Analysis

- max time kernel: 150s
- max time network: 28s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 10-03-2023 03:54
Static task: static1

Behavioral tasks:

- behavioral1: sample smokeloader/9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe, resource win7-20230220-en
- behavioral2: sample smokeloader/9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe, resource win10v2004-20230220-en
- behavioral3: sample smokeloader/a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe, resource win7-20230220-en
- behavioral4: sample smokeloader/a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe, resource win10v2004-20230220-en
- behavioral5: sample smokeloader/cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe, resource win7-20230220-en
- behavioral6: sample smokeloader/cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe, resource win10v2004-20230221-en
General

- Target: smokeloader/cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
- Size: 216KB
- MD5: 7e9e7194490b4508e85827a6eddbbf50
- SHA1: 8c39812d7ff46b9d3a8d24e8637df8c173ca27aa
- SHA256: cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0
- SHA512: 2e6da9d8fb9c26b3ed5bb5a528e40a595ed7942372b7a986e1f842faaee54cbcb7017561756ae5abeff337d33cb0ca8940860bab401d6bff47d7afadcb837585
- SSDEEP: 3072:XqstoULxtY+fpzP9991sxpR8zRVg1miGKRJBwptUhJV6/SaR5:zPLJf5DsSzXg1dJB+tUhJVg/
Malware Config

Extracted (smokeloader): pub1

Extracted (smokeloader): 2022
- http://perficut.at/tmp/
- http://rutobacco.ru/tmp/
- http://aingular.com/tmp/
- http://piratia-life.ru/tmp/
Signatures

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - PID 1556, cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe (listed twice)
  - PID 1212, process name not recorded (listed repeatedly for the remaining IoCs)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 1212, process name not recorded

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  - PID 1556, cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\smokeloader\cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\smokeloader\cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection