smokeloader | 47c2ec67d40d8e342db29823981ab4539c758486d30d00bd15106acdb39a96cc

General

Target

42c9365b1284d5e5e95be8c82e3eb480.exe
Size

271KB
MD5

42c9365b1284d5e5e95be8c82e3eb480
SHA1

af966c6db72acf8ccdab4d39f7f328043c3ad592
SHA256

47c2ec67d40d8e342db29823981ab4539c758486d30d00bd15106acdb39a96cc
SHA512

b5fd84c5fc5b2fa94227f9732af2b5ced856349f37a1a1175a3bcd4065a016bc5c129b8e52ade6ec8bfe2c7a11f5bd2a0af527cb6901320f7e2136b81022a660

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

FA27.exe18FE.exe

pid process

1816 FA27.exe
1676 18FE.exe
Deletes itself 1 IoCs

Processes:

pid process

1224

pid	process
1816	FA27.exe
1676	18FE.exe

pid	process
1224

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

42c9365b1284d5e5e95be8c82e3eb480.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42c9365b1284d5e5e95be8c82e3eb480.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42c9365b1284d5e5e95be8c82e3eb480.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42c9365b1284d5e5e95be8c82e3eb480.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

42c9365b1284d5e5e95be8c82e3eb480.exe

pid	process
944	42c9365b1284d5e5e95be8c82e3eb480.exe
944	42c9365b1284d5e5e95be8c82e3eb480.exe
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1224
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

42c9365b1284d5e5e95be8c82e3eb480.exe

pid process

944 42c9365b1284d5e5e95be8c82e3eb480.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1224
1224
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1224
1224

pid	process
1224

pid	process
1224
1224

pid	process
1224
1224

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

description	pid	target process
PID 1224 wrote to memory of 1816	1224	FA27.exe
PID 1224 wrote to memory of 1816	1224	FA27.exe
PID 1224 wrote to memory of 1816	1224	FA27.exe
PID 1224 wrote to memory of 1816	1224	FA27.exe
PID 1224 wrote to memory of 1676	1224	18FE.exe
PID 1224 wrote to memory of 1676	1224	18FE.exe
PID 1224 wrote to memory of 1676	1224	18FE.exe
PID 1224 wrote to memory of 1676	1224	18FE.exe

C:\Users\Admin\AppData\Local\Temp\42c9365b1284d5e5e95be8c82e3eb480.exe
"C:\Users\Admin\AppData\Local\Temp\42c9365b1284d5e5e95be8c82e3eb480.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:944

C:\Users\Admin\AppData\Local\Temp\FA27.exe
C:\Users\Admin\AppData\Local\Temp\FA27.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\AppData\Local\Temp\18FE.exe
C:\Users\Admin\AppData\Local\Temp\18FE.exe
1⤵
- Executes dropped EXE
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\18FE.exe
MD5
f8151b5d4c4e62166a8c2e914f54cbb7

SHA1
ee9da83f51b904db29d14847a013c4cff7ea6711

SHA256
7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0

SHA512
0e141cee03549a768d284381bd8751b3b3b18805bffa1ada7e4a7c44c3d50fae190d6a4d82ddaee76c82f2a853190549a2d6d1f3a3fdfef425cff3499933b084

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA27.exe
MD5
f8151b5d4c4e62166a8c2e914f54cbb7

SHA1
ee9da83f51b904db29d14847a013c4cff7ea6711

SHA256
7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0

SHA512
0e141cee03549a768d284381bd8751b3b3b18805bffa1ada7e4a7c44c3d50fae190d6a4d82ddaee76c82f2a853190549a2d6d1f3a3fdfef425cff3499933b084

Download Submit
memory/944-55-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/944-58-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/944-56-0x0000000075F91000-0x0000000075F93000-memory.dmp

Filesize
8KB

Download
memory/944-57-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/1224-59-0x0000000002A30000-0x0000000002A46000-memory.dmp

Filesize
88KB

Download
memory/1676-62-0x0000000000000000-mapping.dmp

Download
memory/1676-69-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/1816-60-0x0000000000000000-mapping.dmp

Download
memory/1816-66-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/1816-65-0x00000000046C0000-0x00000000047BA000-memory.dmp

Filesize
1000KB

Download
memory/1816-64-0x00000000044D0000-0x00000000045B2000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads