Analysis
- max time kernel: 150s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 10-03-2023 03:54
Static task: static1
Behavioral task: behavioral1
- Sample: smokeloader/9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: smokeloader/9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe
- Resource: win10v2004-20230220-en
Behavioral task: behavioral3
- Sample: smokeloader/a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
- Resource: win7-20230220-en
Behavioral task: behavioral4
- Sample: smokeloader/a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
- Resource: win10v2004-20230220-en
Behavioral task: behavioral5
- Sample: smokeloader/cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
- Resource: win7-20230220-en
Behavioral task: behavioral6
- Sample: smokeloader/cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
- Resource: win10v2004-20230221-en
General
- Target: smokeloader/9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe
- Size: 243KB
- MD5: 15ec74f8e94f99a442a7ccc8f0b41f5f
- SHA1: f988f2599784949d4155cf8d701cd8346f31cdcf
- SHA256: 9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d
- SHA512: 489324532a2dca2bbaef5d8431b204679da19283b887c1e813c44761a3c43fb603286b90ad3f4d7ea0379bb0f35fc341ec9e7f8edb6a88653e25bbd57fc06dbd
- SSDEEP: 3072:IWMqMlmjLAFDQRCf32/DGqpamtKjdWbMBtF9hEKq3Slwlhio:xMSLlRCfq3amoYbMzuKqilwO
Malware Config
- Extracted: smokeloader (2023)
- Extracted: smokeloader (2022), with the following C2 URLs:
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: 9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 2016, 9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe (2 entries)
  - pid 1356, process name not recorded (all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - pid 1356, process name not recorded
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  - pid 2016, 9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\smokeloader\9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection