smokeloader | 4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f

General

Target

4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
Size

353KB
MD5

2a4c49e945f90e73cce06d8aec8a0e28
SHA1

63e6e1d365489499711998c0ddcc3d3136b2ac20
SHA256

4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f
SHA512

130f0b86e7d22b97b3f6670f67caf58bc4f2c70eb5d85c4db20ded68ef34b345c591e59d4a00d63ecc314ade7e472dcaa8bd59603788d46107b06d5091a2993c

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

2472

pid	process
2472

Suspicious use of SetThreadContext 1 IoCs

Processes:

4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe

description	pid	process	target process
PID 3240 set thread context of 1344	3240	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe

pid	process
1344	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
1344	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472
2472

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2472
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe

pid process

1344 4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe

pid	process
2472

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe

description	pid	process	target process
PID 3240 wrote to memory of 1344	3240	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
PID 3240 wrote to memory of 1344	3240	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
PID 3240 wrote to memory of 1344	3240	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
PID 3240 wrote to memory of 1344	3240	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
PID 3240 wrote to memory of 1344	3240	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
PID 3240 wrote to memory of 1344	3240	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe	4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe

C:\Users\Admin\AppData\Local\Temp\4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
"C:\Users\Admin\AppData\Local\Temp\4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe
"C:\Users\Admin\AppData\Local\Temp\4aa172db146bd1a8e35c90ff812c574d9a639d7ffc093c2ba53ab4146c252f2f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1344-119-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1344-120-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2472-121-0x0000000000F50000-0x0000000000F66000-memory.dmp

Filesize
88KB

Download
memory/3240-118-0x0000000000810000-0x0000000000839000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads