smokeloader | 2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9

General

Target

2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
Size

273KB
MD5

eb9789fe77151a7e52b9f73a921231c7
SHA1

4f7755391003bb102269645de1e64b94e9041f3d
SHA256

2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9
SHA512

c26c8dd93867b91057dae52e68a2298923fa966382d0e529a2c066392db37ae333c826cd5c756971bfcdc15e21aebbb65e97d53f58e14dce3507452effe72426
SSDEEP

3072:gBXVf6YeFvwTAJQhiWR5gSMmBlCRwXj12j0OfIjdbdiVRvJTcpyoSbMY5XYgV2qI:glsVJQhnkRwzDOfuxIDcJKVS

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1148-133-0x00000000004B0000-0x00000000004B9000-memory.dmp	family_smokeloader
behavioral1/memory/4612-135-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4612-137-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4612-138-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 1 IoCs

Processes:

seeutsj

pid process

3348 seeutsj

pid	process
3348	seeutsj

Suspicious use of SetThreadContext 1 IoCs

Processes:

2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe

description	pid	process	target process
PID 1148 set thread context of 4612	1148	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe

pid	process
4612	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
4612	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176
2176

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2176
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe

pid process

4612 2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe

pid	process
2176

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176
Token: SeShutdownPrivilege	2176
Token: SeCreatePagefilePrivilege	2176

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

2176
2176

pid	process
2176
2176

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe

description	pid	process	target process
PID 1148 wrote to memory of 4612	1148	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
PID 1148 wrote to memory of 4612	1148	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
PID 1148 wrote to memory of 4612	1148	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
PID 1148 wrote to memory of 4612	1148	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
PID 1148 wrote to memory of 4612	1148	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
PID 1148 wrote to memory of 4612	1148	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe	2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe

C:\Users\Admin\AppData\Local\Temp\2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
"C:\Users\Admin\AppData\Local\Temp\2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe
"C:\Users\Admin\AppData\Local\Temp\2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4612

C:\Users\Admin\AppData\Roaming\seeutsj
C:\Users\Admin\AppData\Roaming\seeutsj
1⤵
- Executes dropped EXE
PID:3348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\seeutsj
Filesize
273KB

MD5
eb9789fe77151a7e52b9f73a921231c7

SHA1
4f7755391003bb102269645de1e64b94e9041f3d

SHA256
2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9

SHA512
c26c8dd93867b91057dae52e68a2298923fa966382d0e529a2c066392db37ae333c826cd5c756971bfcdc15e21aebbb65e97d53f58e14dce3507452effe72426

Download Submit
C:\Users\Admin\AppData\Roaming\seeutsj
Filesize
273KB

MD5
eb9789fe77151a7e52b9f73a921231c7

SHA1
4f7755391003bb102269645de1e64b94e9041f3d

SHA256
2fa1b36ec12cfb8468868b302c85d932424d428b980d2ed8854cf48a0ecab2b9

SHA512
c26c8dd93867b91057dae52e68a2298923fa966382d0e529a2c066392db37ae333c826cd5c756971bfcdc15e21aebbb65e97d53f58e14dce3507452effe72426

Download Submit
memory/1148-132-0x00000000004E9000-0x00000000004F9000-memory.dmp

Filesize
64KB

Download
memory/1148-133-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/1148-136-0x00000000004E9000-0x00000000004F9000-memory.dmp

Filesize
64KB

Download
memory/4612-134-0x0000000000000000-mapping.dmp

Download
memory/4612-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4612-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4612-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads