Analysis
Max time kernel: 149s
Max time network: 34s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 04-04-2023 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: 15cfaa0e409bbbf1279dec450a097fea.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 15cfaa0e409bbbf1279dec450a097fea.exe
  Resource: win10v2004-20230220-en
General
Target: 15cfaa0e409bbbf1279dec450a097fea.exe
Size: 324KB
MD5: 15cfaa0e409bbbf1279dec450a097fea
SHA1: 7bb6b645b85e5dca9e0af75be7b63680c15cde28
SHA256: 0698e0d167d9aa2fcd3be93b2e20af081f742bd84bb1a18d4538d2a1d2729527
SHA512: b3f6a3724974716fb24a772aad1f0fd8b34bcb0e2f15fdca58c7f3b421301b923f92ab4f8bc411810e8133d2b40815df1501e6e16e5b445ba06876b0e5cd00fd
SSDEEP: 3072:6gWdG8lNfHNkGeJQzC2HWWxZDNQw6AR4oP4YrBsvaYQDBfBEPS:fcGsNf6zWPDVdyoVrBsvaY+C
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2 URLs:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
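The thirteen C2 URLs above are the directly actionable part of this report. The following Python is an added example, not part of the sandbox report or of the SmokeLoader sample: it reduces the URLs to hostnames, scans DNS query logs for those hosts (and their subdomains), and emits one Suricata rule per host. The DNS log lines are constructed for the example, and the SID range 9000001+ is an assumed local range.

```python
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the SmokeLoader config in this report.
C2_URLS = [
    "http://potunulit.org/",
    "http://hutnilior.net/",
    "http://bulimu55t.net/",
    "http://soryytlic4.net/",
    "http://novanosa5org.org/",
    "http://nuljjjnuli.org/",
    "http://tolilolihul.net/",
    "http://somatoka51hub.net/",
    "http://hujukui3.net/",
    "http://bukubuka1.net/",
    "http://golilopaster.org/",
    "http://newzelannd66.org/",
    "http://otriluyttn.org/",
]


def extract_hosts(urls):
    """Return the set of lowercase hostnames found in a list of C2 URLs."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


# Constructed sample DNS query log (not from the report), one query per line
# in a "timestamp client qname" layout. Mixed case and a trailing dot are
# included on purpose, since real resolvers log both.
SAMPLE_DNS_LOG = """\
2023-04-04T05:49:01Z 10.0.0.15 www.microsoft.com
2023-04-04T05:49:03Z 10.0.0.15 potunulit.org
2023-04-04T05:49:03Z 10.0.0.15 HUTNILIOR.NET.
2023-04-04T05:49:09Z 10.0.0.22 update.example.com
2023-04-04T05:49:12Z 10.0.0.15 cdn.bukubuka1.net
"""


def scan_dns_log(log_text, hosts):
    """Return (timestamp, client, qname) for every query that names a C2 host
    or a subdomain of one. Matching is case-insensitive and ignores the
    trailing root dot."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the scan
        ts, client, qname = parts
        q = qname.lower().rstrip(".")
        if any(q == h or q.endswith("." + h) for h in hosts):
            hits.append((ts, client, q))
    return hits


def suricata_dns_rules(hosts, sid_base=9000001):
    """Emit one Suricata DNS rule per C2 host using the dns.query buffer.
    sid_base is an assumed local SID range; pick one that does not collide
    with your existing ruleset."""
    rules = []
    for i, host in enumerate(sorted(hosts)):
        rules.append(
            'alert dns any any -> any any (msg:"SmokeLoader C2 DNS query %s"; '
            'dns.query; content:"%s"; nocase; endswith; sid:%d; rev:1;)'
            % (host, host, sid_base + i)
        )
    return rules


if __name__ == "__main__":
    c2_hosts = extract_hosts(C2_URLS)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, c2_hosts):
        print("C2 lookup:", *hit)
    print("\n".join(suricata_dns_rules(c2_hosts)))
```

Matching on the hostname suffix rather than the exact string catches the common case where the loader, or a later payload, contacts a subdomain of a configured C2 domain; it will not catch domains that are resolved over DoH or by an IP the sample already knows, so pair the DNS rules with the HTTP URLs from the report in your proxy or NetFlow checks.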
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
The SCSI enumeration key lists each attached storage device's vendor and product strings. On a virtual machine those strings usually carry the hypervisor's name (for example VBOX, VMware or QEMU), so malware reads this key to detect a sandbox before it unpacks or contacts its C2.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (15cfaa0e409bbbf1279dec450a097fea.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (15cfaa0e409bbbf1279dec450a097fea.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (15cfaa0e409bbbf1279dec450a097fea.exe)
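To see what the sample is looking for under that key, the following Python is an added example (not the sample's code and not part of the report). It reproduces the open/query/enumerate sequence on a Windows host with the standard winreg module, and classifies the resulting subkey names against common hypervisor vendor strings. The sample subkey names and the marker list are constructed for the example; a sandbox operator can run it inside an image to confirm whether the same check would flag it.

```python
import sys

# Substrings that commonly appear in the SCSI device IDs of virtual disks
# (assumed list of hypervisor vendor/product markers; extend it for your own
# images). "xen" and "virtual" are broad on purpose and may need tuning.
VM_MARKERS = ("vbox", "vmware", "qemu", "virtio", "xen", "virtual")

# Constructed sample subkeys in the shape Windows uses under
# HKLM\SYSTEM\ControlSet001\Enum\SCSI (not taken from the report).
SAMPLE_ENTRIES = [
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "CdRom&Ven_VBOX&Prod_CD-ROM",
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
]


def vm_markers_in(entries, markers=VM_MARKERS):
    """Return the entries whose vendor/product string carries a hypervisor marker."""
    return [e for e in entries if any(m in e.lower() for m in markers)]


def looks_like_vm(entries, markers=VM_MARKERS):
    """True when at least one SCSI device advertises a hypervisor."""
    return bool(vm_markers_in(entries, markers))


def enumerate_scsi_devices(control_set="ControlSet001"):
    """Open, query and enumerate the SCSI enum key, the same three registry
    operations the report attributes to the sample. Windows only."""
    if sys.platform != "win32":
        raise OSError("the Windows registry is only available on Windows")
    import winreg  # imported here so the classifier above runs anywhere

    path = r"SYSTEM\%s\Enum\SCSI" % control_set
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:  # RegOpenKey
        subkey_count = winreg.QueryInfoKey(key)[0]               # RegQueryInfoKey
        for i in range(subkey_count):
            entries.append(winreg.EnumKey(key, i))               # RegEnumKey
    return entries


if __name__ == "__main__":
    try:
        entries = enumerate_scsi_devices()
        source = "live registry"
    except OSError:
        entries = SAMPLE_ENTRIES
        source = "constructed sample"
    print("source:", source)
    for e in vm_markers_in(entries):
        print("hypervisor marker:", e)
    print("looks like a VM:", looks_like_vm(entries))
```

If the script flags your analysis image, the fix is on the hypervisor side (for example changing the emulated disk vendor/product strings or patching the key in the image), since the malware reads exactly what the enumeration key exposes.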
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 1348, 15cfaa0e409bbbf1279dec450a097fea.exe (2 entries)
  pid 1220, process name not recorded in the report (remaining entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 1220, process name not recorded in the report
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid 1348, 15cfaa0e409bbbf1279dec450a097fea.exe