744	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
PID 2744 wrote to memory of 1656	2744	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
PID 2744 wrote to memory of 1656	2744	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
PID 2744 wrote to memory of 1656	2744	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe	b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
PID 1920 wrote to memory of 3468	1920		4439.exe
PID 1920 wrote to memory of 3468	1920		4439.exe
PID 1920 wrote to memory of 3468	1920		4439.exe
PID 3468 wrote to memory of 2100	3468	4439.exe	4439.exe
PID 3468 wrote to memory of 2100	3468	4439.exe	4439.exe
PID 3468 wrote to memory of 2100	3468	4439.exe	4439.exe
PID 3468 wrote to memory of 2100	3468	4439.exe	4439.exe
PID 3468 wrote to memory of 2100	3468	4439.exe	4439.exe
PID 3468 wrote to memory of 2100	3468	4439.exe	4439.exe
PID 1920 wrote to memory of 1512	1920		49F6.exe
PID 1920 wrote to memory of 1512	1920		49F6.exe
PID 1920 wrote to memory of 1512	1920		49F6.exe
PID 1512 wrote to memory of 700	1512	49F6.exe	49F6.exe
PID 1512 wrote to memory of 700	1512	49F6.exe	49F6.exe
PID 1512 wrote to memory of 700	1512	49F6.exe	49F6.exe
PID 1920 wrote to memory of 2460	1920		50AE.exe
PID 1920 wrote to memory of 2460	1920		50AE.exe
PID 1920 wrote to memory of 2460	1920		50AE.exe
PID 1920 wrote to memory of 1260	1920		5439.exe
PID 1920 wrote to memory of 1260	1920		5439.exe

C:\Users\Admin\AppData\Local\Temp\b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
"C:\Users\Admin\AppData\Local\Temp\b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe
"C:\Users\Admin\AppData\Local\Temp\b12d114be98904ce453c97d9814e15f5147142412952b17711d6fd487f45a680.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1656

C:\Users\Admin\AppData\Local\Temp\4439.exe
C:\Users\Admin\AppData\Local\Temp\4439.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\4439.exe
C:\Users\Admin\AppData\Local\Temp\4439.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2100

C:\Users\Admin\AppData\Local\Temp\49F6.exe
C:\Users\Admin\AppData\Local\Temp\49F6.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\49F6.exe
C:\Users\Admin\AppData\Local\Temp\49F6.exe
2⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\50AE.exe
C:\Users\Admin\AppData\Local\Temp\50AE.exe
1⤵
- Executes dropped EXE
PID:2460

C:\Users\Admin\AppData\Local\Temp\5439.exe
C:\Users\Admin\AppData\Local\Temp\5439.exe
1⤵
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4439.exe
MD5
c76db0c0032f058497d6e55363464cfd

SHA1
436ae5b05b4a42977bf1f415e52b13fe2192b025

SHA256
68b90031cf6d8870b5719281dbfd45c97db2b8b0e696ea5f997c8de57b54dd7f

SHA512
97507117a5fa43f51663ad13d7357e8e82293d63e9d840a6db7b8c76dcdffb7d03b902a50d70b396b8e92656ff3193dd79b3a07392254748fe94acb8c2aa62a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4439.exe
MD5
c76db0c0032f058497d6e55363464cfd

SHA1
436ae5b05b4a42977bf1f415e52b13fe2192b025

SHA256
68b90031cf6d8870b5719281dbfd45c97db2b8b0e696ea5f997c8de57b54dd7f

SHA512
97507117a5fa43f51663ad13d7357e8e82293d63e9d840a6db7b8c76dcdffb7d03b902a50d70b396b8e92656ff3193dd79b3a07392254748fe94acb8c2aa62a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4439.exe
MD5
c76db0c0032f058497d6e55363464cfd

SHA1
436ae5b05b4a42977bf1f415e52b13fe2192b025

SHA256
68b90031cf6d8870b5719281dbfd45c97db2b8b0e696ea5f997c8de57b54dd7f

SHA512
97507117a5fa43f51663ad13d7357e8e82293d63e9d840a6db7b8c76dcdffb7d03b902a50d70b396b8e92656ff3193dd79b3a07392254748fe94acb8c2aa62a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\49F6.exe
MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\49F6.exe
MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\50AE.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\50AE.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
memory/1260-143-0x0000000000000000-mapping.dmp

Download
memory/1512-131-0x0000000000000000-mapping.dmp

Download
memory/1512-138-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1512-139-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1512-137-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1512-136-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1512-134-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1656-121-0x0000000000402F47-mapping.dmp

Download
memory/1656-120-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-122-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

Filesize
88KB

Download
memory/2100-127-0x0000000000402F47-mapping.dmp

Download
memory/2460-140-0x0000000000000000-mapping.dmp

Download
memory/2744-119-0x0000000002B70000-0x0000000002C1E000-memory.dmp

Filesize
696KB

Download
memory/2744-118-0x0000000002B70000-0x0000000002C1E000-memory.dmp

Filesize
696KB

Download
memory/3468-123-0x0000000000000000-mapping.dmp

Download
memory/3468-130-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/3468-129-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads