smokeloader | 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b

General

Target

9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
Size

87KB
MD5

79c2c4246b1db86c53592afcf57a6ce4
SHA1

f37eb98147abae0a8fa5d27d9f0d43b276ebda84
SHA256

9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b
SHA512

6dafe326c3251aef997d39ca2c4dd2c4abfc05ff13b3a86e852d3267f1275167eebdda9c3a1779602a053ddaa3e8f044bbcadacf382547fec1d21d87b198809d

Score

10^/10

smokeloader backdoor cryptone packer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://lendojekam.xyz/index.php

http://lpequdeliren.fun/index.php

http://lgrarcosbann.club/index.php

http://flablenitev.site/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\egaafac	cryptone
C:\Users\Admin\AppData\Roaming\egaafac	cryptone

Executes dropped EXE 1 IoCs

Processes:

egaafac

pid process

3128 egaafac
Loads dropped DLL 2 IoCs

Processes:

9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exeegaafac

pid process

2352 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
3128 egaafac

pid	process
3128	egaafac

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exeegaafac

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	egaafac
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	egaafac
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	egaafac

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe

pid	process
2352	9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
2352	9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exeegaafac

pid process

2352 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
3128 egaafac

pid	process
3032

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

3032
3032
3032
3032

pid	process
3032
3032
3032
3032

C:\Users\Admin\AppData\Local\Temp\9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
"C:\Users\Admin\AppData\Local\Temp\9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2352

C:\Users\Admin\AppData\Roaming\egaafac
C:\Users\Admin\AppData\Roaming\egaafac
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9A26.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A26.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A26.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Roaming\egaafac
Filesize
87KB

MD5
79c2c4246b1db86c53592afcf57a6ce4

SHA1
f37eb98147abae0a8fa5d27d9f0d43b276ebda84

SHA256
9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b

SHA512
6dafe326c3251aef997d39ca2c4dd2c4abfc05ff13b3a86e852d3267f1275167eebdda9c3a1779602a053ddaa3e8f044bbcadacf382547fec1d21d87b198809d

Download Submit
C:\Users\Admin\AppData\Roaming\egaafac
Filesize
87KB

MD5
79c2c4246b1db86c53592afcf57a6ce4

SHA1
f37eb98147abae0a8fa5d27d9f0d43b276ebda84

SHA256
9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b

SHA512
6dafe326c3251aef997d39ca2c4dd2c4abfc05ff13b3a86e852d3267f1275167eebdda9c3a1779602a053ddaa3e8f044bbcadacf382547fec1d21d87b198809d

Download Submit
memory/2352-130-0x0000000002160000-0x000000000216A000-memory.dmp

Filesize
40KB

Download
memory/2352-131-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3032-133-0x00000000033D0000-0x00000000033E6000-memory.dmp

Filesize
88KB

Download
memory/3032-139-0x0000000003480000-0x0000000003496000-memory.dmp

Filesize
88KB

Download
memory/3128-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads