smokeloader | 09b3105e7f112440192edf2f69ede65fabb1e6e364a96fdfa1e0a8ef8d1ed88a

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-04-2023 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cbb2dd6b37708bf705d488bc30d5de7.exe
Size

350KB
MD5

3cbb2dd6b37708bf705d488bc30d5de7
SHA1

5035de4c83444f3517421ef71ee3e5fbc05392f2
SHA256

09b3105e7f112440192edf2f69ede65fabb1e6e364a96fdfa1e0a8ef8d1ed88a
SHA512

3a3b9b8b08bc75c5bb7b5fa3fb66ece066d7100b4d00f78b23e57723c71b24f8953ca4f0d66325ba1b304bea3f112208be337a30a6b4776093ff1ae86444963b
SSDEEP

3072:au9GUtRS2/7y7+ZuczfqmNRBECcDl2KXoHO1AeYYOnltu7ezl6WfW226xC8MeKbs:a6G278+ZuCfBtWCeuiOlWxvdTi

Score

10^/10

smokeloader sprg backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cbb2dd6b37708bf705d488bc30d5de7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cbb2dd6b37708bf705d488bc30d5de7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cbb2dd6b37708bf705d488bc30d5de7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1560	3cbb2dd6b37708bf705d488bc30d5de7.exe
1560	3cbb2dd6b37708bf705d488bc30d5de7.exe
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1356	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1560	3cbb2dd6b37708bf705d488bc30d5de7.exe

C:\Users\Admin\AppData\Local\Temp\3cbb2dd6b37708bf705d488bc30d5de7.exe
"C:\Users\Admin\AppData\Local\Temp\3cbb2dd6b37708bf705d488bc30d5de7.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-56-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/1560-55-0x00000000003A0000-0x00000000003A9000-memory.dmp

Filesize
36KB

Download
memory/1560-57-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download