smokeloader | 1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b

General

Target

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Size

454KB
MD5

6df420b5d8bddb0f5ffe3edcc9a4464b
SHA1

80452695af5841bb75d4cfe1f754e49cf329007c
SHA256

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b
SHA512

edb53a617602bf3c6e668ccac4a04856cc15079d65fbcb21ad8c7391d87d72164a21a06a3ed682f9f299597ac46413f89927a3fbab25627b031b90afd8866f2d

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2019

C2

http://topdalescotty.top/xsmkld/index.php

http://billyjimmyer.top/xsmkld/index.php

http://angelmariotti.xyz/xsmkld/index.php

http://tommyhalfigero.top/xsmkld/index.php

http://dannysannyer.top/xsmkld/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Loads dropped DLL 1 IoCs

Processes:

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

pid process

308 1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

pid	process
308	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
308	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

C:\Users\Admin\AppData\Local\Temp\1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
"C:\Users\Admin\AppData\Local\Temp\1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1D86.tmp

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/308-54-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download
memory/308-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/308-57-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1412-58-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1412-59-0x0000000002720000-0x0000000002736000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing