smokeloader | 4ff32cd7d9a37a73d8c836a7c5a32792281e46b3f2d8a17fd535a4c90fe65680

General

Target

df689aafc37fe83d1f76984911e4d6c2.exe
Size

264KB
MD5

df689aafc37fe83d1f76984911e4d6c2
SHA1

e90bd78e5e110fe2d306ecc8e8cadf19de78564c
SHA256

4ff32cd7d9a37a73d8c836a7c5a32792281e46b3f2d8a17fd535a4c90fe65680
SHA512

435fd573b94e4fc3c53bc5d7bf56a3e83a434da4c60a7bc960f572afbf726c00c916dab41e342b2b473b5d61a99679728f478d623a0fc7b987c6b78c8f87e4aa

Score

10^/10

smokeloader backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://coralee.at/upload/

http://ducvietcao.com/upload/

http://biz-acc.ru/upload/

http://toimap.com/upload/

http://bbb7d.com/upload/

http://piratia-life.ru/upload/

http://curvreport.com/upload/

http://viagratos.com/upload/

http://mordo.ru/upload/

http://pkodev.net/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

C6E7.exeDE6E.exe

pid process

972 C6E7.exe
1844 DE6E.exe
Deletes itself 1 IoCs

Processes:

pid process

1180
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

1760 WerFault.exe
1760 WerFault.exe
1760 WerFault.exe
1760 WerFault.exe
1760 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1760 972 WerFault.exe C6E7.exe

pid	process
972	C6E7.exe
1844	DE6E.exe

pid	process
1180

pid	process
1760	WerFault.exe
1760	WerFault.exe
1760	WerFault.exe
1760	WerFault.exe
1760	WerFault.exe

pid	pid_target	process	target process
1760	972	WerFault.exe	C6E7.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

df689aafc37fe83d1f76984911e4d6c2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	df689aafc37fe83d1f76984911e4d6c2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	df689aafc37fe83d1f76984911e4d6c2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	df689aafc37fe83d1f76984911e4d6c2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

df689aafc37fe83d1f76984911e4d6c2.exe

pid	process
1736	df689aafc37fe83d1f76984911e4d6c2.exe
1736	df689aafc37fe83d1f76984911e4d6c2.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1180
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

df689aafc37fe83d1f76984911e4d6c2.exe

pid process

1736 df689aafc37fe83d1f76984911e4d6c2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DE6E.exe

description pid process

Token: SeShutdownPrivilege 1180
Token: SeDebugPrivilege 1844 DE6E.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1180
1180
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1180
1180

pid	process
1180

description	pid	process
Token: SeShutdownPrivilege	1180
Token: SeDebugPrivilege	1844	DE6E.exe

pid	process
1180
1180

pid	process
1180
1180

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

C6E7.exe

description	pid	process	target process
PID 1180 wrote to memory of 972	1180		C6E7.exe
PID 1180 wrote to memory of 972	1180		C6E7.exe
PID 1180 wrote to memory of 972	1180		C6E7.exe
PID 1180 wrote to memory of 972	1180		C6E7.exe
PID 972 wrote to memory of 1760	972	C6E7.exe	WerFault.exe
PID 972 wrote to memory of 1760	972	C6E7.exe	WerFault.exe
PID 972 wrote to memory of 1760	972	C6E7.exe	WerFault.exe
PID 972 wrote to memory of 1760	972	C6E7.exe	WerFault.exe
PID 1180 wrote to memory of 1844	1180		DE6E.exe
PID 1180 wrote to memory of 1844	1180		DE6E.exe
PID 1180 wrote to memory of 1844	1180		DE6E.exe
PID 1180 wrote to memory of 1844	1180		DE6E.exe

C:\Users\Admin\AppData\Local\Temp\df689aafc37fe83d1f76984911e4d6c2.exe
"C:\Users\Admin\AppData\Local\Temp\df689aafc37fe83d1f76984911e4d6c2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1736

C:\Users\Admin\AppData\Local\Temp\C6E7.exe
C:\Users\Admin\AppData\Local\Temp\C6E7.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 176
2⤵
- Loads dropped DLL
- Program crash
PID:1760

C:\Users\Admin\AppData\Local\Temp\DE6E.exe
C:\Users\Admin\AppData\Local\Temp\DE6E.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C6E7.exe
MD5
85672c5beb6c2f6d314f664c0aa7ccbc

SHA1
851d1d80843e61c5ed1553ec3a876b38af8eba4a

SHA256
f1001b6e11acf408c344adf6e0f99a2633b8bdd3d7c52fb42ee967164632ccac

SHA512
bc4bb8fa39cd617a29f529bbc249ee2f26fb100c35ada84651f8b2406b5979755f6fa0efff72c0132cf5570c5bd53d9573e60dc5d2b014914e37a1ab83a2c5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE6E.exe
MD5
27638182e40c220ac8f72b5cfc50416c

SHA1
cc39001d83cb188e307e355d3bf70c63ca8d9615

SHA256
4efa2ba1b9de97bc6a7590c9d997d8d8f667a42de96b809b0df04b7d2ec7008e

SHA512
a229a4242c0bdc66bb83cff8e27710e57fb23e6ffd635785bb8a93db745cafaf77f05fff5b6cd598e1454726a34de19c9962c79af7466db332a562bd8b141c5a

Download Submit
\Users\Admin\AppData\Local\Temp\C6E7.exe
MD5
85672c5beb6c2f6d314f664c0aa7ccbc

SHA1
851d1d80843e61c5ed1553ec3a876b38af8eba4a

SHA256
f1001b6e11acf408c344adf6e0f99a2633b8bdd3d7c52fb42ee967164632ccac

SHA512
bc4bb8fa39cd617a29f529bbc249ee2f26fb100c35ada84651f8b2406b5979755f6fa0efff72c0132cf5570c5bd53d9573e60dc5d2b014914e37a1ab83a2c5ce

Download Submit
\Users\Admin\AppData\Local\Temp\C6E7.exe
MD5
85672c5beb6c2f6d314f664c0aa7ccbc

SHA1
851d1d80843e61c5ed1553ec3a876b38af8eba4a

SHA256
f1001b6e11acf408c344adf6e0f99a2633b8bdd3d7c52fb42ee967164632ccac

SHA512
bc4bb8fa39cd617a29f529bbc249ee2f26fb100c35ada84651f8b2406b5979755f6fa0efff72c0132cf5570c5bd53d9573e60dc5d2b014914e37a1ab83a2c5ce

Download Submit
\Users\Admin\AppData\Local\Temp\C6E7.exe
MD5
85672c5beb6c2f6d314f664c0aa7ccbc

SHA1
851d1d80843e61c5ed1553ec3a876b38af8eba4a

SHA256
f1001b6e11acf408c344adf6e0f99a2633b8bdd3d7c52fb42ee967164632ccac

SHA512
bc4bb8fa39cd617a29f529bbc249ee2f26fb100c35ada84651f8b2406b5979755f6fa0efff72c0132cf5570c5bd53d9573e60dc5d2b014914e37a1ab83a2c5ce

Download Submit
\Users\Admin\AppData\Local\Temp\C6E7.exe
MD5
85672c5beb6c2f6d314f664c0aa7ccbc

SHA1
851d1d80843e61c5ed1553ec3a876b38af8eba4a

SHA256
f1001b6e11acf408c344adf6e0f99a2633b8bdd3d7c52fb42ee967164632ccac

SHA512
bc4bb8fa39cd617a29f529bbc249ee2f26fb100c35ada84651f8b2406b5979755f6fa0efff72c0132cf5570c5bd53d9573e60dc5d2b014914e37a1ab83a2c5ce

Download Submit
\Users\Admin\AppData\Local\Temp\C6E7.exe
MD5
85672c5beb6c2f6d314f664c0aa7ccbc

SHA1
851d1d80843e61c5ed1553ec3a876b38af8eba4a

SHA256
f1001b6e11acf408c344adf6e0f99a2633b8bdd3d7c52fb42ee967164632ccac

SHA512
bc4bb8fa39cd617a29f529bbc249ee2f26fb100c35ada84651f8b2406b5979755f6fa0efff72c0132cf5570c5bd53d9573e60dc5d2b014914e37a1ab83a2c5ce

Download Submit
memory/972-61-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download
memory/1180-59-0x0000000002A10000-0x0000000002A26000-memory.dmp

Filesize
88KB

Download
memory/1736-58-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1736-57-0x00000000749A1000-0x00000000749A3000-memory.dmp

Filesize
8KB

Download
memory/1736-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1736-54-0x000000000055E000-0x0000000000567000-memory.dmp

Filesize
36KB

Download
memory/1736-55-0x000000000055E000-0x0000000000567000-memory.dmp

Filesize
36KB

Download
memory/1844-69-0x0000000001F80000-0x0000000001FB0000-memory.dmp

Filesize
192KB

Download
memory/1844-68-0x00000000005AE000-0x00000000005D8000-memory.dmp

Filesize
168KB

Download
memory/1844-70-0x0000000002000000-0x000000000202E000-memory.dmp

Filesize
184KB

Download
memory/1844-71-0x00000000005AE000-0x00000000005D8000-memory.dmp

Filesize
168KB

Download
memory/1844-72-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1844-73-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1844-74-0x00000000735D0000-0x0000000073CBE000-memory.dmp

Filesize
6.9MB

Download
memory/1844-76-0x00000000049C2000-0x00000000049C3000-memory.dmp

Filesize
4KB

Download
memory/1844-75-0x00000000049C1000-0x00000000049C2000-memory.dmp

Filesize
4KB

Download
memory/1844-77-0x00000000049C4000-0x00000000049C6000-memory.dmp

Filesize
8KB

Download
memory/1844-78-0x00000000049C3000-0x00000000049C4000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads