smokeloader | 1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644

Analysis

max time kernel
175s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
Size

133KB
MD5

834a70d97bac0a08a2c9e095ab365209
SHA1

8972e57640e647836e5a7015f527dcae7563d1a9
SHA256

1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644
SHA512

87d32ef20dfd6830447a672b1cca4c9c0ed3dcd955f142223925df5e874e90fddea5b9962096fc3dba013ce08774828440c70608f1cc59a3d961dc5c59ebc97b
SSDEEP

1536:1BYS7S3Kocpj4pYABORhhzKtqh8/lIHQThOiyChyifFxxEDuoozfhT4Q04jlgHMv:1BYS7S3GyORgzNRTYCEqFEpqT40lWu

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2024-133-0x0000000000640000-0x0000000000649000-memory.dmp	family_smokeloader
behavioral1/memory/4724-135-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4724-136-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4724-138-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/3664-145-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/3664-146-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

dbegrrsdbegrrs4905.exe1.exe52AB.exe5F2F.exe

pid process

3748 dbegrrs
3664 dbegrrs
1796 4905.exe
2120 1.exe
2816 52AB.exe
2156 5F2F.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

4905.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 4905.exe

pid	process
3748	dbegrrs
3664	dbegrrs
1796	4905.exe
2120	1.exe
2816	52AB.exe
2156	5F2F.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4905.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exedbegrrs

description	pid	process	target process
PID 2024 set thread context of 4724	2024	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
PID 3748 set thread context of 3664	3748	dbegrrs	dbegrrs

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exedbegrrs

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dbegrrs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dbegrrs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dbegrrs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe

GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 107 Go-http-client/1.1
HTTP User-Agent header 110 Go-http-client/1.1
HTTP User-Agent header 112 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	107	Go-http-client/1.1
HTTP User-Agent header	110	Go-http-client/1.1
HTTP User-Agent header	112	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe

pid	process
4724	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
4724	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968
968

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

968
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exedbegrrs

pid process

4724 1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
3664 dbegrrs
968
968

pid	process
968

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968
Token: SeShutdownPrivilege	968
Token: SeCreatePagefilePrivilege	968

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exedbegrrs4905.exe

description	pid	process	target process
PID 2024 wrote to memory of 4724	2024	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
PID 2024 wrote to memory of 4724	2024	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
PID 2024 wrote to memory of 4724	2024	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
PID 2024 wrote to memory of 4724	2024	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
PID 2024 wrote to memory of 4724	2024	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
PID 2024 wrote to memory of 4724	2024	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe	1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
PID 3748 wrote to memory of 3664	3748	dbegrrs	dbegrrs
PID 3748 wrote to memory of 3664	3748	dbegrrs	dbegrrs
PID 3748 wrote to memory of 3664	3748	dbegrrs	dbegrrs
PID 3748 wrote to memory of 3664	3748	dbegrrs	dbegrrs
PID 3748 wrote to memory of 3664	3748	dbegrrs	dbegrrs
PID 3748 wrote to memory of 3664	3748	dbegrrs	dbegrrs
PID 968 wrote to memory of 1796	968		4905.exe
PID 968 wrote to memory of 1796	968		4905.exe
PID 968 wrote to memory of 1796	968		4905.exe
PID 1796 wrote to memory of 2120	1796	4905.exe	1.exe
PID 1796 wrote to memory of 2120	1796	4905.exe	1.exe
PID 1796 wrote to memory of 2120	1796	4905.exe	1.exe
PID 968 wrote to memory of 2816	968		52AB.exe
PID 968 wrote to memory of 2816	968		52AB.exe
PID 968 wrote to memory of 2816	968		52AB.exe
PID 968 wrote to memory of 2156	968		5F2F.exe
PID 968 wrote to memory of 2156	968		5F2F.exe
PID 968 wrote to memory of 2156	968		5F2F.exe
PID 968 wrote to memory of 5092	968		explorer.exe
PID 968 wrote to memory of 5092	968		explorer.exe
PID 968 wrote to memory of 5092	968		explorer.exe
PID 968 wrote to memory of 5092	968		explorer.exe

C:\Users\Admin\AppData\Local\Temp\1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
"C:\Users\Admin\AppData\Local\Temp\1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe
"C:\Users\Admin\AppData\Local\Temp\1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4724

C:\Users\Admin\AppData\Roaming\dbegrrs
C:\Users\Admin\AppData\Roaming\dbegrrs
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Roaming\dbegrrs
C:\Users\Admin\AppData\Roaming\dbegrrs
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3664

C:\Users\Admin\AppData\Local\Temp\4905.exe
C:\Users\Admin\AppData\Local\Temp\4905.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
2⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\AppData\Local\Temp\52AB.exe
C:\Users\Admin\AppData\Local\Temp\52AB.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\AppData\Local\Temp\5F2F.exe
C:\Users\Admin\AppData\Local\Temp\5F2F.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4905.exe
Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4905.exe
Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\52AB.exe
Filesize
315KB

MD5
0a52b4c30773a6b11afb4292e2173b2c

SHA1
18241480f3657d4af5db2d14b1c15c7a9c8e6f3c

SHA256
334115cf33cd1112465a8c83328771d21fd37a9e7fbcebb1bdeb4aece2253376

SHA512
fd64be4c8d6fefa4022edb2264825925c15e6994e746131f641128cb354ee2360c3c3adaeae80d4bdb9474635c2442feb68b68ef655ff6b897684a253d5dad57

Download Submit
C:\Users\Admin\AppData\Local\Temp\52AB.exe
Filesize
315KB

MD5
0a52b4c30773a6b11afb4292e2173b2c

SHA1
18241480f3657d4af5db2d14b1c15c7a9c8e6f3c

SHA256
334115cf33cd1112465a8c83328771d21fd37a9e7fbcebb1bdeb4aece2253376

SHA512
fd64be4c8d6fefa4022edb2264825925c15e6994e746131f641128cb354ee2360c3c3adaeae80d4bdb9474635c2442feb68b68ef655ff6b897684a253d5dad57

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F2F.exe
Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F2F.exe
Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Roaming\dbegrrs
Filesize
133KB

MD5
834a70d97bac0a08a2c9e095ab365209

SHA1
8972e57640e647836e5a7015f527dcae7563d1a9

SHA256
1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644

SHA512
87d32ef20dfd6830447a672b1cca4c9c0ed3dcd955f142223925df5e874e90fddea5b9962096fc3dba013ce08774828440c70608f1cc59a3d961dc5c59ebc97b

Download Submit
C:\Users\Admin\AppData\Roaming\dbegrrs
Filesize
133KB

MD5
834a70d97bac0a08a2c9e095ab365209

SHA1
8972e57640e647836e5a7015f527dcae7563d1a9

SHA256
1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644

SHA512
87d32ef20dfd6830447a672b1cca4c9c0ed3dcd955f142223925df5e874e90fddea5b9962096fc3dba013ce08774828440c70608f1cc59a3d961dc5c59ebc97b

Download Submit
C:\Users\Admin\AppData\Roaming\dbegrrs
Filesize
133KB

MD5
834a70d97bac0a08a2c9e095ab365209

SHA1
8972e57640e647836e5a7015f527dcae7563d1a9

SHA256
1bdd67ebc19bcd57fb4ce5ef4be548904d5c250548ea240632e6f61fed279644

SHA512
87d32ef20dfd6830447a672b1cca4c9c0ed3dcd955f142223925df5e874e90fddea5b9962096fc3dba013ce08774828440c70608f1cc59a3d961dc5c59ebc97b

Download Submit
C:\Windows\Temp\1.exe
Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
C:\Windows\Temp\1.exe
Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
memory/1796-147-0x0000000000000000-mapping.dmp

Download
memory/2024-133-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/2024-132-0x000000000067E000-0x000000000068F000-memory.dmp

Filesize
68KB

Download
memory/2024-137-0x000000000067E000-0x000000000068F000-memory.dmp

Filesize
68KB

Download
memory/2120-150-0x0000000000000000-mapping.dmp

Download
memory/2156-156-0x0000000000000000-mapping.dmp

Download
memory/2816-153-0x0000000000000000-mapping.dmp

Download
memory/3664-145-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3664-146-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3664-141-0x0000000000000000-mapping.dmp

Download
memory/3748-144-0x00000000007CD000-0x00000000007DE000-memory.dmp

Filesize
68KB

Download
memory/4724-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4724-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4724-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4724-134-0x0000000000000000-mapping.dmp

Download
memory/5092-159-0x0000000000000000-mapping.dmp

Download
memory/5092-160-0x0000000000960000-0x0000000000967000-memory.dmp

Filesize
28KB

Download
memory/5092-161-0x0000000000950000-0x000000000095B000-memory.dmp

Filesize
44KB

Download