smokeloader | 64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331

General

Target

64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
Size

189KB
MD5

c45ae284dcf4a15dbdd913c921e59c28
SHA1

237fade97880ab0eaba0bc461871e66b6530a4c7
SHA256

64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331
SHA512

7914106ea0bf76843523bad1570219c2346439f34e0865056243a6b99001712987bc87d519ab8971fd6d951a2ceadab79fb0627c02eebf35241bb3563d3e3d5d

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3032

pid	process
3032

Suspicious use of SetThreadContext 1 IoCs

Processes:

64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe

description	pid	process	target process
PID 3832 set thread context of 4176	3832	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe

pid	process
4176	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
4176	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe

pid process

4176 64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe

pid	process
3032

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe

description	pid	process	target process
PID 3832 wrote to memory of 4176	3832	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
PID 3832 wrote to memory of 4176	3832	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
PID 3832 wrote to memory of 4176	3832	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
PID 3832 wrote to memory of 4176	3832	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
PID 3832 wrote to memory of 4176	3832	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
PID 3832 wrote to memory of 4176	3832	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe	64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe

C:\Users\Admin\AppData\Local\Temp\64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
"C:\Users\Admin\AppData\Local\Temp\64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe
"C:\Users\Admin\AppData\Local\Temp\64d0a7328d5808964e5c9a906f89af275681e91542839ae2b6ae38bd397bd331.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3032-119-0x0000000002CF0000-0x0000000002D06000-memory.dmp

Filesize
88KB

Download
memory/3832-116-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/4176-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4176-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads