smokeloader | 6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17

General

Target

6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe
Size

317KB
MD5

7b2b9f625b16b277c67f5b567aa47b13
SHA1

cc66eaa9615e3eb1c3726bcb693557ad17b3eedc
SHA256

6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17
SHA512

88aa5ee7cef3d905aa9f4c22f7864e6c3622d627a6c526ff01e48fe8f2e0cccce92a060520bf17cfc163e72cc81bd16fb07039417354d954bc3c7f9cf364106c

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

1D7D.exe

pid process

1100 1D7D.exe
Deletes itself 1 IoCs

Processes:

pid process

3056

pid	process
1100	1D7D.exe

pid	process
3056

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1D7D.exe6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1D7D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1D7D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1D7D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe

pid	process
676	6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe
676	6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe1D7D.exe

pid process

676 6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe
1100 1D7D.exe

pid	process
3056

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 3056 wrote to memory of 1100	3056	1D7D.exe
PID 3056 wrote to memory of 1100	3056	1D7D.exe
PID 3056 wrote to memory of 1100	3056	1D7D.exe

C:\Users\Admin\AppData\Local\Temp\6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe
"C:\Users\Admin\AppData\Local\Temp\6ff62169824c40354932fd738f8ef29389486bdbd62ff2e277a65cad7b6cbf17.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:676

C:\Users\Admin\AppData\Local\Temp\1D7D.exe
C:\Users\Admin\AppData\Local\Temp\1D7D.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D7D.exe
MD5
144f3b39f333e19e50d9b1fdd79ccc69

SHA1
0be1677f2d5b95b87588563d87a8a7b31aaf9e9e

SHA256
42e38af11a40afb62d84ea7a6f1be3e0b7660fcdf56ba047d990847696286008

SHA512
da2a721d78a86c371434bb42565e55a79bd542c14357ec9315af9c694e23180ccefb890b9ca451a64edc6fd924d87877d74982b6b2fdfe749e3878bc02b417c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D7D.exe
MD5
144f3b39f333e19e50d9b1fdd79ccc69

SHA1
0be1677f2d5b95b87588563d87a8a7b31aaf9e9e

SHA256
42e38af11a40afb62d84ea7a6f1be3e0b7660fcdf56ba047d990847696286008

SHA512
da2a721d78a86c371434bb42565e55a79bd542c14357ec9315af9c694e23180ccefb890b9ca451a64edc6fd924d87877d74982b6b2fdfe749e3878bc02b417c1

Download Submit
memory/676-115-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/676-116-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/676-117-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1100-121-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/1100-122-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1100-123-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3056-118-0x0000000000E00000-0x0000000000E16000-memory.dmp

Filesize
88KB

Download
memory/3056-124-0x00000000027E0000-0x000000000305D000-memory.dmp

Filesize
8.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads