smokeloader | eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead

General

Target

eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
Size

318KB
MD5

f81e5b1e0ef3f521ddb57d5cafb9e8f8
SHA1

5a4a821e5e890c637c0c2f92c453260f66de31b9
SHA256

eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead
SHA512

4b78154430ba83acf82726558ecfbdc73bd0a334b0d72318034f3347bae166bb1aa08f578d04f25b0a98636fff3748fe5a68c9fadbada199eeffe652c7dd9742

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

hjwirajhjwiraj

pid process

4072 hjwiraj
4068 hjwiraj
Deletes itself 1 IoCs

Processes:

pid process

2892

pid	process
4072	hjwiraj
4068	hjwiraj

pid	process
2892

Suspicious use of SetThreadContext 2 IoCs

Processes:

eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exehjwiraj

description	pid	process	target process
PID 2608 set thread context of 3732	2608	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
PID 4072 set thread context of 4068	4072	hjwiraj	hjwiraj

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

hjwirajeb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hjwiraj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hjwiraj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hjwiraj

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe

pid	process
3732	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
3732	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892
2892

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2892
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exehjwiraj

pid process

3732 eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
4068 hjwiraj
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2892
Token: SeCreatePagefilePrivilege 2892

pid	process
2892

description	pid	process
Token: SeShutdownPrivilege	2892
Token: SeCreatePagefilePrivilege	2892

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exehjwiraj

description	pid	process	target process
PID 2608 wrote to memory of 3732	2608	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
PID 2608 wrote to memory of 3732	2608	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
PID 2608 wrote to memory of 3732	2608	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
PID 2608 wrote to memory of 3732	2608	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
PID 2608 wrote to memory of 3732	2608	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
PID 2608 wrote to memory of 3732	2608	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe	eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
PID 4072 wrote to memory of 4068	4072	hjwiraj	hjwiraj
PID 4072 wrote to memory of 4068	4072	hjwiraj	hjwiraj
PID 4072 wrote to memory of 4068	4072	hjwiraj	hjwiraj
PID 4072 wrote to memory of 4068	4072	hjwiraj	hjwiraj
PID 4072 wrote to memory of 4068	4072	hjwiraj	hjwiraj
PID 4072 wrote to memory of 4068	4072	hjwiraj	hjwiraj

C:\Users\Admin\AppData\Local\Temp\eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
"C:\Users\Admin\AppData\Local\Temp\eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2608

C:\Users\Admin\AppData\Local\Temp\eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe
"C:\Users\Admin\AppData\Local\Temp\eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3732

C:\Users\Admin\AppData\Roaming\hjwiraj
C:\Users\Admin\AppData\Roaming\hjwiraj
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Roaming\hjwiraj
C:\Users\Admin\AppData\Roaming\hjwiraj
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hjwiraj
MD5
f81e5b1e0ef3f521ddb57d5cafb9e8f8

SHA1
5a4a821e5e890c637c0c2f92c453260f66de31b9

SHA256
eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead

SHA512
4b78154430ba83acf82726558ecfbdc73bd0a334b0d72318034f3347bae166bb1aa08f578d04f25b0a98636fff3748fe5a68c9fadbada199eeffe652c7dd9742

Download Submit
C:\Users\Admin\AppData\Roaming\hjwiraj
MD5
f81e5b1e0ef3f521ddb57d5cafb9e8f8

SHA1
5a4a821e5e890c637c0c2f92c453260f66de31b9

SHA256
eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead

SHA512
4b78154430ba83acf82726558ecfbdc73bd0a334b0d72318034f3347bae166bb1aa08f578d04f25b0a98636fff3748fe5a68c9fadbada199eeffe652c7dd9742

Download Submit
C:\Users\Admin\AppData\Roaming\hjwiraj
MD5
f81e5b1e0ef3f521ddb57d5cafb9e8f8

SHA1
5a4a821e5e890c637c0c2f92c453260f66de31b9

SHA256
eb604fbd5f3d1fb21f3da7d10c4aa3f368607c918a811aad49f4f19354fe2ead

SHA512
4b78154430ba83acf82726558ecfbdc73bd0a334b0d72318034f3347bae166bb1aa08f578d04f25b0a98636fff3748fe5a68c9fadbada199eeffe652c7dd9742

Download Submit
memory/2608-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2608-120-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/2892-122-0x0000000000F50000-0x0000000000F66000-memory.dmp

Filesize
88KB

Download
memory/2892-128-0x0000000001160000-0x0000000001176000-memory.dmp

Filesize
88KB

Download
memory/3732-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3732-121-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4068-127-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads