smokeloader | 86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7

General

Target

86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
Size

357KB
MD5

e55d57e798bd86dd4786e0327d0b6411
SHA1

6b888c98158463f0a6ce9d0722c0ea8bfab1e223
SHA256

86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7
SHA512

a1590c1d377dc9ccbaacb19f866a8755087830739e07c0289a1d0e2baebaef700497479b03abcc8b5c97d65094da420bd604d35085a760d105e036e94edd4f17

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

hgistfbhgistfb

pid process

3124 hgistfb
3360 hgistfb
Deletes itself 1 IoCs

Processes:

pid process

3036

pid	process
3124	hgistfb
3360	hgistfb

pid	process
3036

Suspicious use of SetThreadContext 2 IoCs

Processes:

86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exehgistfb

description	pid	process	target process
PID 2844 set thread context of 520	2844	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
PID 3124 set thread context of 3360	3124	hgistfb	hgistfb

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exehgistfb

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hgistfb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hgistfb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hgistfb

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe

pid	process
520	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
520	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exehgistfb

pid process

520 86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
3360 hgistfb
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3036
Token: SeCreatePagefilePrivilege 3036

pid	process
3036

description	pid	process
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exehgistfb

description	pid	process	target process
PID 2844 wrote to memory of 520	2844	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
PID 2844 wrote to memory of 520	2844	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
PID 2844 wrote to memory of 520	2844	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
PID 2844 wrote to memory of 520	2844	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
PID 2844 wrote to memory of 520	2844	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
PID 2844 wrote to memory of 520	2844	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe	86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
PID 3124 wrote to memory of 3360	3124	hgistfb	hgistfb
PID 3124 wrote to memory of 3360	3124	hgistfb	hgistfb
PID 3124 wrote to memory of 3360	3124	hgistfb	hgistfb
PID 3124 wrote to memory of 3360	3124	hgistfb	hgistfb
PID 3124 wrote to memory of 3360	3124	hgistfb	hgistfb
PID 3124 wrote to memory of 3360	3124	hgistfb	hgistfb

C:\Users\Admin\AppData\Local\Temp\86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
"C:\Users\Admin\AppData\Local\Temp\86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe
"C:\Users\Admin\AppData\Local\Temp\86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:520

C:\Users\Admin\AppData\Roaming\hgistfb
C:\Users\Admin\AppData\Roaming\hgistfb
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Roaming\hgistfb
C:\Users\Admin\AppData\Roaming\hgistfb
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hgistfb
MD5
e55d57e798bd86dd4786e0327d0b6411

SHA1
6b888c98158463f0a6ce9d0722c0ea8bfab1e223

SHA256
86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7

SHA512
a1590c1d377dc9ccbaacb19f866a8755087830739e07c0289a1d0e2baebaef700497479b03abcc8b5c97d65094da420bd604d35085a760d105e036e94edd4f17

Download Submit
C:\Users\Admin\AppData\Roaming\hgistfb
MD5
e55d57e798bd86dd4786e0327d0b6411

SHA1
6b888c98158463f0a6ce9d0722c0ea8bfab1e223

SHA256
86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7

SHA512
a1590c1d377dc9ccbaacb19f866a8755087830739e07c0289a1d0e2baebaef700497479b03abcc8b5c97d65094da420bd604d35085a760d105e036e94edd4f17

Download Submit
C:\Users\Admin\AppData\Roaming\hgistfb
MD5
e55d57e798bd86dd4786e0327d0b6411

SHA1
6b888c98158463f0a6ce9d0722c0ea8bfab1e223

SHA256
86e852ec39e24a821d0779857ad411a101d3e353d6782c238fc778b0bb12c0c7

SHA512
a1590c1d377dc9ccbaacb19f866a8755087830739e07c0289a1d0e2baebaef700497479b03abcc8b5c97d65094da420bd604d35085a760d105e036e94edd4f17

Download Submit
memory/520-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/520-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2844-115-0x0000000000728000-0x0000000000739000-memory.dmp

Filesize
68KB

Download
memory/2844-116-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/3036-119-0x0000000001120000-0x0000000001136000-memory.dmp

Filesize
88KB

Download
memory/3036-126-0x00000000012C0000-0x00000000012D6000-memory.dmp

Filesize
88KB

Download
memory/3360-125-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads