smokeloader | 92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742

General

Target

92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
Size

265KB
MD5

d4c7b1bf2fb6b19675194cb5c11e7a36
SHA1

36a817d059a1edf1473350d2a6b59768338b87b4
SHA256

92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742
SHA512

23d17b0ac0e7f5cc25b112ead1d889ff934e1f8cb836b697d5a013cd82b533a07b5b3d69310a8f5b217aa170a0f5a718eebe5ed4297cc85ad9e62e1f0ba273db
SSDEEP

3072:gOj+QRHyUUmJyuzoLKM7pnDW3OhElMGVdyMRrUmUqHX8N19vEOQ7mML5kfVqwCUD:vd5yUUuzoLDI+9GPydqstKyfc

Score

10^/10

smokeloader lab backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3196

pid	process
3196

Suspicious use of SetThreadContext 1 IoCs

Processes:

92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe

description	pid	process	target process
PID 8 set thread context of 3988	8	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe

pid	process
3988	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
3988	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3196
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe

pid process

3988 92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe

pid	process
3196

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe

description	pid	process	target process
PID 8 wrote to memory of 3988	8	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
PID 8 wrote to memory of 3988	8	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
PID 8 wrote to memory of 3988	8	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
PID 8 wrote to memory of 3988	8	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
PID 8 wrote to memory of 3988	8	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
PID 8 wrote to memory of 3988	8	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe	92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
"C:\Users\Admin\AppData\Local\Temp\92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe
"C:\Users\Admin\AppData\Local\Temp\92d3562dabe0104befc4737bd99053583027facf0a3f6ef59b1c25fe78973742.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-122-0x00000000007A0000-0x00000000007A9000-memory.dmp

Filesize
36KB

Download
memory/3196-161-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3196-124-0x0000000000DC0000-0x0000000000DD6000-memory.dmp

Filesize
88KB

Download
memory/3196-191-0x0000000001210000-0x000000000121E000-memory.dmp

Filesize
56KB

Download
memory/3196-190-0x0000000001210000-0x000000000121E000-memory.dmp

Filesize
56KB

Download
memory/3196-134-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/3196-136-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-139-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-141-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-142-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-143-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-160-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-147-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-163-0x0000000002FF0000-0x0000000002FFE000-memory.dmp

Filesize
56KB

Download
memory/3196-151-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-152-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-153-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-154-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-157-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-158-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-159-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-144-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-189-0x0000000001210000-0x000000000121E000-memory.dmp

Filesize
56KB

Download
memory/3196-150-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-162-0x0000000003000000-0x0000000003003000-memory.dmp

Filesize
12KB

Download
memory/3196-164-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/3196-165-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-168-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-169-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-170-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-171-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-172-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-175-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-178-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-179-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-180-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-181-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-182-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-185-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-186-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-187-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3196-188-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/3988-123-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3988-121-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3988-125-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads