smokeloader | 766374196d4e79bd565eba19f4fa3a822f7451ff57ba9b3d9e13e24276d5edd5

General

Target

setup.exe
Size

295KB
MD5

16a3c84422b5e8933e27cb6b873746ab
SHA1

80d718e83454d9fee5832a1ce50d136e0645c00f
SHA256

766374196d4e79bd565eba19f4fa3a822f7451ff57ba9b3d9e13e24276d5edd5
SHA512

e70efe05ec3777f122b89391c896197f8ce6584d125d67aba8db164d8cf827d9c1f32d53197168f44732535dc61cc8022d7deb36b5985538dcdf7e60baf5a7ba
SSDEEP

3072:+eQlnqA8VNF9giHti/YeIe6M39TCLUF61+PHwmxEylbxyxFWYTgWvQfC:dMQLgiMYe3M1+/wmxpxG+

Score

10^/10

smokeloader sprg backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 1 IoCs

Processes:

rribfiu

pid process

4192 rribfiu

pid	process
4192	rribfiu

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rribfiusetup.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rribfiu
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rribfiu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rribfiu

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exe

pid	process
3536	setup.exe
3536	setup.exe
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3160
Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

setup.exerribfiu

pid process

3536 setup.exe
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
3160
4192 rribfiu

pid	process
3160

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

description	pid	target process
PID 3160 wrote to memory of 3136	3160	explorer.exe
PID 3160 wrote to memory of 3136	3160	explorer.exe
PID 3160 wrote to memory of 3136	3160	explorer.exe
PID 3160 wrote to memory of 3136	3160	explorer.exe
PID 3160 wrote to memory of 4132	3160	explorer.exe
PID 3160 wrote to memory of 4132	3160	explorer.exe
PID 3160 wrote to memory of 4132	3160	explorer.exe
PID 3160 wrote to memory of 4236	3160	explorer.exe
PID 3160 wrote to memory of 4236	3160	explorer.exe
PID 3160 wrote to memory of 4236	3160	explorer.exe
PID 3160 wrote to memory of 4236	3160	explorer.exe
PID 3160 wrote to memory of 5000	3160	explorer.exe
PID 3160 wrote to memory of 5000	3160	explorer.exe
PID 3160 wrote to memory of 5000	3160	explorer.exe
PID 3160 wrote to memory of 3308	3160	explorer.exe
PID 3160 wrote to memory of 3308	3160	explorer.exe
PID 3160 wrote to memory of 3308	3160	explorer.exe
PID 3160 wrote to memory of 3308	3160	explorer.exe
PID 3160 wrote to memory of 2908	3160	explorer.exe
PID 3160 wrote to memory of 2908	3160	explorer.exe
PID 3160 wrote to memory of 2908	3160	explorer.exe
PID 3160 wrote to memory of 2908	3160	explorer.exe
PID 3160 wrote to memory of 3172	3160	explorer.exe
PID 3160 wrote to memory of 3172	3160	explorer.exe
PID 3160 wrote to memory of 3172	3160	explorer.exe
PID 3160 wrote to memory of 3172	3160	explorer.exe
PID 3160 wrote to memory of 4472	3160	explorer.exe
PID 3160 wrote to memory of 4472	3160	explorer.exe
PID 3160 wrote to memory of 4472	3160	explorer.exe
PID 3160 wrote to memory of 2844	3160	explorer.exe
PID 3160 wrote to memory of 2844	3160	explorer.exe
PID 3160 wrote to memory of 2844	3160	explorer.exe
PID 3160 wrote to memory of 2844	3160	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3536

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3136

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4132

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4236

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3172

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4472

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2844

C:\Users\Admin\AppData\Roaming\rribfiu
C:\Users\Admin\AppData\Roaming\rribfiu
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rribfiu
Filesize
295KB

MD5
16a3c84422b5e8933e27cb6b873746ab

SHA1
80d718e83454d9fee5832a1ce50d136e0645c00f

SHA256
766374196d4e79bd565eba19f4fa3a822f7451ff57ba9b3d9e13e24276d5edd5

SHA512
e70efe05ec3777f122b89391c896197f8ce6584d125d67aba8db164d8cf827d9c1f32d53197168f44732535dc61cc8022d7deb36b5985538dcdf7e60baf5a7ba

Download Submit
C:\Users\Admin\AppData\Roaming\rribfiu
Filesize
295KB

MD5
16a3c84422b5e8933e27cb6b873746ab

SHA1
80d718e83454d9fee5832a1ce50d136e0645c00f

SHA256
766374196d4e79bd565eba19f4fa3a822f7451ff57ba9b3d9e13e24276d5edd5

SHA512
e70efe05ec3777f122b89391c896197f8ce6584d125d67aba8db164d8cf827d9c1f32d53197168f44732535dc61cc8022d7deb36b5985538dcdf7e60baf5a7ba

Download Submit
memory/2844-170-0x0000000000350000-0x000000000035B000-memory.dmp

Filesize
44KB

Download
memory/2844-177-0x0000000000620000-0x000000000062D000-memory.dmp

Filesize
52KB

Download
memory/2844-171-0x0000000000350000-0x000000000035B000-memory.dmp

Filesize
44KB

Download
memory/2908-161-0x0000000001450000-0x0000000001459000-memory.dmp

Filesize
36KB

Download
memory/2908-162-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2908-174-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2908-163-0x0000000001450000-0x0000000001459000-memory.dmp

Filesize
36KB

Download
memory/3136-148-0x0000000000BA0000-0x0000000000BAB000-memory.dmp

Filesize
44KB

Download
memory/3136-147-0x0000000002C50000-0x0000000002C59000-memory.dmp

Filesize
36KB

Download
memory/3136-146-0x0000000000BA0000-0x0000000000BAB000-memory.dmp

Filesize
44KB

Download
memory/3160-181-0x0000000002D20000-0x0000000002D36000-memory.dmp

Filesize
88KB

Download
memory/3160-135-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

Filesize
88KB

Download
memory/3172-164-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/3172-166-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/3172-175-0x0000000001450000-0x0000000001459000-memory.dmp

Filesize
36KB

Download
memory/3172-165-0x0000000001450000-0x0000000001459000-memory.dmp

Filesize
36KB

Download
memory/3308-159-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/3308-160-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/3308-158-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/3536-134-0x0000000002C50000-0x0000000002C59000-memory.dmp

Filesize
36KB

Download
memory/3536-136-0x0000000000400000-0x0000000002B77000-memory.dmp

Filesize
39.5MB

Download
memory/4132-151-0x00000000003D0000-0x00000000003DF000-memory.dmp

Filesize
60KB

Download
memory/4132-149-0x00000000003D0000-0x00000000003DF000-memory.dmp

Filesize
60KB

Download
memory/4132-172-0x0000000000BA0000-0x0000000000BAB000-memory.dmp

Filesize
44KB

Download
memory/4132-150-0x0000000000BA0000-0x0000000000BAB000-memory.dmp

Filesize
44KB

Download
memory/4192-184-0x0000000000400000-0x0000000002B77000-memory.dmp

Filesize
39.5MB

Download
memory/4236-173-0x00000000003D0000-0x00000000003DF000-memory.dmp

Filesize
60KB

Download
memory/4236-154-0x00000000011D0000-0x00000000011D9000-memory.dmp

Filesize
36KB

Download
memory/4236-153-0x00000000003D0000-0x00000000003DF000-memory.dmp

Filesize
60KB

Download
memory/4236-152-0x00000000011D0000-0x00000000011D9000-memory.dmp

Filesize
36KB

Download
memory/4472-169-0x0000000000620000-0x000000000062D000-memory.dmp

Filesize
52KB

Download
memory/4472-168-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/4472-167-0x0000000000620000-0x000000000062D000-memory.dmp

Filesize
52KB

Download
memory/4472-176-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/5000-157-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/5000-156-0x00000000011D0000-0x00000000011D9000-memory.dmp

Filesize
36KB

Download
memory/5000-155-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads