smokeloader | b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319

Analysis

max time kernel
150s
max time network
140s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
28/11/2022, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
Size

456KB
MD5

55b8bd9e2420f79afb0b3e1dd8a33076
SHA1

94ab22b20ae4035cc3d57744883e8c31eef4188a
SHA256

b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319
SHA512

5a126991b073432d53504dd97c7404bac0bdb784662133b1aae44d52a255b0923c60cbd96505d16de8dab140470b5519a975d8b753f0ea24f9271071ad0925d9
SSDEEP

12288:nykzrbETClqHskFgFwIyXCDf6yTy6rLhnfOWEeIc4Yh:h76CsskFgqIyXNMLhZtMY

Score

10^/10

smokeloader backdoor collection trojan

Malware Config

Signatures

Detects Smokeloader packer 5 IoCs

resource	yara_rule
behavioral1/memory/4608-189-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4608-221-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4608-222-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/616-395-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/616-396-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 2 IoCs

pid	Process
4812	rfwuaur
616	rfwuaur

Deletes itself 1 IoCs

pid	Process
3068	Process not Found

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 344 set thread context of 4608	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	68
PID 4812 set thread context of 616	4812	rfwuaur	72

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rfwuaur
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rfwuaur
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rfwuaur
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
4608	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
4608	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3068	Process not Found

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4608	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
616	rfwuaur

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
Token: SeShutdownPrivilege	3068	Process not Found
Token: SeCreatePagefilePrivilege	3068	Process not Found
Token: SeShutdownPrivilege	3068	Process not Found
Token: SeCreatePagefilePrivilege	3068	Process not Found

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 3840	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	67
PID 344 wrote to memory of 3840	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	67
PID 344 wrote to memory of 3840	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	67
PID 344 wrote to memory of 4608	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	68
PID 344 wrote to memory of 4608	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	68
PID 344 wrote to memory of 4608	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	68
PID 344 wrote to memory of 4608	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	68
PID 344 wrote to memory of 4608	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	68
PID 344 wrote to memory of 4608	344	b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe	68
PID 3068 wrote to memory of 4260	3068	Process not Found	69
PID 3068 wrote to memory of 4260	3068	Process not Found	69
PID 3068 wrote to memory of 4260	3068	Process not Found	69
PID 3068 wrote to memory of 4260	3068	Process not Found	69
PID 3068 wrote to memory of 4444	3068	Process not Found	70
PID 3068 wrote to memory of 4444	3068	Process not Found	70
PID 3068 wrote to memory of 4444	3068	Process not Found	70
PID 4812 wrote to memory of 616	4812	rfwuaur	72
PID 4812 wrote to memory of 616	4812	rfwuaur	72
PID 4812 wrote to memory of 616	4812	rfwuaur	72
PID 4812 wrote to memory of 616	4812	rfwuaur	72
PID 4812 wrote to memory of 616	4812	rfwuaur	72
PID 4812 wrote to memory of 616	4812	rfwuaur	72

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
"C:\Users\Admin\AppData\Local\Temp\b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:344
- C:\Users\Admin\AppData\Local\Temp\b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
  "{path}"
  2⤵
  PID:3840
- C:\Users\Admin\AppData\Local\Temp\b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319.exe
  "{path}"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4608

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4260

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4444

C:\Users\Admin\AppData\Roaming\rfwuaur
C:\Users\Admin\AppData\Roaming\rfwuaur
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Roaming\rfwuaur
  "{path}"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rfwuaur

Filesize
456KB

MD5
55b8bd9e2420f79afb0b3e1dd8a33076

SHA1
94ab22b20ae4035cc3d57744883e8c31eef4188a

SHA256
b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319

SHA512
5a126991b073432d53504dd97c7404bac0bdb784662133b1aae44d52a255b0923c60cbd96505d16de8dab140470b5519a975d8b753f0ea24f9271071ad0925d9

Download Submit
C:\Users\Admin\AppData\Roaming\rfwuaur

Filesize
456KB

MD5
55b8bd9e2420f79afb0b3e1dd8a33076

SHA1
94ab22b20ae4035cc3d57744883e8c31eef4188a

SHA256
b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319

SHA512
5a126991b073432d53504dd97c7404bac0bdb784662133b1aae44d52a255b0923c60cbd96505d16de8dab140470b5519a975d8b753f0ea24f9271071ad0925d9

Download Submit
C:\Users\Admin\AppData\Roaming\rfwuaur

Filesize
456KB

MD5
55b8bd9e2420f79afb0b3e1dd8a33076

SHA1
94ab22b20ae4035cc3d57744883e8c31eef4188a

SHA256
b858414f82da91b44da1734432929660a2b866f5a424d88d4f60b6c0ffba9319

SHA512
5a126991b073432d53504dd97c7404bac0bdb784662133b1aae44d52a255b0923c60cbd96505d16de8dab140470b5519a975d8b753f0ea24f9271071ad0925d9

Download Submit
memory/344-162-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-182-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-125-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-126-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-127-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-128-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-129-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-130-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-131-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-132-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-133-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-134-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-135-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-137-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-138-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-140-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-141-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-139-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-136-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-142-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-163-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-144-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-145-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-146-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-147-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-165-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-150-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-149-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-151-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-152-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-153-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-154-0x0000000000050000-0x00000000000C8000-memory.dmp

Filesize
480KB

Download
memory/344-155-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/344-156-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-157-0x0000000004980000-0x0000000004A12000-memory.dmp

Filesize
584KB

Download
memory/344-159-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-158-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-160-0x0000000004A20000-0x0000000004ABC000-memory.dmp

Filesize
624KB

Download
memory/344-161-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-120-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-143-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-124-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-148-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-166-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-167-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-168-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-169-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-170-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-171-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-172-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-173-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-174-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-175-0x00000000048E0000-0x00000000048EA000-memory.dmp

Filesize
40KB

Download
memory/344-176-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-177-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-178-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-181-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-180-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-179-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-164-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-183-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/344-184-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-185-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-186-0x0000000008550000-0x00000000085B6000-memory.dmp

Filesize
408KB

Download
memory/344-187-0x0000000004DD0000-0x0000000004DDE000-memory.dmp

Filesize
56KB

Download
memory/344-188-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-121-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-122-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-123-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/616-396-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/616-395-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4260-296-0x0000000000600000-0x000000000066B000-memory.dmp

Filesize
428KB

Download
memory/4260-279-0x0000000000670000-0x00000000006E4000-memory.dmp

Filesize
464KB

Download
memory/4444-283-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/4608-221-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4608-222-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4608-191-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/4608-192-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/4608-189-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4812-359-0x0000000005B20000-0x0000000005B32000-memory.dmp

Filesize
72KB

Download