smokeloader | fc20b03299b8ae91e72e104ee4f18e40125b2b061f1509d1c5b3f9fac3104934

Resubmissions

11/01/2023, 13:54 UTC

230111-q71fqsdb89 10

27/08/2020, 15:49 UTC

200827-v6tcrvw9es 10

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
11/01/2023, 13:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smoke.exe
Size

329KB
MD5

5fc6f24d43bc7ca45a81d159291955d1
SHA1

72fc3ce96bd9406215cec015d70bbb67318f1e23
SHA256

fc20b03299b8ae91e72e104ee4f18e40125b2b061f1509d1c5b3f9fac3104934
SHA512

b39488cfaec3bbe93fc4b22f92edfc3b2b729e6f75a472d722418b259fc9c74faae60f5126384dc242ba1b42300e60428c7c530982550625cd59e1684f7c9380
SSDEEP

6144:8OZsdXcUIAoUKjiXeZtna8UtDpiyeMTHSN+5qm:8OZQXcDkLuTa8UtteCHP

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2019

http://protest-01242505.tk/

http://test-service012505.ru.com/

http://test-service012505.pw/

http://test-service012505.com/

http://test-service012505.site/

http://test-service012505.store/

http://test-service01242505.ru/

http://mytest-service012505.ru/

http://test-service012505.su/

http://test-service012505.info/

http://test-service012505.net/

http://test-service012505.tech/

http://test-service012505.online/

http://rutest-service012505.ru/

http://test-service01dom2505.ru/

http://test-service012505.website/

http://test-service012505.xyz/

http://test-service01pro2505.ru/

http://test-service01rus2505.ru/

http://test-service012505.eu/

rc4.i32

1
0xaf03e678

rc4.i32

1
0x78821544

Signatures

Detects Smokeloader packer 3 IoCs

resource	yara_rule
behavioral1/memory/1796-57-0x0000000000570000-0x0000000000580000-memory.dmp	family_smokeloader
behavioral1/memory/1192-55-0x0000000000400000-0x000000000040C000-memory.dmp	family_smokeloader
behavioral1/memory/1192-60-0x0000000000400000-0x000000000040C000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Loads dropped DLL 1 IoCs

pid	Process
1192	smoke.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 1192	1796	smoke.exe	28

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	smoke.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	smoke.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	smoke.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1192	smoke.exe
1192	smoke.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1192	1796	smoke.exe	28
PID 1796 wrote to memory of 1192	1796	smoke.exe	28
PID 1796 wrote to memory of 1192	1796	smoke.exe	28
PID 1796 wrote to memory of 1192	1796	smoke.exe	28
PID 1796 wrote to memory of 1192	1796	smoke.exe	28
PID 1796 wrote to memory of 1192	1796	smoke.exe	28
PID 1796 wrote to memory of 1192	1796	smoke.exe	28

C:\Users\Admin\AppData\Local\Temp\smoke.exe
"C:\Users\Admin\AppData\Local\Temp\smoke.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\smoke.exe
  "C:\Users\Admin\AppData\Local\Temp\smoke.exe"
  2⤵
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\4DD3.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/1192-58-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1192-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1192-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1204-61-0x0000000002A30000-0x0000000002A47000-memory.dmp

Filesize
92KB

Download
memory/1796-54-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/1796-57-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download