smokeloader | 5619fc9f106cb00ca2a488f7219345fa042fcb925fd370a469263ce97d9ea301 | Triage

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 00:00

Sharing

Report Analysis Logs

General

Target

0x0009000000016592-111.exe
Size

37KB
MD5

8692ca9311f4f80ffe280831434efdf6
SHA1

52ec2c8171239b64462cc175093e2efcee15d20a
SHA256

5619fc9f106cb00ca2a488f7219345fa042fcb925fd370a469263ce97d9ea301
SHA512

64ebd22890cab3542239e64ad37b68ad6d83f6d76bcef685ae6f2f1f331537b88c98953cc01bb0bdc22f781cd8b732f77ef904267dee1af7183d4ac4dfdf5d96
SSDEEP

384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5012	0x0009000000016592-111.exe
5012	0x0009000000016592-111.exe
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found
3140	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3140	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5012	0x0009000000016592-111.exe

C:\Users\Admin\AppData\Local\Temp\0x0009000000016592-111.exe
"C:\Users\Admin\AppData\Local\Temp\0x0009000000016592-111.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3140-134-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/5012-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5012-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download