Analysis
-
max time kernel
151s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
24-03-2023 01:00
Static task
static1
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
setup.exe
Resource
win10v2004-20230220-en
General
-
Target
setup.exe
-
Size
249KB
-
MD5
fae86954741e60a3e85ba7d7884c8478
-
SHA1
5b5dae13db12d4acdc5d78782938588b6173256f
-
SHA256
b59a26cf9a84386e31f54cd6b18e44fba40b4716d9acf9c9ed6a85860105dbb2
-
SHA512
f8eef60c2bbe47bbec1ba0cd85fe49a058f5e498daf2a22b7af8221962553ff565a8fc5ec3ebea85706ee522705ae690f754b14f26bf82e4b7da52724d55f003
-
SSDEEP
3072:AnH+6IjwpCVuLkTOeYDNI5WXSnHsz0dsJlE2WKXK5KTrNUTZsl5hWpz7bIyNCG:g+XVuLQ/YDiQXWM73G0Wh7b
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
setup.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
setup.exepid process 1476 setup.exe 1476 setup.exe 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 1344 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 1344 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
setup.exepid process 1476 setup.exe