Analysis
  max time kernel: 150s
  max time network: 30s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted: 08-06-2023 02:53
Static task: static1
Behavioral task: behavioral1
  Sample: f49aa3f4cc246fdf8d11363caecc1591.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: f49aa3f4cc246fdf8d11363caecc1591.exe
  Resource: win10v2004-20230220-en
General
  Target: f49aa3f4cc246fdf8d11363caecc1591.exe
  Size: 245KB
  MD5: f49aa3f4cc246fdf8d11363caecc1591
  SHA1: 685e1e0cc4ad59ea582844d2f8746900dc5c0dbd
  SHA256: ea641f05f32a47d5d71bc779780448676cf471793214aafba66bcc9da0a141a2
  SHA512: c62fa20bbfd70236653fa3d570b2a447cdca4cca9b3b6ca83a3171fb237210cad8ff1a998ecdd47eb579e903b2f8528969d5fac8695d768c44b8a22c31813260
  SSDEEP: 3072:94rr40JAoRl8vgvNJeEVji7lyRsSBKBD52D3a4p1:Is0JHeQNJe4i7IRsSMuD3
Malware Config
  Extracted: smokeloader 2022
Signatures
  SmokeLoader
    Modular backdoor trojan in use since 2014.
  Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
    Processes: f49aa3f4cc246fdf8d11363caecc1591.exe
    description     ioc                                               process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  f49aa3f4cc246fdf8d11363caecc1591.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  f49aa3f4cc246fdf8d11363caecc1591.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  f49aa3f4cc246fdf8d11363caecc1591.exe
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    Processes: f49aa3f4cc246fdf8d11363caecc1591.exe
    pid   process
    1200  f49aa3f4cc246fdf8d11363caecc1591.exe (2 IoCs)
    1208  (process name not recorded in the report; remaining IoCs)
  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid   process
    1208  (process name not recorded in the report)
  Suspicious behavior: MapViewOfSection (1 IoC)
    Processes: f49aa3f4cc246fdf8d11363caecc1591.exe
    pid   process
    1200  f49aa3f4cc246fdf8d11363caecc1591.exe