smokeloader | 95147ab320f09786758083bb44e52ab1b6b951e5cc7ef8edd45cf7431e23e0ca

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-12-2022 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe
Size

328KB
MD5

48b9fa0cc39ab3ee91aa4ed8c8ef61bb
SHA1

3b620aff04f53869bb271dc97a416c91942a012a
SHA256

95147ab320f09786758083bb44e52ab1b6b951e5cc7ef8edd45cf7431e23e0ca
SHA512

7b9ff628a0f55af9e476654f8e0fbf28a75e36bfc471879bdfe0808a612b70e3886ce08397d9c2c49118967c53335e41681da1626fd6b38c2b561412be22a46a
SSDEEP

6144:iYqzGLclqfiFjAIjEc6TMoov/poYm0iPvzpQ6ijLxQFiaI:lwlqfGEjcX/poNxnzpQ6ijqF

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2028-56-0x0000000000230000-0x0000000000239000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe

pid	process
2028	48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe
2028	48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1276
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe

pid process

2028 48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe

pid	process
1276

C:\Users\Admin\AppData\Local\Temp\48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe
"C:\Users\Admin\AppData\Local\Temp\48b9fa0cc39ab3ee91aa4ed8c8ef61bb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-59-0x000007FEF67D0000-0x000007FEF6913000-memory.dmp

Filesize
1.3MB

Download
memory/1276-60-0x000007FEDFA40000-0x000007FEDFA4A000-memory.dmp

Filesize
40KB

Download
memory/2028-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/2028-56-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/2028-55-0x000000000060C000-0x0000000000621000-memory.dmp

Filesize
84KB

Download
memory/2028-57-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2028-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download