Analysis

max time kernel: 44s
max time network: 49s
platform: windows7_x64
resource: win7-20220414-en
submitted: 07-07-2022 18:10
Static task: static1

Behavioral task: behavioral1
Sample: f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe
Resource: win10v2004-20220414-en
General

Target: f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe
Size: 42KB
MD5: 31e8b83c5de470dabb7d1e7c0e980ccc
SHA1: 4c231411776059620fc4ee5f703296451ed5797d
SHA256: f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82
SHA512: 65461eb6e9fc544de135a30f019de5f9bd80d5f8b693850d469b1c928ed00dd9be444b42fecc9e07d4ddd4b0bd4ddd32f01eb6c38c7386f040e0c916c4597c23
Malware Config

Extracted
Family: smokeloader
Version: 2018
C2 URLs:
http://servicecredits1.4irc.com/
http://servicecredits2.4irc.com/
http://servicecredits3.4irc.com/
http://servicecredits4.4irc.com/
http://servicecredits5.4irc.com/
http://servicecredits6.4irc.com/
http://servicecredits7.4irc.com/
http://servicecredits8.4irc.com/
http://servicecredits9.4irc.com/
http://servicecredits10.4irc.com/
http://servicecredits11.4irc.com/
http://servicecredits12.4irc.com/
http://servicecredits13.4irc.com/
http://servicecredits14.4irc.com/
http://servicecredits15.4irc.com/
http://servicecredits16.4irc.com/
http://servicecredits17.4irc.com/
http://servicecredits18.4irc.com/
http://servicecredits19.4irc.com/
http://servicecredits20.4irc.com/
http://servicecredits21.4irc.com/
http://servicecredits22.4irc.com/
http://servicecredits23.4irc.com/
http://servicecredits24.4irc.com/
http://servicecredits25.4irc.com/
http://servicecredits26.4irc.com/
http://servicecredits27.4irc.com/
http://servicecredits28.4irc.com/
http://servicecredits29.4irc.com/
http://servicecredits30.4irc.com/
http://servicecredits31.4irc.com/
http://servicecredits32.4irc.com/
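The extracted C2 list above is only useful once it is turned into something that runs over DNS or proxy logs. The following is an added example, not part of the sandbox report: it normalises the 32 URLs to hostnames, derives one pattern from them, and matches that pattern against whole hostnames in log lines. The pattern deliberately generalises the numeric suffix (servicecredits<N>.4irc.com for any N); that the operator rotates the counter beyond 32 is an assumption, not something the report states. The log lines at the bottom are constructed for illustration.

```python
"""Turn the extracted SmokeLoader C2 list into a hostname matcher for logs.

Added example, not part of the sandbox report. The log lines are constructed;
the C2 URLs are the 32 the report extracted, regenerated from their pattern.
"""
import re
from urllib.parse import urlsplit

# The 32 extracted C2 URLs: servicecredits1 .. servicecredits32 under 4irc.com.
C2_URLS = [f"http://servicecredits{i}.4irc.com/" for i in range(1, 33)]

# A whole hostname (labels separated by dots, optional trailing dot from DNS logs).
HOST_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\.?",
    re.I,
)


def c2_hosts(urls):
    """Normalise URLs to lower-case hostnames, dropping scheme, port and path."""
    return {urlsplit(u).hostname.lower() for u in urls}


def c2_pattern(hosts):
    """Build one regex covering every host; a host of the form <letters><digits>.<parent>
    is generalised to any digit run (assumption: the counter is rotated by the operator)."""
    families = set()
    for h in hosts:
        m = re.fullmatch(r"([a-z]+)\d+\.(.+)", h)
        families.add((m.group(1), m.group(2)) if m else (h, None))
    alts = []
    for label, parent in sorted(families, key=str):
        if parent is None:
            alts.append(re.escape(label))
        else:
            alts.append(rf"{re.escape(label)}\d+\.{re.escape(parent)}")
    return re.compile("|".join(alts), re.I)


def c2_hits(line, pattern):
    """Return C2 hostnames that appear as complete hostnames in one log line.
    Using fullmatch on each extracted hostname avoids matching
    servicecredits1.4irc.com.example.net, which is a different domain."""
    hits = []
    for tok in HOST_RE.findall(line):
        host = tok.rstrip(".").lower()
        if pattern.fullmatch(host):
            hits.append(host)
    return hits


def scan(log_text, urls=C2_URLS):
    """Map each matching line number (1-based) to the C2 hosts found on it."""
    pattern = c2_pattern(c2_hosts(urls))
    found = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = c2_hits(line, pattern)
        if hits:
            found[n] = hits
    return found


# Constructed log lines (not from the report): one hit from the list, one
# rotated counter beyond 32, one look-alike under another domain, one benign.
SAMPLE_LOG = """\
2022-07-07T18:12:03Z dns client=10.0.2.15 q=servicecredits17.4irc.com. type=A
2022-07-07T18:12:04Z proxy client=10.0.2.15 url=http://servicecredits33.4irc.com/ status=200
2022-07-07T18:12:05Z dns client=10.0.2.16 q=servicecredits1.4irc.com.example.net. type=A
2022-07-07T18:12:06Z dns client=10.0.2.16 q=www.microsoft.com. type=A
"""

if __name__ == "__main__":
    for n, hosts in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hosts)}")
```

If the generalised suffix is not wanted (for example when the list is fed to an exact-match blocklist), pass the output of `c2_hosts` directly to the blocklist and skip `c2_pattern`; the fullmatch-on-hostname step is what prevents the look-alike on line 3 from being reported either way.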
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments. The value queried here (Enum\0) is the device instance path of the first disk, which embeds the vendor and product strings that identify a hypervisor's virtual disk.
Processes:
Process: f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
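To make the signature concrete, the following added example (not code from the sample or from the sandbox) parses the kind of value stored under Disk\Enum\0 and applies the check a loader performs on it. The report does not say which vendor strings this sample compares against, so the marker list is an assumption drawn from common hypervisor product names, and the four instance paths are constructed in the format Windows uses for that value.

```python
r"""Emulate the Disk\Enum sandbox check flagged in the report.

Added example, not from the sample or the sandbox. The loader opens
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum and reads value "0", the device
instance path of the first disk. Virtual disks carry the hypervisor's name in
that string. VM_MARKERS and SAMPLE_DISK_ENUM are assumptions / constructed data.
"""
import sys

DISK_ENUM_KEY = r"SYSTEM\ControlSet001\Services\Disk\Enum"

# Assumed markers: substrings that identify common hypervisors. The sample's
# actual list is not in the report.
VM_MARKERS = ("VBOX", "VMWARE", "VIRTUAL", "QEMU", "XEN")

# Constructed instance paths in the <bus>\<vendor/model>\<instance id> layout.
SAMPLE_DISK_ENUM = {
    "hyperv":   r"SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\000000",
    "vbox":     r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1a2b3c4d&0&0.0.0",
    "vmware":   r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1b2c3d4e&0&000000",
    "physical": r"SCSI\Disk&Ven_SAMSUNG&Prod_MZVLB512HAJQ\4&2a3b4c5d&0&000000",
}


def parse_disk_enum(value):
    """Split an instance path into bus, vendor/model descriptor and instance id."""
    bus, _, rest = value.partition("\\")
    descriptor, _, instance = rest.partition("\\")
    return {"bus": bus, "descriptor": descriptor, "instance": instance}


def looks_virtual(value, markers=VM_MARKERS):
    """The check the loader performs (assumed form): case-insensitive substring
    match on the vendor/model descriptor. Returns the markers that hit, so an
    empty list means 'looks like bare metal'."""
    descriptor = parse_disk_enum(value)["descriptor"].upper()
    return [m for m in markers if m in descriptor]


def read_local_disk_enum():
    """On Windows read the same value the sample reads; elsewhere return None so
    the constructed samples still run. Requires no elevation: the key is
    world-readable, which is why user-mode malware can use it."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISK_ENUM_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "0")
        return value


if __name__ == "__main__":
    for name, path in SAMPLE_DISK_ENUM.items():
        print(f"{name:9s} -> {looks_virtual(path) or 'no VM marker'}")
    local = read_local_disk_enum()
    if local is not None:
        print(f"this host -> {local!r}: {looks_virtual(local) or 'no VM marker'}")
```

For analysis sandboxes the practical consequence is that the vendor/model portion of this value, not just the instance id, must be rewritten to look like a physical disk; for detection, a process launched from a user's Temp directory opening this key is the observable the report records as its IoC.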
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
PID 1320: f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe (both IoCs recorded for this process)

Processes

C:\Users\Admin\AppData\Local\Temp\f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe"
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection