smokeloader | 3c931d38985be69682cb7b634d67dcb20c68218267660ceca6bcd62fd8f659ff

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00f4a48364a6b7dda4bf98e3847fd94c.exe
Size

201KB
MD5

00f4a48364a6b7dda4bf98e3847fd94c
SHA1

f5287134ebc11785912f8c44a3c709233a8f7fac
SHA256

3c931d38985be69682cb7b634d67dcb20c68218267660ceca6bcd62fd8f659ff
SHA512

096bc1e7537804322272136d5bfe4b7debf9ff76aad84eea5d45d819f38b19d0fd5e90259b4ea7a8e0493545a68495cfa0f867f53df7e078caf793c04d681237
SSDEEP

3072:hvYLtNOLLnWA+ponmAk86LqhDOyIkuCXwuXKU+Ogki3W6l3ccR5t:WLtIL1+pq6LWO0XwqA135l3ccRz

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/928-55-0x00000000002A0000-0x00000000002A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

00f4a48364a6b7dda4bf98e3847fd94c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	00f4a48364a6b7dda4bf98e3847fd94c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	00f4a48364a6b7dda4bf98e3847fd94c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	00f4a48364a6b7dda4bf98e3847fd94c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

00f4a48364a6b7dda4bf98e3847fd94c.exe

pid	process
928	00f4a48364a6b7dda4bf98e3847fd94c.exe
928	00f4a48364a6b7dda4bf98e3847fd94c.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1260
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

00f4a48364a6b7dda4bf98e3847fd94c.exe

pid process

928 00f4a48364a6b7dda4bf98e3847fd94c.exe

pid	process
1260

C:\Users\Admin\AppData\Local\Temp\00f4a48364a6b7dda4bf98e3847fd94c.exe
"C:\Users\Admin\AppData\Local\Temp\00f4a48364a6b7dda4bf98e3847fd94c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:928

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-55-0x00000000002A0000-0x00000000002A9000-memory.dmp

Filesize
36KB

Download
memory/928-57-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1260-56-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads