Resubmissions
27-03-2023 07:51
230327-jp31kscd46 1027-03-2023 07:48
230327-jm8s2sed6s 127-03-2023 07:35
230327-jeqmhacc77 10Analysis
-
max time kernel
29s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
27-03-2023 07:35
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
General
-
Target
file.exe
-
Size
269KB
-
MD5
26d85c2bdc983c43452401545f3c6007
-
SHA1
e18a2a223b91f426b5dab23b13970264d1da6ebc
-
SHA256
c8313943995590c444dac429919bc562c8f81c7d81c898fbb9bd7822dce889f4
-
SHA512
d652d2c4ab97507e0b61b37dc069b024a531b56e80f95a449d201ba6b0a1b6baecc33162be4f4a4571054295154c2c4c0a27f6831ac5dd37f0d27e3795fde3e5
-
SSDEEP
3072:Fm6fmyQA+BF8tlkC42EVOkAz+t/lB2SpYeEvyqbxDFoio56WmxeQZn78F:zQLK42EskAhS+7fyZmB
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
file.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
file.exepid process 1704 file.exe 1704 file.exe 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 1336 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 1336 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
file.exepid process 1704 file.exe