smokeloader | b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e

General

Target

b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe
Size

341KB
MD5

19fd4f92ea1ffb0322c6de541d5dd1c0
SHA1

a91cda13b6ec32603312a97748547e2a8fb7050c
SHA256

b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e
SHA512

8ef4be317d93bc3b739d6d49c8102aaa215e087478f74fea340957e743efbdd3462c58274057e8d13a9c835bce6aa1b8235da03590d8f2934e560eb70db8ab6f
SSDEEP

6144:bNLNLgB+4fH8dx7zEnaD8Djq7VWRFBMolz90VxmF:hxehfcfGaR7VWR5lzexq

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2920-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

E42B.exe

pid process

3860 E42B.exe

pid	process
3860	E42B.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe

pid	process
2920	b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe
2920	b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2748

pid	process
2748

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe

pid	process
2920	b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

description	pid	target process
PID 2748 wrote to memory of 3860	2748	E42B.exe
PID 2748 wrote to memory of 3860	2748	E42B.exe
PID 2748 wrote to memory of 2088	2748	explorer.exe
PID 2748 wrote to memory of 2088	2748	explorer.exe
PID 2748 wrote to memory of 2088	2748	explorer.exe
PID 2748 wrote to memory of 2088	2748	explorer.exe
PID 2748 wrote to memory of 2144	2748	explorer.exe
PID 2748 wrote to memory of 2144	2748	explorer.exe
PID 2748 wrote to memory of 2144	2748	explorer.exe
PID 2748 wrote to memory of 380	2748	explorer.exe
PID 2748 wrote to memory of 380	2748	explorer.exe
PID 2748 wrote to memory of 380	2748	explorer.exe
PID 2748 wrote to memory of 380	2748	explorer.exe
PID 2748 wrote to memory of 5116	2748	explorer.exe
PID 2748 wrote to memory of 5116	2748	explorer.exe
PID 2748 wrote to memory of 5116	2748	explorer.exe
PID 2748 wrote to memory of 4308	2748	explorer.exe
PID 2748 wrote to memory of 4308	2748	explorer.exe
PID 2748 wrote to memory of 4308	2748	explorer.exe
PID 2748 wrote to memory of 4308	2748	explorer.exe
PID 2748 wrote to memory of 2844	2748	explorer.exe
PID 2748 wrote to memory of 2844	2748	explorer.exe
PID 2748 wrote to memory of 2844	2748	explorer.exe
PID 2748 wrote to memory of 2844	2748	explorer.exe
PID 2748 wrote to memory of 692	2748	explorer.exe
PID 2748 wrote to memory of 692	2748	explorer.exe
PID 2748 wrote to memory of 692	2748	explorer.exe
PID 2748 wrote to memory of 692	2748	explorer.exe
PID 2748 wrote to memory of 4012	2748	explorer.exe
PID 2748 wrote to memory of 4012	2748	explorer.exe
PID 2748 wrote to memory of 4012	2748	explorer.exe
PID 2748 wrote to memory of 4524	2748	explorer.exe
PID 2748 wrote to memory of 4524	2748	explorer.exe
PID 2748 wrote to memory of 4524	2748	explorer.exe
PID 2748 wrote to memory of 4524	2748	explorer.exe

C:\Users\Admin\AppData\Local\Temp\b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe
"C:\Users\Admin\AppData\Local\Temp\b07d68525b06686f29948847aea54a4426a7cbeb9375131b9fb2963bf51b8e6e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2920

C:\Users\Admin\AppData\Local\Temp\E42B.exe
C:\Users\Admin\AppData\Local\Temp\E42B.exe
1⤵
- Executes dropped EXE
PID:3860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2088

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2144

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:380

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:692

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E42B.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\E42B.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
memory/380-147-0x0000000000000000-mapping.dmp

Download
memory/380-149-0x0000000000630000-0x0000000000639000-memory.dmp

Filesize
36KB

Download
memory/380-170-0x0000000000640000-0x0000000000645000-memory.dmp

Filesize
20KB

Download
memory/380-148-0x0000000000640000-0x0000000000645000-memory.dmp

Filesize
20KB

Download
memory/692-161-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/692-160-0x0000000000A00000-0x0000000000A06000-memory.dmp

Filesize
24KB

Download
memory/692-159-0x0000000000000000-mapping.dmp

Download
memory/692-174-0x0000000000A00000-0x0000000000A06000-memory.dmp

Filesize
24KB

Download
memory/2088-168-0x0000000000CD0000-0x0000000000CD7000-memory.dmp

Filesize
28KB

Download
memory/2088-143-0x0000000000CC0000-0x0000000000CCB000-memory.dmp

Filesize
44KB

Download
memory/2088-142-0x0000000000CD0000-0x0000000000CD7000-memory.dmp

Filesize
28KB

Download
memory/2088-141-0x0000000000000000-mapping.dmp

Download
memory/2144-144-0x0000000000000000-mapping.dmp

Download
memory/2144-145-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/2144-146-0x00000000009D0000-0x00000000009DF000-memory.dmp

Filesize
60KB

Download
memory/2144-169-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/2844-156-0x0000000000000000-mapping.dmp

Download
memory/2844-157-0x00000000014E0000-0x00000000014E5000-memory.dmp

Filesize
20KB

Download
memory/2844-173-0x00000000014E0000-0x00000000014E5000-memory.dmp

Filesize
20KB

Download
memory/2844-158-0x00000000014D0000-0x00000000014D9000-memory.dmp

Filesize
36KB

Download
memory/2920-132-0x000000000071D000-0x0000000000732000-memory.dmp

Filesize
84KB

Download
memory/2920-135-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2920-134-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2920-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/3860-139-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/3860-136-0x0000000000000000-mapping.dmp

Download
memory/3860-140-0x00007FF953110000-0x00007FF953BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4012-175-0x00000000006A0000-0x00000000006A7000-memory.dmp

Filesize
28KB

Download
memory/4012-162-0x0000000000000000-mapping.dmp

Download
memory/4012-163-0x00000000006A0000-0x00000000006A7000-memory.dmp

Filesize
28KB

Download
memory/4012-164-0x0000000000690000-0x000000000069D000-memory.dmp

Filesize
52KB

Download
memory/4308-154-0x0000000001500000-0x0000000001522000-memory.dmp

Filesize
136KB

Download
memory/4308-155-0x00000000014D0000-0x00000000014F7000-memory.dmp

Filesize
156KB

Download
memory/4308-153-0x0000000000000000-mapping.dmp

Download
memory/4308-172-0x0000000001500000-0x0000000001522000-memory.dmp

Filesize
136KB

Download
memory/4524-166-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/4524-167-0x0000000000C10000-0x0000000000C1B000-memory.dmp

Filesize
44KB

Download
memory/4524-165-0x0000000000000000-mapping.dmp

Download
memory/4524-176-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/5116-171-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/5116-152-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/5116-151-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/5116-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads