smokeloader | 7807d85de3cc134c4d720d5fe7b0567225e9510fb16a4445ee952c5289555d6f

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/05/2023, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1.exe
Size

228KB
MD5

840763934fa8648e52aec60fed4bbaa2
SHA1

4754147ea6935235c6a81f482ce320b45d298363
SHA256

132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1
SHA512

4d5b99164120f6032dc9777a0f62bd65c39f5777cbfea0cf4ba6d5ac5f587ad4d951bb5f56a9ed62933425a05d8e31dce6bc37beca9f432cf42eb1f7a6ae6b12
SSDEEP

3072:KRLFPURJHFn63fZX6jVdnSndAAkdhO854sRqUIJUyHIRVNAQom:KLOHFafZKjjeUKsW6y4VNAG

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1468	132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1.exe
1468	132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1.exe
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found
1368	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1368	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1468	132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1.exe

C:\Users\Admin\AppData\Local\Temp\132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1.exe
"C:\Users\Admin\AppData\Local\Temp\132701d306cd716a064bc49cc958cd5880832e94148e13152d9e44de7184f8d1.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1368-56-0x0000000002690000-0x00000000026A6000-memory.dmp

Filesize
88KB

Download
memory/1468-55-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1468-57-0x0000000000400000-0x00000000006B6000-memory.dmp

Filesize
2.7MB

Download