smokeloader | f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe
Size

42KB
MD5

31e8b83c5de470dabb7d1e7c0e980ccc
SHA1

4c231411776059620fc4ee5f703296451ed5797d
SHA256

f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82
SHA512

65461eb6e9fc544de135a30f019de5f9bd80d5f8b693850d469b1c928ed00dd9be444b42fecc9e07d4ddd4b0bd4ddd32f01eb6c38c7386f040e0c916c4597c23

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2018

http://servicecredits1.4irc.com/

http://servicecredits2.4irc.com/

http://servicecredits3.4irc.com/

http://servicecredits4.4irc.com/

http://servicecredits5.4irc.com/

http://servicecredits6.4irc.com/

http://servicecredits7.4irc.com/

http://servicecredits8.4irc.com/

http://servicecredits9.4irc.com/

http://servicecredits10.4irc.com/

http://servicecredits11.4irc.com/

http://servicecredits12.4irc.com/

http://servicecredits13.4irc.com/

http://servicecredits14.4irc.com/

http://servicecredits15.4irc.com/

http://servicecredits16.4irc.com/

http://servicecredits17.4irc.com/

http://servicecredits18.4irc.com/

http://servicecredits19.4irc.com/

http://servicecredits20.4irc.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe

pid	process
1320	f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe
1320	f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe

C:\Users\Admin\AppData\Local\Temp\f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe
"C:\Users\Admin\AppData\Local\Temp\f36d5900e6a646e6c35c4961736742f6583b3437ac7c8adc81f388ab38ea7d82.exe"
1⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:1320

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-56-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/1320-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1320-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download