smokeloader | 2ce6a414cb55e0cf03f4321a9ddde819fe56f15464978ef111629ec2b3eb66b5

Analysis

max time kernel
151s
max time network
30s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
03/07/2023, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3.exe
Size

232KB
MD5

9a87ffc0fea826644bee36badc647d64
SHA1

00a8d9902187130023644a8448ae42ab1b8bc6aa
SHA256

296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3
SHA512

5c08395dbe90046d5b1262cc18f8be68c241e1730c682bde41424f67d6a9f3200a6510970f4f68961fe2d6f632502da16d76d041d755b6019d50d0251f041dad
SSDEEP

3072:JvJhSPoHrHCT3qzejmOAIepRZCqmQiS5BB3USQzahPTVr:hjpHOqEm+ep/PmsBEvgPTV

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3.exe
1572	296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3.exe
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1188	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1572	296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3.exe

C:\Users\Admin\AppData\Local\Temp\296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3.exe
"C:\Users\Admin\AppData\Local\Temp\296a092fbaa6088746c0a3cc0c48bacf560c9d2fc0aa4fe77ff60cf26f9eb0b3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-56-0x0000000002740000-0x0000000002756000-memory.dmp

Filesize
88KB

Download
memory/1572-55-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1572-57-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1572-60-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download