smokeloader | fc5c1ed9df3db079ed9b1714c11b5fd8edd6f69498fe6150303ae160884d3c04

Analysis

max time kernel
150s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 11:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.TrojanX-gen.29884.exe
Size

232KB
MD5

420db3b8a1b7f3f56683e5d72e9adda2
SHA1

e4e104ff61f7fee2e0a64a9b243b6e39f416f9d2
SHA256

fc5c1ed9df3db079ed9b1714c11b5fd8edd6f69498fe6150303ae160884d3c04
SHA512

2459c248fd86a48722f35f4a7e2eb4ca538d83491f5968d07f80d6d1323fdd53873e9d90a12d0664db6c1da6680f1565fad343a43008777bd29e4c16f6802dc9
SSDEEP

3072:1ZmnKwVesrS0H1bCtntcqZWbJxlUsHgwn+xAsBfFHs4+Ii/D:6KVsrS0VbK1Zcvg0Y59FHs

Score

10^/10

smokeloader summ backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.Win32.TrojanX-gen.29884.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.Win32.TrojanX-gen.29884.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.Win32.TrojanX-gen.29884.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	SecuriteInfo.com.Win32.TrojanX-gen.29884.exe
1572	SecuriteInfo.com.Win32.TrojanX-gen.29884.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1572	SecuriteInfo.com.Win32.TrojanX-gen.29884.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29884.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29884.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-56-0x0000000002640000-0x0000000002656000-memory.dmp

Filesize
88KB

Download
memory/1572-55-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1572-57-0x0000000000400000-0x0000000001B41000-memory.dmp

Filesize
23.3MB

Download