smokeloader | c2cb62e9291d6dc8dc9fdf0064de10045eb7995c2e8b197ac9cddf7932a662b8

General

Target

3987760559955d73718fc2b9637f02eb.exe
Size

247KB
MD5

3987760559955d73718fc2b9637f02eb
SHA1

a8eccbffb25f81c40623215e5c356d133c64032e
SHA256

c2cb62e9291d6dc8dc9fdf0064de10045eb7995c2e8b197ac9cddf7932a662b8
SHA512

46c51f190f73f091e0638afb04dd4d7818d8ab6675c42786ec52aefa314450296857cee4462d468d2cdebfd4d88ecc15d8dbe8828f300133d20008f3e43a2b9d

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

C255.exeSmartClock.exeEFEF.exe

pid process

1928 C255.exe
956 SmartClock.exe
1416 EFEF.exe
Deletes itself 1 IoCs

Processes:

pid process

1300
Drops startup file 1 IoCs

Processes:

C255.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk C255.exe
Loads dropped DLL 3 IoCs

Processes:

C255.exe

pid process

1928 C255.exe
1928 C255.exe
1928 C255.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1928	C255.exe
956	SmartClock.exe
1416	EFEF.exe

pid	process
1300

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	C255.exe

pid	process
1928	C255.exe
1928	C255.exe
1928	C255.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3987760559955d73718fc2b9637f02eb.exeEFEF.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3987760559955d73718fc2b9637f02eb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3987760559955d73718fc2b9637f02eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EFEF.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EFEF.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EFEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3987760559955d73718fc2b9637f02eb.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

956 SmartClock.exe

pid	process
956	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3987760559955d73718fc2b9637f02eb.exe

pid	process
1592	3987760559955d73718fc2b9637f02eb.exe
1592	3987760559955d73718fc2b9637f02eb.exe
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1300
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3987760559955d73718fc2b9637f02eb.exe

pid process

1592 3987760559955d73718fc2b9637f02eb.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1300
1300
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1300
1300
1300
1300

pid	process
1300

pid	process
1300
1300

pid	process
1300
1300
1300
1300

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

C255.exe

description	pid	process	target process
PID 1300 wrote to memory of 1928	1300		C255.exe
PID 1300 wrote to memory of 1928	1300		C255.exe
PID 1300 wrote to memory of 1928	1300		C255.exe
PID 1300 wrote to memory of 1928	1300		C255.exe
PID 1928 wrote to memory of 956	1928	C255.exe	SmartClock.exe
PID 1928 wrote to memory of 956	1928	C255.exe	SmartClock.exe
PID 1928 wrote to memory of 956	1928	C255.exe	SmartClock.exe
PID 1928 wrote to memory of 956	1928	C255.exe	SmartClock.exe
PID 1300 wrote to memory of 1416	1300		EFEF.exe
PID 1300 wrote to memory of 1416	1300		EFEF.exe
PID 1300 wrote to memory of 1416	1300		EFEF.exe
PID 1300 wrote to memory of 1416	1300		EFEF.exe

C:\Users\Admin\AppData\Local\Temp\3987760559955d73718fc2b9637f02eb.exe
"C:\Users\Admin\AppData\Local\Temp\3987760559955d73718fc2b9637f02eb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1592

C:\Users\Admin\AppData\Local\Temp\C255.exe
C:\Users\Admin\AppData\Local\Temp\C255.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:956

C:\Users\Admin\AppData\Local\Temp\EFEF.exe
C:\Users\Admin\AppData\Local\Temp\EFEF.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C255.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C255.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFEF.exe

MD5
86c76df3f0feed13d6ad6f9155156369

SHA1
330e82600381f68d6f6914b50b451b6c59901b26

SHA256
4dc4954990ef29b8b1b66f23cd475d375cc759b2aabbfdde761abaafef975baf

SHA512
078e22f7c6109abf532591dc429d6a58255a192c3a70324b769e5f2b79549d0814fa2330693484dccdc27427ef25526b5db4f3b574c521bed0ae27eadada789c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

MD5
0f2ad680804d76fcdcf2f7b1da480105

SHA1
9ba9798f3396c294fde4ca5d832f078bcdc357b7

SHA256
4b9ad6f585f391d83637c00cd0421391aa1b1f5d786b99bb5100ff1115a12b59

SHA512
e866ea64c9244f3c0cf0a89c0c13961688dccb1163a8d18307c89b9d070ed575903a463ca2fa82ad6973a70b4882959ae5869cfb6426ec1ee3860e77ca14da04

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
42c6347146452117ae98dad4f06d6953

SHA1
a113372acb37913a34e6d6e46c4b84004b3286aa

SHA256
ea5a184fe57e1c2926bfc4b228ee0d338a66754779c665735b1176d3904ef399

SHA512
d9b508bad5accab933ce6a961f2e46aa00b3b8c70c0233515271b32c6ee7be47141e3563a0c4b58354793b8fbe4e6da628a6890243695a047badf79691889da5

Download Submit
memory/956-73-0x000000000091B000-0x000000000099B000-memory.dmp

Filesize
512KB

Download
memory/956-68-0x0000000000000000-mapping.dmp

Download
memory/956-75-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1300-59-0x0000000002180000-0x0000000002196000-memory.dmp

Filesize
88KB

Download
memory/1416-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1416-80-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1416-78-0x000000000050B000-0x0000000000514000-memory.dmp

Filesize
36KB

Download
memory/1416-76-0x0000000000000000-mapping.dmp

Download
memory/1592-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1592-57-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1592-58-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1592-55-0x000000000059B000-0x00000000005A4000-memory.dmp

Filesize
36KB

Download
memory/1928-72-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1928-71-0x0000000000310000-0x00000000003A1000-memory.dmp

Filesize
580KB

Download
memory/1928-62-0x00000000005BB000-0x000000000063B000-memory.dmp

Filesize
512KB

Download
memory/1928-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads