smokeloader | 55712c0eaae89ec89fde46ff7449df5ba9960dd8a20cbb8443971ef849b6dca4

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88cb4b7c1a73f4d2dc0497f1a690c451.exe
Size

332KB
MD5

88cb4b7c1a73f4d2dc0497f1a690c451
SHA1

9721053d30d3c3d129e5b13686bce8a5f7ef50cb
SHA256

55712c0eaae89ec89fde46ff7449df5ba9960dd8a20cbb8443971ef849b6dca4
SHA512

b949cf3a26cdbb349884ed76437b6f95d3449a3de9407b0330bff06424c56fa9fb35affcfaa5f64804e241ea1a7f8e5d8e1a5c20da936a174715c86c5ca32197
SSDEEP

6144:rCy5uK8Ll4lhCYyPVicMXTgM5QJgb7W148zZ+hp0fBa1Ew:GGuzDY0jMUeQJgbVXhp0fQ1Ew

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/768-57-0x0000000000020000-0x0000000000029000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

88cb4b7c1a73f4d2dc0497f1a690c451.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	88cb4b7c1a73f4d2dc0497f1a690c451.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	88cb4b7c1a73f4d2dc0497f1a690c451.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	88cb4b7c1a73f4d2dc0497f1a690c451.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

88cb4b7c1a73f4d2dc0497f1a690c451.exe

pid	process
768	88cb4b7c1a73f4d2dc0497f1a690c451.exe
768	88cb4b7c1a73f4d2dc0497f1a690c451.exe
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

88cb4b7c1a73f4d2dc0497f1a690c451.exe

pid process

768 88cb4b7c1a73f4d2dc0497f1a690c451.exe

C:\Users\Admin\AppData\Local\Temp\88cb4b7c1a73f4d2dc0497f1a690c451.exe
"C:\Users\Admin\AppData\Local\Temp\88cb4b7c1a73f4d2dc0497f1a690c451.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:768

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-55-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/768-56-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/768-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/768-58-0x0000000000400000-0x0000000000857000-memory.dmp

Filesize
4.3MB

Download
memory/768-59-0x0000000000400000-0x0000000000857000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads