Analysis
max time kernel: 150s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19/12/2022, 09:25

Static task: static1

Behavioral task: behavioral1
Sample: 4b104fabbea467e56782ba6073006e6a.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 4b104fabbea467e56782ba6073006e6a.exe
Resource: win10v2004-20220812-en
General
Target: 4b104fabbea467e56782ba6073006e6a.exe
Size: 215KB
MD5: 4b104fabbea467e56782ba6073006e6a
SHA1: ba3aa8f9547d05b01309d6ac3b2142dadcafa304
SHA256: a2a1210cb259aef978fff5de2bd77447dde10fc62689e2fb1b422cebd24b3269
SHA512: a95401ac891346df204f8284ead4ef4d1c46efd73fd4a7edefdd081d40bf338b83e82342e4cb23571a1a59aaca90dc7de41eb9046c697b97229d235102392dea
SSDEEP: 3072:lnC2vLlB8aRsE7eGAC3D1LmRdhDiLswS+qaNRAtOba+tcdtTYljcbImdzmuX:l/vLlBoApxsqd0qcjEljcbXF
Malware Config

Signatures

Detects Smokeloader packer (1 IoC)
resource: behavioral1/memory/1380-56-0x0000000000220000-0x0000000000229000-memory.dmp
yara_rule: family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4b104fabbea467e56782ba6073006e6a.exe)
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4b104fabbea467e56782ba6073006e6a.exe)
Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4b104fabbea467e56782ba6073006e6a.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process:
1380 4b104fabbea467e56782ba6073006e6a.exe
1380 4b104fabbea467e56782ba6073006e6a.exe
1212 Process not Found (repeated; duplicate entries collapsed)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / Process:
1212 Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid / Process:
1380 4b104fabbea467e56782ba6073006e6a.exe