smokeloader | 36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964

General

Target

36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
Size

241KB
MD5

63e53cb9c5fce8cb51c409a8d2e7def4
SHA1

69aa4c4da55e3d33b60e6198250c47480b9548c9
SHA256

36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964
SHA512

c4d0f1a0d9ac9c7e8e711b6426d706fdd8ea359ac4ac60af99a158ab2a75bfcc2d74e5611766d25a0d083cdba490497b250c6c3c2d0d38811572c0abead8a203

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

gujghtvgujghtv

pid process

3468 gujghtv
1952 gujghtv
Deletes itself 1 IoCs

Processes:

pid process

3036

pid	process
3468	gujghtv
1952	gujghtv

pid	process
3036

Suspicious use of SetThreadContext 2 IoCs

Processes:

36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exegujghtv

description	pid	process	target process
PID 3800 set thread context of 3192	3800	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
PID 3468 set thread context of 1952	3468	gujghtv	gujghtv

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exegujghtv

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gujghtv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gujghtv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gujghtv

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe

pid	process
3192	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
3192	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exegujghtv

pid process

3192 36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
1952 gujghtv
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3036
Token: SeCreatePagefilePrivilege 3036

pid	process
3036

description	pid	process
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exegujghtv

description	pid	process	target process
PID 3800 wrote to memory of 3192	3800	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
PID 3800 wrote to memory of 3192	3800	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
PID 3800 wrote to memory of 3192	3800	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
PID 3800 wrote to memory of 3192	3800	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
PID 3800 wrote to memory of 3192	3800	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
PID 3800 wrote to memory of 3192	3800	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe	36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
PID 3468 wrote to memory of 1952	3468	gujghtv	gujghtv
PID 3468 wrote to memory of 1952	3468	gujghtv	gujghtv
PID 3468 wrote to memory of 1952	3468	gujghtv	gujghtv
PID 3468 wrote to memory of 1952	3468	gujghtv	gujghtv
PID 3468 wrote to memory of 1952	3468	gujghtv	gujghtv
PID 3468 wrote to memory of 1952	3468	gujghtv	gujghtv

C:\Users\Admin\AppData\Local\Temp\36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
"C:\Users\Admin\AppData\Local\Temp\36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe
  "C:\Users\Admin\AppData\Local\Temp\36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3192

C:\Users\Admin\AppData\Roaming\gujghtv
C:\Users\Admin\AppData\Roaming\gujghtv
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Roaming\gujghtv
  C:\Users\Admin\AppData\Roaming\gujghtv
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gujghtv

MD5
63e53cb9c5fce8cb51c409a8d2e7def4

SHA1
69aa4c4da55e3d33b60e6198250c47480b9548c9

SHA256
36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964

SHA512
c4d0f1a0d9ac9c7e8e711b6426d706fdd8ea359ac4ac60af99a158ab2a75bfcc2d74e5611766d25a0d083cdba490497b250c6c3c2d0d38811572c0abead8a203

Download Submit
C:\Users\Admin\AppData\Roaming\gujghtv

MD5
63e53cb9c5fce8cb51c409a8d2e7def4

SHA1
69aa4c4da55e3d33b60e6198250c47480b9548c9

SHA256
36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964

SHA512
c4d0f1a0d9ac9c7e8e711b6426d706fdd8ea359ac4ac60af99a158ab2a75bfcc2d74e5611766d25a0d083cdba490497b250c6c3c2d0d38811572c0abead8a203

Download Submit
C:\Users\Admin\AppData\Roaming\gujghtv

MD5
63e53cb9c5fce8cb51c409a8d2e7def4

SHA1
69aa4c4da55e3d33b60e6198250c47480b9548c9

SHA256
36d5257db370921850cf447f4cbda680121d96604b12a0958434c31d71fa9964

SHA512
c4d0f1a0d9ac9c7e8e711b6426d706fdd8ea359ac4ac60af99a158ab2a75bfcc2d74e5611766d25a0d083cdba490497b250c6c3c2d0d38811572c0abead8a203

Download Submit
memory/1952-125-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3036-119-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/3036-126-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download
memory/3192-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3192-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3468-122-0x00000000006C0000-0x00000000006E5000-memory.dmp

Filesize
148KB

Download
memory/3800-117-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads