smokeloader | fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f

Analysis

max time kernel
170s
max time network
170s
platform
windows10_x64
resource
win10-en-20211208
submitted
25-01-2022 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe
Size

263KB
MD5

f1b7c56664118bb64f20bca95feef924
SHA1

dd06ebdf274c4957842a88adc17bd435934d2e95
SHA256

fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f
SHA512

72e493e3981c9aa87dcf6e5f9674b88c58926aef05a1bcc4c3dd33d2b5689ca9d84a0aa89f5dd623c3c8e6563e2b7e7999119ec30d277e103ab727de636adcc9

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3024

pid	process
3024

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe

pid	process
3808	fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe
3808	fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe

pid process

3808 fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe

pid	process
3024

C:\Users\Admin\AppData\Local\Temp\fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe
"C:\Users\Admin\AppData\Local\Temp\fcd5108f0532d742e5f0d658075a37c85b3c930c233b7ed62a0651af6490087f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3024-121-0x00000000012D0000-0x00000000012E6000-memory.dmp

Filesize
88KB

Download
memory/3808-118-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/3808-119-0x0000000000450000-0x000000000059A000-memory.dmp

Filesize
1.3MB

Download
memory/3808-120-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download