smokeloader | 46ba5aa1d550914c8560b37f340d3951b95f649d9c4d57c5a866089753430c01

Analysis

max time kernel
153s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-04-2023 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda.exe
Size

190KB
MD5

5f3f614bbd4a7fd2a465afe0510b3eb8
SHA1

1d2cbd617df35ee689cd17fdcfad82cea30b7bd2
SHA256

7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda
SHA512

819ca50b660d494205ed706de7b494ffc8956c68827fb831125f2233436112015bdf1d6e2fed946fc292c20d522b1d8a8885a3476406eb09d8042f618073944b
SSDEEP

3072:aBfbAMXlVJWbJlPfxlHkvHeBa27bqye/D8gpvw/EFq5mXNktzT:cA6VEzn3kPOaUp8Igpw/4mZT

Score

10^/10

smokeloader sprg backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda.exe
1708	7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda.exe
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1708	7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda.exe

C:\Users\Admin\AppData\Local\Temp\7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda.exe
"C:\Users\Admin\AppData\Local\Temp\7227806e030cc029ddcf455694f3d235d14eed0dbe0a5ab083c4728df2311dda.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-56-0x0000000002690000-0x00000000026A6000-memory.dmp

Filesize
88KB

Download
memory/1708-55-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1708-57-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download