smokeloader | 757387e6946c157cc37f67cf0a0e94af671b4a4bd498291390d878cc04cfa790

General

Target

65d0653f5eec54a9a01b4d76c35c6c74.exe
Size

319KB
MD5

65d0653f5eec54a9a01b4d76c35c6c74
SHA1

10ac383cdad3a41f09ee9ac8c36365224ea6f826
SHA256

757387e6946c157cc37f67cf0a0e94af671b4a4bd498291390d878cc04cfa790
SHA512

64061718229cba439c7fd3795112b436375c70865d7ec23370693863410079ac6e5dbf2ef09c366878e712b8c4ecf20a797cd1c9bddfd12d34710f5ed6998eb1

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

F2B8.exe

pid process

1820 F2B8.exe
Deletes itself 1 IoCs

Processes:

pid process

1380
Suspicious use of SetThreadContext 1 IoCs

Processes:

65d0653f5eec54a9a01b4d76c35c6c74.exe

description pid process target process

PID 1888 set thread context of 240 1888 65d0653f5eec54a9a01b4d76c35c6c74.exe 65d0653f5eec54a9a01b4d76c35c6c74.exe

pid	process
1820	F2B8.exe

pid	process
1380

description	pid	process	target process
PID 1888 set thread context of 240	1888	65d0653f5eec54a9a01b4d76c35c6c74.exe	65d0653f5eec54a9a01b4d76c35c6c74.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

65d0653f5eec54a9a01b4d76c35c6c74.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	65d0653f5eec54a9a01b4d76c35c6c74.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	65d0653f5eec54a9a01b4d76c35c6c74.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	65d0653f5eec54a9a01b4d76c35c6c74.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

65d0653f5eec54a9a01b4d76c35c6c74.exe

pid	process
240	65d0653f5eec54a9a01b4d76c35c6c74.exe
240	65d0653f5eec54a9a01b4d76c35c6c74.exe
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1380
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

65d0653f5eec54a9a01b4d76c35c6c74.exe

pid process

240 65d0653f5eec54a9a01b4d76c35c6c74.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1380
1380
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1380
1380

pid	process
1380

pid	process
1380
1380

pid	process
1380
1380

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

65d0653f5eec54a9a01b4d76c35c6c74.exe

description	pid	process	target process
PID 1888 wrote to memory of 240	1888	65d0653f5eec54a9a01b4d76c35c6c74.exe	65d0653f5eec54a9a01b4d76c35c6c74.exe
PID 1888 wrote to memory of 240	1888	65d0653f5eec54a9a01b4d76c35c6c74.exe	65d0653f5eec54a9a01b4d76c35c6c74.exe
PID 1888 wrote to memory of 240	1888	65d0653f5eec54a9a01b4d76c35c6c74.exe	65d0653f5eec54a9a01b4d76c35c6c74.exe
PID 1888 wrote to memory of 240	1888	65d0653f5eec54a9a01b4d76c35c6c74.exe	65d0653f5eec54a9a01b4d76c35c6c74.exe
PID 1888 wrote to memory of 240	1888	65d0653f5eec54a9a01b4d76c35c6c74.exe	65d0653f5eec54a9a01b4d76c35c6c74.exe
PID 1888 wrote to memory of 240	1888	65d0653f5eec54a9a01b4d76c35c6c74.exe	65d0653f5eec54a9a01b4d76c35c6c74.exe
PID 1888 wrote to memory of 240	1888	65d0653f5eec54a9a01b4d76c35c6c74.exe	65d0653f5eec54a9a01b4d76c35c6c74.exe
PID 1380 wrote to memory of 1820	1380		F2B8.exe
PID 1380 wrote to memory of 1820	1380		F2B8.exe
PID 1380 wrote to memory of 1820	1380		F2B8.exe
PID 1380 wrote to memory of 1820	1380		F2B8.exe

C:\Users\Admin\AppData\Local\Temp\65d0653f5eec54a9a01b4d76c35c6c74.exe
"C:\Users\Admin\AppData\Local\Temp\65d0653f5eec54a9a01b4d76c35c6c74.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\65d0653f5eec54a9a01b4d76c35c6c74.exe
"C:\Users\Admin\AppData\Local\Temp\65d0653f5eec54a9a01b4d76c35c6c74.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:240

C:\Users\Admin\AppData\Local\Temp\F2B8.exe
C:\Users\Admin\AppData\Local\Temp\F2B8.exe
1⤵
- Executes dropped EXE
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F2B8.exe
MD5
fd9fc94584fb5ac78a730d4949954558

SHA1
1f64cab1b889016aca4e11fbaa0367ab21dc2911

SHA256
8a55a056761f76c48027e1c2f7a4146f451d36908d84f83ef9b95051d35b9f44

SHA512
af47179ed313cb5791c59118b79a831313f1a9995e6b3f57a88c1928ba248cfc6d38bbd916ab35bd368627a08a5eda961f0e91396173f615860d088d382bf981

Download Submit
memory/240-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/240-57-0x0000000000402F47-mapping.dmp

Download
memory/240-58-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1380-60-0x0000000002640000-0x0000000002656000-memory.dmp

Filesize
88KB

Download
memory/1820-61-0x0000000000000000-mapping.dmp

Download
memory/1888-55-0x0000000000308000-0x0000000000319000-memory.dmp

Filesize
68KB

Download
memory/1888-59-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads