Malware Analysis Report

2025-08-10 17:40

Sample ID 230915-xz3z8aef8y
Target b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6
SHA256 b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6
Tags
smokeloader pub1 backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6

Threat Level: Known bad

The file b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6 was found to be: Known bad.

Malicious Activity Summary

smokeloader pub1 backdoor trojan

SmokeLoader

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-15 19:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-15 19:18

Reported

2023-09-15 19:20

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\rhejifr | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\rhejifr | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rhejifr | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rhejifr | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rhejifr | N/A
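Both the original sample and its dropped copy open, query and enumerate the same key, SYSTEM\ControlSet001\Enum\SCSI. The subkey names under that key carry the disk vendor and product strings, which is why this signature is commonly associated with virtual-machine detection: a sample reads the names and looks for a virtualisation vendor. The report does not show what strings the sample compares against. The following added example (not code from the report or from the malware) reproduces the read-only enumeration with winreg on Windows and, on any platform, applies the comparison to constructed subkey names; the VM_MARKERS list and the sample names are assumptions of the example. Running the collection step on an analysis VM shows what such a sample would see there.

```python
import sys

# Key path exactly as recorded in the report (ControlSet001, not CurrentControlSet).
SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Vendor/product substrings that identify a virtual disk. This list is an
# assumption of the example; the report does not show what the sample compares against.
VM_MARKERS = ("VMWARE", "VMWAR", "VBOX", "VIRTUAL", "QEMU", "XEN")


def collect_scsi_device_ids():
    """Read the subkey names under HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI (Windows only).

    Each subkey name has the shape Disk&Ven_<vendor>&Prod_<product>, so the disk
    vendor string is visible from the registry without touching the device itself.
    """
    if sys.platform != "win32":
        raise RuntimeError("winreg is only available on Windows")
    import winreg  # imported here so the rest of the module runs elsewhere
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            ids.append(winreg.EnumKey(key, i))
    return ids


def vm_markers_in(device_ids):
    """Return {device_id: marker} for every ID that contains a VM marker (case-insensitive)."""
    hits = {}
    for dev in device_ids:
        upper = dev.upper()
        for marker in VM_MARKERS:
            if marker in upper:
                hits[dev] = marker
                break
    return hits


def looks_virtual(device_ids):
    """True when at least one SCSI device ID carries a VM marker."""
    return bool(vm_markers_in(device_ids))


# Constructed sample subkey names (not taken from the report), in the format
# Windows uses for this key.
SAMPLE_VM_HOST = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
]
SAMPLE_PHYSICAL_HOST = [
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
]

if __name__ == "__main__":
    ids = collect_scsi_device_ids() if sys.platform == "win32" else SAMPLE_VM_HOST
    print("virtual" if looks_virtual(ids) else "no VM marker", vm_markers_in(ids))
```

The enumeration only needs read access to the key, which a standard user has, so nothing about it requires elevation; the SeShutdownPrivilege and SeCreatePagefilePrivilege adjustments recorded later in this report are unrelated to it.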

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe | N/A
(62 further rows with no description, indicator, process or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\rhejifr | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4952 wrote to memory of 4520 (recorded 6 times) | N/A | C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe | C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe
PID 568 wrote to memory of 4584 (recorded 6 times) | N/A | C:\Users\Admin\AppData\Roaming\rhejifr | C:\Users\Admin\AppData\Roaming\rhejifr
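The WriteProcessMemory rows give the writer and target PIDs, and the memory-dump file names in the Files section give the PID, dump sequence number and address range of every region the sandbox captured. Correlating the two shows where the written payload ended up: both targets (4520 and 4584) were dumped repeatedly at 0x400000-0x409000, the default image base of a 32-bit executable, which is the footprint of a fresh copy of the process receiving a new image. The following added example (not part of the report, and not the sandbox's own tooling) parses exactly the rows and file names from this report and reconstructs the chains; the interpretation of the 0x400000 region is the example's, not the report's.

```python
import re
from collections import defaultdict

# Input copied from this report: the distinct rows of the "Suspicious use of
# WriteProcessMemory" table and the file names in the "Files" list. Nothing
# below is invented; the reading of the 0x400000 region is explained in
# injection_chains().
WRITE_EVENTS = """
PID 4952 wrote to memory of 4520
PID 568 wrote to memory of 4584
"""

MEMORY_DUMPS = """
memory/4952-1-0x0000000000760000-0x0000000000860000-memory.dmp
memory/4952-2-0x0000000002460000-0x0000000002469000-memory.dmp
memory/4520-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4520-4-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4520-6-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3180-5-0x0000000002C40000-0x0000000002C56000-memory.dmp
memory/568-16-0x00000000009F0000-0x0000000000AF0000-memory.dmp
memory/4584-19-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3180-20-0x0000000003060000-0x0000000003076000-memory.dmp
memory/4584-21-0x0000000000400000-0x0000000000409000-memory.dmp
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

DEFAULT_IMAGE_BASE = 0x400000  # linker default for a 32-bit EXE that is not relocated


def parse_writes(text):
    """Map writer PID -> set of target PIDs from 'PID a wrote to memory of b' rows."""
    edges = defaultdict(set)
    for writer, target in WRITE_RE.findall(text):
        edges[int(writer)].add(int(target))
    return dict(edges)


def parse_dumps(text):
    """Map PID -> list of (sequence, start, end) for each dumped region, ordered by sequence."""
    regions = defaultdict(list)
    for pid, seq, start, end in DUMP_RE.findall(text):
        regions[int(pid)].append((int(seq), int(start, 16), int(end, 16)))
    return {pid: sorted(regs) for pid, regs in regions.items()}


def injection_chains(writes, dumps):
    """Correlate each writer->target pair with the regions dumped from the target.

    A target whose dumped region sits at the default image base and is dumped
    more than once after the write is the usual footprint of a child process
    that received a new image in its own address space (the sandbox dumps the
    region each time it changes).
    """
    chains = []
    for writer, targets in writes.items():
        for target in sorted(targets):
            regs = dumps.get(target, [])
            at_base = [r for r in regs if r[1] == DEFAULT_IMAGE_BASE]
            chains.append({
                "writer": writer,
                "target": target,
                "dumps_in_target": len(regs),
                "dumps_at_image_base": len(at_base),
                "injected_size": (at_base[0][2] - at_base[0][1]) if at_base else 0,
            })
    return chains


def uncorrelated_pids(writes, dumps):
    """PIDs that were dumped but never appear as a writer or a write target."""
    involved = set(writes) | {t for ts in writes.values() for t in ts}
    return sorted(set(dumps) - involved)


if __name__ == "__main__":
    w, d = parse_writes(WRITE_EVENTS), parse_dumps(MEMORY_DUMPS)
    for c in injection_chains(w, d):
        print(f"{c['writer']} -> {c['target']}: {c['dumps_at_image_base']} dump(s) "
              f"at 0x{DEFAULT_IMAGE_BASE:x}, {c['injected_size']} bytes")
    print("dumped but not in any write chain:", uncorrelated_pids(w, d))
```

The two chains come out as 4952 -> 4520 and 568 -> 4584, each with a 0x9000-byte region at the image base; PID 3180 is dumped twice but is neither a writer nor a target in the table, so the report gives no direct evidence of how its memory was changed.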

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe (PID 4952, the submitted sample)
"C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe"

C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe (PID 4520, second instance of the sample; PID 4952 writes into its memory)
"C:\Users\Admin\AppData\Local\Temp\b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6.exe"

C:\Users\Admin\AppData\Roaming\rhejifr (PID 568, the dropped copy)
C:\Users\Admin\AppData\Roaming\rhejifr

C:\Users\Admin\AppData\Roaming\rhejifr (PID 4584, second instance of the dropped copy; PID 568 writes into its memory)
C:\Users\Admin\AppData\Roaming\rhejifr

The PIDs are taken from the WriteProcessMemory rows and the memory-dump file names; the report does not state them in this list. For each image a second instance appears and the first instance writes into it, which together with the SetThreadContext and MapViewOfSection signatures is consistent with the payload being injected into a fresh copy of its own process. PID 3180 appears only among the memory dumps and is not one of the listed processes.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | host-file-host6.com | udp
US | 8.8.8.8:53 | host-host-file8.com | udp
NL | 194.169.175.127:80 | host-host-file8.com | tcp
US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp

All udp rows are DNS queries to the resolver 8.8.8.8; the names ending in in-addr.arpa are reverse lookups, not names the sample contacted. The only non-DNS traffic is the TCP connection to 194.169.175.127:80 for host-host-file8.com. host-file-host6.com was queried but no connection to it was recorded. The reverse lookup 127.175.169.194.in-addr.arpa decodes to 194.169.175.127, the address that was connected to.
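Turning a sandbox network table into indicators means separating forward lookups and real connections from resolver noise and reverse lookups. The following added example (not part of the report and not the sandbox's own code) parses the rows above verbatim, decodes the in-addr.arpa names back to addresses, and reports which domains were resolved, which were actually connected to, and which were looked up without any recorded connection. The resolver set and the output format are choices of the example.

```python
import re

# The Network table of this report, copied verbatim (country, destination, domain, proto).
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 25.63.96.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")

RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS resolver, as seen in the table


def parse_rows(text):
    """Parse one table row per line into dicts; fail loudly on anything unexpected."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def ptr_target(name):
    """'127.175.169.194.in-addr.arpa' -> '194.169.175.127' (None if not a PTR name)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def triage(rows):
    """Separate rows into forward lookups, reverse lookups and real connections.

    Only forward-resolved names and non-DNS connections are candidate IOCs; the
    in-addr.arpa rows are reverse lookups and are kept only as decoded addresses
    for cross-referencing against the connections.
    """
    out = {"domains": set(), "ptr_ips": set(), "connections": set()}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] in RESOLVERS:
            ip = ptr_target(r["domain"])
            if ip:
                out["ptr_ips"].add(ip)
            else:
                out["domains"].add(r["domain"])
        else:
            out["connections"].add((r["ip"], r["port"], r["proto"], r["domain"]))
    return out


def unresolved_domains(t):
    """Names that were looked up but have no recorded connection."""
    connected = {c[3] for c in t["connections"]}
    return sorted(t["domains"] - connected)


def ioc_lines(t):
    """Flat, sorted indicator list: resolved domains first, then connections."""
    lines = [f"domain: {d}" for d in sorted(t["domains"])]
    lines += [f"{proto}: {ip}:{port} ({dom})"
              for ip, port, proto, dom in sorted(t["connections"])]
    return lines


if __name__ == "__main__":
    t = triage(parse_rows(NETWORK_ROWS))
    print("\n".join(ioc_lines(t)))
    print("looked up, no connection:", unresolved_domains(t))
    print("reverse-looked-up addresses:", sorted(t["ptr_ips"]))
```

On this table the result is two domains, one connection (tcp 194.169.175.127:80 for host-host-file8.com), and host-file-host6.com as a name that was resolved but never connected to; the decoded reverse-lookup addresses include 194.169.175.127 itself, which is the only one of them that also appears as a connection target.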

Files

memory/4952-1-0x0000000000760000-0x0000000000860000-memory.dmp

memory/4952-2-0x0000000002460000-0x0000000002469000-memory.dmp

memory/4520-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4520-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4520-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3180-5-0x0000000002C40000-0x0000000002C56000-memory.dmp

C:\Users\Admin\AppData\Roaming\rhejifr

MD5 12615c3c739e7fc3107920f4e1fcb8d0
SHA1 de0175d2ecbe05ab09c7eef39e004b8ebde5797a
SHA256 b706b0b48e67dced179a4775d67c6a0532c91d9d69274f214da622945a221fa6
SHA512 2dd36a7e290b95d75cc5a30b06b7f96d774f2f9aa226469e335752a9c238b79a85e4a388e7c022d4f9ced3c8bebf4b6bfe397941f82d79ca8a532122aa635966

The SHA256 of rhejifr is identical to that of the submitted sample, so the dropped file is an unmodified copy of the original executable written to %APPDATA% without a file extension.

memory/568-16-0x00000000009F0000-0x0000000000AF0000-memory.dmp

memory/4584-19-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3180-20-0x0000000003060000-0x0000000003076000-memory.dmp

memory/4584-21-0x0000000000400000-0x0000000000409000-memory.dmp