Analysis
max time kernel: 150s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01-04-2023 01:51
Static task: static1
Behavioral task: behavioral1
  Sample: setup.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: setup.exe
  Resource: win10v2004-20230220-en
General
Target: setup.exe
Size: 217KB
MD5: 55b5bfa46867a8404dba37ff7fb9cc6a
SHA1: 95c2d28a448e1e4fd7f2cc67bc115fe448b315cd
SHA256: beae9cf0b76c707b8752d12fe281b22e5e07d107ec08307c75e02d9df45d5aed
SHA512: fe715473353104ddfca933bad1c4f7b90019e99431564cfb6570259bcf47fb95efa29d221dd2da461783edd79848e417a746c480bd7ccedf69264fc155ebca0c
SSDEEP: 3072:ysyO8m9XLNk3mSO973WlBRade2PpvVZHHtDLEIJBD5MTNV:Bkmhq2SE7oTKe0/ntDL+TNV
Malware Config
Extracted family: smokeloader
Version: 2022
C2 URLs:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  The device instance IDs stored under Enum\SCSI embed the disk vendor and product strings, so reading this key exposes hypervisor-branded virtual disks; malware commonly reads it to detect VMs and sandboxes.
  Processes: setup.exe
  description     ioc                                                process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   setup.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   setup.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   setup.exe
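As an added example (not part of the sandbox report and not code from the SmokeLoader sample), the following Python script turns the flattened registry IoC rows above into the HKLM form used by Sysmon and most detection rules, folds ControlSet001 into CurrentControlSet, and flags any process that performs the full open, query and enumerate sequence on the SCSI enumeration key. The input is constructed from the three rows in the report plus one constructed contrast row; the process name other.exe in that row is an assumption, as is the choice to require all three actions before alerting.

```python
import re
from collections import defaultdict

# Constructed sample input: the three registry IoC rows the report lists for
# setup.exe, plus one constructed row for a hypothetical process (other.exe)
# that only opens the key, to show that a lone open does not trigger the rule.
SAMPLE_IOCS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI other.exe
"""

# One row of the report's "description ioc process" table: action, NT key path, image name.
IOC_RE = re.compile(r"^Key (opened|queried|enumerated) (\\REGISTRY\\\S+) (\S+)$")

# The device instance IDs under Enum\SCSI embed the disk vendor/product
# strings, so open + query + enumerate on this key reads the disk inventory.
# Requiring all three actions (an assumption for this example) keeps a single
# incidental open from alerting.
EVASION_KEY_SUFFIX = r"\SYSTEM\CURRENTCONTROLSET\ENUM\SCSI"
EVASION_ACTIONS = {"opened", "queried", "enumerated"}


def to_hive_path(nt_path: str) -> str:
    """Rewrite a kernel-object registry path into the HKLM/HKU form used by
    Sysmon, EDR telemetry and most rules, and fold the concrete ControlSet00N
    into CurrentControlSet (a link to whichever set is active)."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", nt_path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path, flags=re.I)
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path, flags=re.I)


def parse_iocs(text: str):
    """Return a list of (action, hive_path, process) tuples, one per IoC row."""
    events = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            action, key, proc = m.groups()
            events.append((action, to_hive_path(key), proc))
    return events


def find_scsi_sandbox_checks(events):
    """Return sorted (process, key) pairs where a single process performed the
    full open + query + enumerate sequence on the SCSI enumeration key."""
    seen = defaultdict(set)
    for action, key, proc in events:
        if key.upper().endswith(EVASION_KEY_SUFFIX):
            seen[(proc, key)].add(action)
    return sorted(pk for pk, actions in seen.items() if EVASION_ACTIONS <= actions)


if __name__ == "__main__":
    for proc, key in find_scsi_sandbox_checks(parse_iocs(SAMPLE_IOCS)):
        print(f"{proc}: open/query/enumerate of {key} (possible VM/sandbox check)")
```

Normalising ControlSet001 to CurrentControlSet matters in practice: a sandbox records the concrete set it booted from, while a rule written against production hosts usually references the link, and a literal match on the report's path would miss the same behaviour elsewhere.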
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: setup.exe
  pid   process
  1436  setup.exe (2 IoCs)
  1184  (no image name recorded in the report; remaining 62 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1184  (no image name recorded in the report)
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: setup.exe
  pid   process
  1436  setup.exe