Analysis
max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted
28-03-2023 01:11
Static task
static1
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
setup.exe
Resource
win10v2004-20230221-en
General
Target
setup.exe
Size
266KB
MD5
043232c36cc78a5f34a62b23f316e3df
SHA1
60e819b431d4bc313e72ee8d9625ef2bd32ae65c
SHA256
3bbed62dd67c2832fa6775098aad23a8cae45b4ff6d9e838bd74957ebaab4e9d
SHA512
3adebc308cb46df558c8328e91dc5f37191bba00a17913c3f3f0419ba3d9067ae5261dab3569370d6d906105f98e07fc8141b3c4f56c725336c5e966f7cf2cfd
SSDEEP
6144:FN5yqeMJL1Uyzh1huy5JvsD0kmeCKtFI9k2k+:9yMJRUyl1rED02tFIVk+
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: setup.exe
  description      ioc                                               process
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  setup.exe
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  setup.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  setup.exe
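The open/query/enumerate sequence on Enum\SCSI above is the classic disk-vendor check: the subkey names under that key encode the vendor and product strings of every SCSI device, so a hypervisor guest gives itself away through names like "Disk&Ven_VBOX&Prod_HARDDISK". The following Python is an added example (not part of the sandbox report or the sample) showing both sides of the check: the heuristic a loader applies to those subkeys, and a small matcher that flags the same registry access in a behavioural log of the shape used in this report. The subkey names, log lines and the list of VM marker strings are constructed assumptions for the example, not data taken from the page.

```python
r"""
Two sides of the Enum\SCSI sandbox check.

  1. What the sample looks for: subkeys of
     HKLM\SYSTEM\ControlSet001\Enum\SCSI carry the disk vendor/product
     strings, which reveal a hypervisor (VBOX, VMware, QEMU, ...).
  2. How a defender flags it: match open/query/enumerate events on
     that key in a behavioural log.

All sample data below is constructed for this example.
"""
import platform
import re

SCSI_ENUM_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"

# Assumption: representative vendor/product fragments seen in Enum\SCSI
# device IDs on common hypervisors. Not an exhaustive list.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual", "msft")

# Constructed subkey names, as a process would see them when enumerating
# Enum\SCSI on a VirtualBox guest versus a physical host.
SCSI_SUBKEYS_VBOX = ["Disk&Ven_VBOX&Prod_HARDDISK", "CdRom&Ven_VBOX&Prod_CD-ROM"]
SCSI_SUBKEYS_PHYSICAL = ["Disk&Ven_Samsung&Prod_SSD_870_EVO"]


def vm_markers_in(subkeys):
    """Return the sorted list of VM marker strings found in the subkey names."""
    found = set()
    for key in subkeys:
        lowered = key.lower()
        for marker in VM_MARKERS:
            if marker in lowered:
                found.add(marker)
    return sorted(found)


def looks_like_vm(subkeys):
    """The loader's decision: any marker present means 'probably a sandbox'."""
    return bool(vm_markers_in(subkeys))


def read_local_scsi_subkeys():
    """On Windows, perform the same open -> query -> enumerate sequence the
    report records; on other platforms return None so the rest still runs."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only standard-library module
    path = r"SYSTEM\ControlSet001\Enum\SCSI"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(subkey_count)]


# --- detection side --------------------------------------------------------

# Constructed log lines in the "<action> <key> <process>" shape of the
# report's IoC table, plus one unrelated event that must not match.
SAMPLE_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup.exe",
    r"Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup.exe",
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run setup.exe",
]

EVENT_RE = re.compile(r"^Key (opened|queried|enumerated) (\S+) (\S+)$")


def scsi_enum_hits(events):
    """Return (action, process) for every event that touches Enum\SCSI or
    one of its subkeys. Registry paths are case-insensitive, so compare
    lower-cased and use a prefix match to catch per-device subkeys too."""
    hits = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue
        action, key, proc = m.groups()
        if key.lower().startswith(SCSI_ENUM_KEY.lower()):
            hits.append((action, proc))
    return hits


if __name__ == "__main__":
    print("vbox guest :", vm_markers_in(SCSI_SUBKEYS_VBOX))
    print("physical   :", vm_markers_in(SCSI_SUBKEYS_PHYSICAL))
    print("log hits   :", scsi_enum_hits(SAMPLE_EVENTS))
    local = read_local_scsi_subkeys()
    if local is not None:
        print("this host  :", vm_markers_in(local))
```

Three events on one key from a single freshly started process, as in the table above, is the pattern worth alerting on; a single open by a driver installer or inventory agent is normal and the prefix match will also pick up reads of the per-device subkeys beneath Enum\SCSI, which is where the vendor strings actually live.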
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: setup.exe
  pid   process
  2028  setup.exe
  2028  setup.exe
  1244  (remaining events, process name not shown in the report)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1244  (process name not shown in the report)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: setup.exe
  pid   process
  2028  setup.exe