smokeloader | 3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115

General

Target

3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
Size

352KB
MD5

421c75538c12cfdf503bba86df4195ee
SHA1

f757d1413ae54ff901ada6a485310c0ae231dbd9
SHA256

3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115
SHA512

d1c550c876741d1d9c64082ae590762f0759c69d0cb6750d0d80bf8d08077959a5d3d614db273ae4ad862f95e9cfa095af1c07eafb7d8573f0c9a05b7e708926

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

cfrjegecfrjege

pid process

3468 cfrjege
2852 cfrjege
Deletes itself 1 IoCs

Processes:

pid process

3000

pid	process
3468	cfrjege
2852	cfrjege

pid	process
3000

Suspicious use of SetThreadContext 2 IoCs

Processes:

3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.execfrjege

description	pid	process	target process
PID 2764 set thread context of 3976	2764	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
PID 3468 set thread context of 2852	3468	cfrjege	cfrjege

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.execfrjege

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfrjege
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfrjege
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfrjege

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe

pid	process
3976	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
3976	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3000
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe

pid process

3976 3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3000
Token: SeCreatePagefilePrivilege 3000

pid	process
3000

description	pid	process
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.execfrjege

description	pid	process	target process
PID 2764 wrote to memory of 3976	2764	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
PID 2764 wrote to memory of 3976	2764	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
PID 2764 wrote to memory of 3976	2764	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
PID 2764 wrote to memory of 3976	2764	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
PID 2764 wrote to memory of 3976	2764	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
PID 2764 wrote to memory of 3976	2764	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe	3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
PID 3468 wrote to memory of 2852	3468	cfrjege	cfrjege
PID 3468 wrote to memory of 2852	3468	cfrjege	cfrjege
PID 3468 wrote to memory of 2852	3468	cfrjege	cfrjege
PID 3468 wrote to memory of 2852	3468	cfrjege	cfrjege
PID 3468 wrote to memory of 2852	3468	cfrjege	cfrjege
PID 3468 wrote to memory of 2852	3468	cfrjege	cfrjege

C:\Users\Admin\AppData\Local\Temp\3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
"C:\Users\Admin\AppData\Local\Temp\3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe
"C:\Users\Admin\AppData\Local\Temp\3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3976

C:\Users\Admin\AppData\Roaming\cfrjege
C:\Users\Admin\AppData\Roaming\cfrjege
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Roaming\cfrjege
C:\Users\Admin\AppData\Roaming\cfrjege
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cfrjege
MD5
421c75538c12cfdf503bba86df4195ee

SHA1
f757d1413ae54ff901ada6a485310c0ae231dbd9

SHA256
3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115

SHA512
d1c550c876741d1d9c64082ae590762f0759c69d0cb6750d0d80bf8d08077959a5d3d614db273ae4ad862f95e9cfa095af1c07eafb7d8573f0c9a05b7e708926

Download Submit
C:\Users\Admin\AppData\Roaming\cfrjege
MD5
421c75538c12cfdf503bba86df4195ee

SHA1
f757d1413ae54ff901ada6a485310c0ae231dbd9

SHA256
3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115

SHA512
d1c550c876741d1d9c64082ae590762f0759c69d0cb6750d0d80bf8d08077959a5d3d614db273ae4ad862f95e9cfa095af1c07eafb7d8573f0c9a05b7e708926

Download Submit
C:\Users\Admin\AppData\Roaming\cfrjege
MD5
421c75538c12cfdf503bba86df4195ee

SHA1
f757d1413ae54ff901ada6a485310c0ae231dbd9

SHA256
3b612ceb7d2bf66a141e439a181a3fdf1c0eb31a1006e4b1d127efe37f1d1115

SHA512
d1c550c876741d1d9c64082ae590762f0759c69d0cb6750d0d80bf8d08077959a5d3d614db273ae4ad862f95e9cfa095af1c07eafb7d8573f0c9a05b7e708926

Download Submit
memory/2764-116-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3000-119-0x00000000013E0000-0x00000000013F6000-memory.dmp

Filesize
88KB

Download
memory/3468-122-0x0000000000650000-0x0000000000679000-memory.dmp

Filesize
164KB

Download
memory/3468-123-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/3976-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3976-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads