smokeloader | aca2368fa225fda4ea1d223ac914bf42ee81884dbe97536b832fb3706ca6ac1f

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-04-2023 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

affb629af9de8ff0c78c3feaf7b81108.exe
Size

270KB
MD5

affb629af9de8ff0c78c3feaf7b81108
SHA1

a84cabf3aa2b6542e57a101f94f8ea0ea548a91b
SHA256

aca2368fa225fda4ea1d223ac914bf42ee81884dbe97536b832fb3706ca6ac1f
SHA512

f690f355b7e1e50ab82502009b98d054d5938fc9ff06918cf868ae3f10308a89b101b987655f9ed83dace43dd790d93d4792ac3a0fbac61614822c07d6f9b0a8
SSDEEP

3072:8cgSq3amsUo24elcTlq1Scfubj8X6MlC5MX6Gw+TDqYI:XqK5J2ONf8XVlC5MT

Score

10^/10

smokeloader sprg backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

affb629af9de8ff0c78c3feaf7b81108.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	affb629af9de8ff0c78c3feaf7b81108.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	affb629af9de8ff0c78c3feaf7b81108.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	affb629af9de8ff0c78c3feaf7b81108.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

affb629af9de8ff0c78c3feaf7b81108.exe

pid	process
1060	affb629af9de8ff0c78c3feaf7b81108.exe
1060	affb629af9de8ff0c78c3feaf7b81108.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1264
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

affb629af9de8ff0c78c3feaf7b81108.exe

pid process

1060 affb629af9de8ff0c78c3feaf7b81108.exe

pid	process
1264

C:\Users\Admin\AppData\Local\Temp\affb629af9de8ff0c78c3feaf7b81108.exe
"C:\Users\Admin\AppData\Local\Temp\affb629af9de8ff0c78c3feaf7b81108.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-55-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1060-57-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1264-56-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download