smokeloader | 9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9

General

Target

9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
Size

197KB
MD5

285b7f54e0dc93cf9c5a286cde839702
SHA1

34ca7fb36b646ef7e6206baac74e426daea31739
SHA256

9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9
SHA512

0a3e5b0e4444d8c545d3322c5234b9c26fd5c750f4e5046a469eb2786d61d5953f61fc63f6cdcdb3afe707540c437eba5b458bb399ceef6c74a1cff9337f0df6
SSDEEP

3072:l4IsMEcLfZ4UFrSN5CwukCL+obJVcBAVyYBE4H/PkkXx:FrLflFr7wunL5bJVXyYBE

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-142-0x00000000022A0000-0x00000000022A9000-memory.dmp	family_smokeloader
behavioral1/memory/5096-145-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/5096-146-0x0000000000402DD8-mapping.dmp	family_smokeloader
behavioral1/memory/5096-154-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/5096-178-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

2056

pid	process
2056

Suspicious use of SetThreadContext 1 IoCs

Processes:

9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe

description	pid	process	target process
PID 1968 set thread context of 5096	1968	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe

pid	process
5096	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
5096	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2056
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe

pid process

5096 9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe

pid	process
2056

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe

description	pid	process	target process
PID 1968 wrote to memory of 5096	1968	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
PID 1968 wrote to memory of 5096	1968	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
PID 1968 wrote to memory of 5096	1968	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
PID 1968 wrote to memory of 5096	1968	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
PID 1968 wrote to memory of 5096	1968	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
PID 1968 wrote to memory of 5096	1968	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe	9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe

C:\Users\Admin\AppData\Local\Temp\9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
"C:\Users\Admin\AppData\Local\Temp\9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe
"C:\Users\Admin\AppData\Local\Temp\9244af66faa93627eb34a83316771dd041b094c13eee63da74e09c706b3028e9.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1968-116-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-117-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-118-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-119-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-120-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-121-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-122-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-123-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-124-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-127-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-126-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-128-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-125-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-129-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-130-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-131-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-132-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-133-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-134-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-135-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-136-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-137-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-138-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-139-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-140-0x00000000007C6000-0x00000000007D7000-memory.dmp

Filesize
68KB

Download
memory/1968-141-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-142-0x00000000022A0000-0x00000000022A9000-memory.dmp

Filesize
36KB

Download
memory/1968-143-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-144-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-148-0x00000000007C6000-0x00000000007D7000-memory.dmp

Filesize
68KB

Download
memory/5096-145-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5096-146-0x0000000000402DD8-mapping.dmp

Download
memory/5096-147-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-149-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-150-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-151-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-153-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-152-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-155-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-156-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-157-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-158-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-154-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5096-159-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-160-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-161-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-162-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-163-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-164-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-165-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-166-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-167-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-169-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-168-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-170-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-171-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-172-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-173-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-174-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-175-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-176-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-177-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-178-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads