smokeloader | 7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef

Analysis

max time kernel
150s
max time network
103s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21-08-2023 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe
Size

248KB
MD5

5cc4c10eededb8e1cf10f93748c1bbc1
SHA1

795fd81d693cdf57c84c65623036e738a0bdd5b0
SHA256

7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef
SHA512

7eb1ada63299f6514f80c31f221846c8d868d463c7b38575f3c1866a6e4d32df6596f4ec71e8f4f0c8c4249dd784b9daf0a0d0f172447eac7e8632f5d4de4c5b
SSDEEP

3072:xikZKLuW7P37DPheg1492ipmpS1vMcRh+tf5XEr9:5ZKL7P37DheAEp4S1EcRelEr

Score

10^/10

smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

pid	Process
3296	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
4244	ttgbwrd
1956	ttgbwrd

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4960 set thread context of 5108	4960	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe	69
PID 4244 set thread context of 1956	4244	ttgbwrd	71

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5108	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe
5108	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found
3296	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3296	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5108	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe
1956	ttgbwrd

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3296	Process not Found
Token: SeCreatePagefilePrivilege	3296	Process not Found
Token: SeShutdownPrivilege	3296	Process not Found
Token: SeCreatePagefilePrivilege	3296	Process not Found
Token: SeShutdownPrivilege	3296	Process not Found
Token: SeCreatePagefilePrivilege	3296	Process not Found
Token: SeShutdownPrivilege	3296	Process not Found
Token: SeCreatePagefilePrivilege	3296	Process not Found
Token: SeShutdownPrivilege	3296	Process not Found
Token: SeCreatePagefilePrivilege	3296	Process not Found
Token: SeShutdownPrivilege	3296	Process not Found
Token: SeCreatePagefilePrivilege	3296	Process not Found
Token: SeShutdownPrivilege	3296	Process not Found
Token: SeCreatePagefilePrivilege	3296	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 5108	4960	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe	69
PID 4960 wrote to memory of 5108	4960	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe	69
PID 4960 wrote to memory of 5108	4960	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe	69
PID 4960 wrote to memory of 5108	4960	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe	69
PID 4960 wrote to memory of 5108	4960	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe	69
PID 4960 wrote to memory of 5108	4960	7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe	69
PID 4244 wrote to memory of 1956	4244	ttgbwrd	71
PID 4244 wrote to memory of 1956	4244	ttgbwrd	71
PID 4244 wrote to memory of 1956	4244	ttgbwrd	71
PID 4244 wrote to memory of 1956	4244	ttgbwrd	71
PID 4244 wrote to memory of 1956	4244	ttgbwrd	71
PID 4244 wrote to memory of 1956	4244	ttgbwrd	71

C:\Users\Admin\AppData\Local\Temp\7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe
"C:\Users\Admin\AppData\Local\Temp\7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe
  "C:\Users\Admin\AppData\Local\Temp\7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:5108

C:\Users\Admin\AppData\Roaming\ttgbwrd
C:\Users\Admin\AppData\Roaming\ttgbwrd
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Roaming\ttgbwrd
  C:\Users\Admin\AppData\Roaming\ttgbwrd
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  PID:1956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ttgbwrd

Filesize
248KB

MD5
5cc4c10eededb8e1cf10f93748c1bbc1

SHA1
795fd81d693cdf57c84c65623036e738a0bdd5b0

SHA256
7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef

SHA512
7eb1ada63299f6514f80c31f221846c8d868d463c7b38575f3c1866a6e4d32df6596f4ec71e8f4f0c8c4249dd784b9daf0a0d0f172447eac7e8632f5d4de4c5b

Download Submit
C:\Users\Admin\AppData\Roaming\ttgbwrd

Filesize
248KB

MD5
5cc4c10eededb8e1cf10f93748c1bbc1

SHA1
795fd81d693cdf57c84c65623036e738a0bdd5b0

SHA256
7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef

SHA512
7eb1ada63299f6514f80c31f221846c8d868d463c7b38575f3c1866a6e4d32df6596f4ec71e8f4f0c8c4249dd784b9daf0a0d0f172447eac7e8632f5d4de4c5b

Download Submit
C:\Users\Admin\AppData\Roaming\ttgbwrd

Filesize
248KB

MD5
5cc4c10eededb8e1cf10f93748c1bbc1

SHA1
795fd81d693cdf57c84c65623036e738a0bdd5b0

SHA256
7028754a2372837f2c2daf95f04359efdaa3d6d8826c0c59cfb187304d3ebeef

SHA512
7eb1ada63299f6514f80c31f221846c8d868d463c7b38575f3c1866a6e4d32df6596f4ec71e8f4f0c8c4249dd784b9daf0a0d0f172447eac7e8632f5d4de4c5b

Download Submit
memory/1956-229-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1956-197-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3296-191-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-273-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-132-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3296-133-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3296-135-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-137-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-138-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3296-140-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-141-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-143-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-145-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-200-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/3296-149-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-144-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-150-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-151-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-153-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-154-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/3296-156-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-158-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-162-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/3296-161-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-164-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-160-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-165-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-167-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/3296-169-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-171-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-172-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-173-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-170-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-175-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-174-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-176-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-274-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-198-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-278-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-181-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3296-183-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-185-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-186-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3296-182-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3296-188-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-189-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-190-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-192-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-276-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-194-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-202-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-196-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-272-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-147-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-122-0x0000000000E60000-0x0000000000E76000-memory.dmp

Filesize
88KB

Download
memory/3296-204-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-205-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3296-207-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-209-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-213-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-215-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-211-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-216-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-218-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3296-220-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-221-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-223-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-222-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-226-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-225-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-227-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-224-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-228-0x0000000002720000-0x0000000002736000-memory.dmp

Filesize
88KB

Download
memory/3296-270-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/3296-234-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3296-235-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3296-236-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-238-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-239-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/3296-242-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-241-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-243-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-245-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-244-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-249-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-250-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-247-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-252-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/3296-254-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-256-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-257-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/3296-261-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-259-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-263-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-265-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-267-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3296-268-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/4960-118-0x0000000001A20000-0x0000000001A29000-memory.dmp

Filesize
36KB

Download
memory/4960-120-0x0000000001A00000-0x0000000001A15000-memory.dmp

Filesize
84KB

Download
memory/4960-117-0x0000000001A00000-0x0000000001A15000-memory.dmp

Filesize
84KB

Download
memory/5108-119-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5108-121-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5108-123-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download