smokeloader | ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59

General

Target

ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
Size

317KB
MD5

72107e63998474995c0f78051ccce035
SHA1

ec3141bc5957149ff0aa67482295856a7cb3821b
SHA256

ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59
SHA512

0b503af0733040b2df5ce117065bc6c00f7475a9082782bc6e6911396ee3746d6de31736fdc9acd5a4d292ff98a14541d452c7ff6695f950e72ec34a214a35ca

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3032

pid	process
3032

Suspicious use of SetThreadContext 1 IoCs

Processes:

ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe

description	pid	process	target process
PID 2512 set thread context of 3156	2512	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe

pid	process
3156	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
3156	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe

pid process

3156 ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe

pid	process
3032

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe

description	pid	process	target process
PID 2512 wrote to memory of 3156	2512	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
PID 2512 wrote to memory of 3156	2512	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
PID 2512 wrote to memory of 3156	2512	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
PID 2512 wrote to memory of 3156	2512	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
PID 2512 wrote to memory of 3156	2512	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
PID 2512 wrote to memory of 3156	2512	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe	ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe

C:\Users\Admin\AppData\Local\Temp\ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
"C:\Users\Admin\AppData\Local\Temp\ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
"C:\Users\Admin\AppData\Local\Temp\ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2512-115-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/2512-116-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/3032-119-0x0000000001060000-0x0000000001076000-memory.dmp

Filesize
88KB

Download
memory/3156-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3156-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads