smokeloader | 9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2

General

Target

9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
Size

356KB
MD5

84d78927a5bc7c3c510333cf89cb49e3
SHA1

a47a1a90351cb8287e38db9fe65b815718c4d035
SHA256

9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2
SHA512

c76b4fa28ba5f122d509cd29f19cfbd35901272afa69a58330495b7aba1454ce25aafa873297c12057115fbc23882b8bb5bcec723760feb18638f760bf138feb

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

rwvwitfrwvwitf

pid process

3416 rwvwitf
2816 rwvwitf
Deletes itself 1 IoCs

Processes:

pid process

3064

pid	process
3416	rwvwitf
2816	rwvwitf

pid	process
3064

Suspicious use of SetThreadContext 2 IoCs

Processes:

9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exerwvwitf

description	pid	process	target process
PID 708 set thread context of 656	708	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
PID 3416 set thread context of 2816	3416	rwvwitf	rwvwitf

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exerwvwitf

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rwvwitf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rwvwitf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rwvwitf

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe

pid	process
656	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
656	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exerwvwitf

pid process

656 9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
2816 rwvwitf
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3064
Token: SeCreatePagefilePrivilege 3064

pid	process
3064

description	pid	process
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exerwvwitf

description	pid	process	target process
PID 708 wrote to memory of 656	708	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
PID 708 wrote to memory of 656	708	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
PID 708 wrote to memory of 656	708	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
PID 708 wrote to memory of 656	708	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
PID 708 wrote to memory of 656	708	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
PID 708 wrote to memory of 656	708	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe	9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
PID 3416 wrote to memory of 2816	3416	rwvwitf	rwvwitf
PID 3416 wrote to memory of 2816	3416	rwvwitf	rwvwitf
PID 3416 wrote to memory of 2816	3416	rwvwitf	rwvwitf
PID 3416 wrote to memory of 2816	3416	rwvwitf	rwvwitf
PID 3416 wrote to memory of 2816	3416	rwvwitf	rwvwitf
PID 3416 wrote to memory of 2816	3416	rwvwitf	rwvwitf

C:\Users\Admin\AppData\Local\Temp\9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
"C:\Users\Admin\AppData\Local\Temp\9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:708

C:\Users\Admin\AppData\Local\Temp\9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe
"C:\Users\Admin\AppData\Local\Temp\9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:656

C:\Users\Admin\AppData\Roaming\rwvwitf
C:\Users\Admin\AppData\Roaming\rwvwitf
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Roaming\rwvwitf
C:\Users\Admin\AppData\Roaming\rwvwitf
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rwvwitf
MD5
84d78927a5bc7c3c510333cf89cb49e3

SHA1
a47a1a90351cb8287e38db9fe65b815718c4d035

SHA256
9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2

SHA512
c76b4fa28ba5f122d509cd29f19cfbd35901272afa69a58330495b7aba1454ce25aafa873297c12057115fbc23882b8bb5bcec723760feb18638f760bf138feb

Download Submit
C:\Users\Admin\AppData\Roaming\rwvwitf
MD5
84d78927a5bc7c3c510333cf89cb49e3

SHA1
a47a1a90351cb8287e38db9fe65b815718c4d035

SHA256
9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2

SHA512
c76b4fa28ba5f122d509cd29f19cfbd35901272afa69a58330495b7aba1454ce25aafa873297c12057115fbc23882b8bb5bcec723760feb18638f760bf138feb

Download Submit
C:\Users\Admin\AppData\Roaming\rwvwitf
MD5
84d78927a5bc7c3c510333cf89cb49e3

SHA1
a47a1a90351cb8287e38db9fe65b815718c4d035

SHA256
9aec9590d7bf877904bebc6e4c8e8ac9968ed51a1e2bea86e9008ce48faaf8a2

SHA512
c76b4fa28ba5f122d509cd29f19cfbd35901272afa69a58330495b7aba1454ce25aafa873297c12057115fbc23882b8bb5bcec723760feb18638f760bf138feb

Download Submit
memory/656-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/656-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/708-116-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/2816-125-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3064-119-0x0000000000F80000-0x0000000000F96000-memory.dmp

Filesize
88KB

Download
memory/3064-126-0x0000000000FA0000-0x0000000000FB6000-memory.dmp

Filesize
88KB

Download
memory/3416-122-0x0000000000660000-0x0000000000689000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads