smokeloader | 1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b

General

Target

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Size

454KB
MD5

6df420b5d8bddb0f5ffe3edcc9a4464b
SHA1

80452695af5841bb75d4cfe1f754e49cf329007c
SHA256

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b
SHA512

edb53a617602bf3c6e668ccac4a04856cc15079d65fbcb21ad8c7391d87d72164a21a06a3ed682f9f299597ac46413f89927a3fbab25627b031b90afd8866f2d

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2019

C2

http://topdalescotty.top/xsmkld/index.php

http://billyjimmyer.top/xsmkld/index.php

http://angelmariotti.xyz/xsmkld/index.php

http://tommyhalfigero.top/xsmkld/index.php

http://dannysannyer.top/xsmkld/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Loads dropped DLL 1 IoCs

Processes:

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

pid process

2756 1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

pid	process
2756	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
2756	1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe

C:\Users\Admin\AppData\Local\Temp\1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe
"C:\Users\Admin\AppData\Local\Temp\1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2756

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1D86.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/2756-115-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2756-116-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/2892-118-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/2892-119-0x00000000013C0000-0x00000000013D6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing