smokeloader | a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53

General

Target

a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
Size

241KB
MD5

f54e41ec1586055f161827ac7c4c7968
SHA1

10f9cf3d52005d169722ccf39af6eee1db6a36e7
SHA256

a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53
SHA512

3a1d4c1e3fa6af9ba90a78386a789e1ce22f6ed5d514d173ee9ea90708b18a004b1987ad4766e04cad61b611522419d554c7a7b7c4fa6fc4af78db9b6bfba906

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3032

pid	process
3032

Suspicious use of SetThreadContext 1 IoCs

Processes:

a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe

description	pid	process	target process
PID 3824 set thread context of 3856	3824	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe

pid	process
3856	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
3856	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe

pid process

3856 a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe

pid	process
3032

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe

description	pid	process	target process
PID 3824 wrote to memory of 3856	3824	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
PID 3824 wrote to memory of 3856	3824	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
PID 3824 wrote to memory of 3856	3824	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
PID 3824 wrote to memory of 3856	3824	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
PID 3824 wrote to memory of 3856	3824	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
PID 3824 wrote to memory of 3856	3824	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe	a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe

C:\Users\Admin\AppData\Local\Temp\a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
"C:\Users\Admin\AppData\Local\Temp\a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\AppData\Local\Temp\a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe
"C:\Users\Admin\AppData\Local\Temp\a3016902264ec9c6e7d39fbe138cff1f5fe0cc5f07c0c8cf63cef66bc5859e53.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3032-122-0x0000000002CF0000-0x0000000002D06000-memory.dmp

Filesize
88KB

Download
memory/3824-119-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/3856-120-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3856-121-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads