smokeloader | e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753

General

Target

e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
Size

334KB
MD5

adf5600538e00d4f055042baa795edf6
SHA1

c53bcca9372d49ec2e463b0cb529abd89c5ef49b
SHA256

e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753
SHA512

ae291b31633d1b9de6ffb33ce5cb2ab68110699efdca1dbdc538fdbdf20c422e126af32d2be9d7df007c1f750dcd4d94d8f6bf1b871d407055ae22a8a9ced8b0

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

jbwtthdjbwtthd

pid process

4260 jbwtthd
4208 jbwtthd
Deletes itself 1 IoCs

Processes:

pid process

1640

pid	process
4260	jbwtthd
4208	jbwtthd

pid	process
1640

Suspicious use of SetThreadContext 2 IoCs

Processes:

e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exejbwtthd

description	pid	process	target process
PID 3528 set thread context of 3592	3528	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
PID 4260 set thread context of 4208	4260	jbwtthd	jbwtthd

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jbwtthde2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jbwtthd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jbwtthd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jbwtthd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe

pid	process
3592	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
3592	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640
1640

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1640
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exejbwtthd

pid process

3592 e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
4208 jbwtthd
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1640
Token: SeCreatePagefilePrivilege 1640

pid	process
1640

description	pid	process
Token: SeShutdownPrivilege	1640
Token: SeCreatePagefilePrivilege	1640

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exejbwtthd

description	pid	process	target process
PID 3528 wrote to memory of 3592	3528	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
PID 3528 wrote to memory of 3592	3528	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
PID 3528 wrote to memory of 3592	3528	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
PID 3528 wrote to memory of 3592	3528	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
PID 3528 wrote to memory of 3592	3528	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
PID 3528 wrote to memory of 3592	3528	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe	e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
PID 4260 wrote to memory of 4208	4260	jbwtthd	jbwtthd
PID 4260 wrote to memory of 4208	4260	jbwtthd	jbwtthd
PID 4260 wrote to memory of 4208	4260	jbwtthd	jbwtthd
PID 4260 wrote to memory of 4208	4260	jbwtthd	jbwtthd
PID 4260 wrote to memory of 4208	4260	jbwtthd	jbwtthd
PID 4260 wrote to memory of 4208	4260	jbwtthd	jbwtthd

C:\Users\Admin\AppData\Local\Temp\e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
"C:\Users\Admin\AppData\Local\Temp\e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe
"C:\Users\Admin\AppData\Local\Temp\e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3592

C:\Users\Admin\AppData\Roaming\jbwtthd
C:\Users\Admin\AppData\Roaming\jbwtthd
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4260

C:\Users\Admin\AppData\Roaming\jbwtthd
C:\Users\Admin\AppData\Roaming\jbwtthd
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jbwtthd
MD5
adf5600538e00d4f055042baa795edf6

SHA1
c53bcca9372d49ec2e463b0cb529abd89c5ef49b

SHA256
e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753

SHA512
ae291b31633d1b9de6ffb33ce5cb2ab68110699efdca1dbdc538fdbdf20c422e126af32d2be9d7df007c1f750dcd4d94d8f6bf1b871d407055ae22a8a9ced8b0

Download Submit
C:\Users\Admin\AppData\Roaming\jbwtthd
MD5
adf5600538e00d4f055042baa795edf6

SHA1
c53bcca9372d49ec2e463b0cb529abd89c5ef49b

SHA256
e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753

SHA512
ae291b31633d1b9de6ffb33ce5cb2ab68110699efdca1dbdc538fdbdf20c422e126af32d2be9d7df007c1f750dcd4d94d8f6bf1b871d407055ae22a8a9ced8b0

Download Submit
C:\Users\Admin\AppData\Roaming\jbwtthd
MD5
adf5600538e00d4f055042baa795edf6

SHA1
c53bcca9372d49ec2e463b0cb529abd89c5ef49b

SHA256
e2185c73f6239d8d5fc51911ef81f28394634e963620b3132fe402e0120f5753

SHA512
ae291b31633d1b9de6ffb33ce5cb2ab68110699efdca1dbdc538fdbdf20c422e126af32d2be9d7df007c1f750dcd4d94d8f6bf1b871d407055ae22a8a9ced8b0

Download Submit
memory/1640-118-0x0000000001100000-0x0000000001116000-memory.dmp

Filesize
88KB

Download
memory/1640-125-0x0000000001140000-0x0000000001156000-memory.dmp

Filesize
88KB

Download
memory/3592-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3592-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4208-124-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads