Analysis
- max time kernel: 300s
- max time network: 267s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-08-2023 05:20
Static task static1: 1 signature
Behavioral task behavioral1: sample toolspub2.exe, resource win7-20230712-en (windows7-x64), 8 signatures, 300 seconds
Behavioral task behavioral2: sample toolspub2.exe, resource win10v2004-20230703-en (windows10-2004-x64), 7 signatures, 300 seconds
General
- Target: toolspub2.exe
- Size: 271KB
- MD5: 222a4c7e494a2314e9e1d0a07abecee9
- SHA1: dd8f2552f2fa5256fac01a51fa2c383759e84f8e
- SHA256: 60e8eef70c565ec2abbe7d16157a0edc4f8dbf8938363680ac6362620114c436
- SHA512: fd419aa596c7f91f7cfbde0a1cb6a6801ebe684c9966b53d2e8541f7f6b0763427c251f371ba3d252acfe6ab2dc0c611273af8ca14d3ad738e3ca98b30d18d11
- SSDEEP: 3072:KS9AVA4WD+XiRE4KZ9f/KKosNgOe8R2fnedNvtKts+tiPJA88i3Ml7Z1DWGLM:K5NX3446KOOeZStKts1PDZSF1DWGL
- Score: 10/10
Malware Config
Extracted
- Family: smokeloader
- Botnet: up3
Extracted
- Family: smokeloader
- Version: 2020
- C2: http://host-file-host6.com/, http://host-host-file8.com/
- rc4.i32
- rc4.i32
Signatures
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 244 set thread context of 2384; pid: 244; Process: toolspub2.exe; procid_target: 82
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2384; Process: toolspub2.exe
  pid: 2384; Process: toolspub2.exe
  pid: 3176; Process: Process not Found (this row is repeated for the remaining 62 of the 64 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 3176; Process: Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 2384; Process: toolspub2.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeShutdownPrivilege; pid: 3176; Process: Process not Found
  description: Token: SeCreatePagefilePrivilege; pid: 3176; Process: Process not Found
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 244 wrote to memory of 2384; pid: 244; Process: toolspub2.exe; procid_target: 82
  (the same row is recorded 6 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe (command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"), PID:244
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe (command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"), PID:2384, child of PID 244
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection