Malware Analysis Report

2025-08-06 03:41

Sample ID 230922-ev7thach2z
Target 5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489
SHA256 5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489
Tags
smokeloader pub1 backdoor trojan
score
10/10


Analysis Overview

score
10/10

SHA256

5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489

Threat Level: Known bad

The file 5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489 was found to be: Known bad.

Malicious Activity Summary

smokeloader pub1 backdoor trojan

SmokeLoader

Deletes itself

Executes dropped EXE

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2023-09-22 04:16

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-22 04:16

Reported

2023-09-22 04:21

Platform

win7-20230831-en

Max time kernel

300s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bbfbfag N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bbfbfag N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bbfbfag N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bbfbfag N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bbfbfag N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 2640 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\bbfbfag (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe

"C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8C2DF981-1EAD-42DA-823B-923982FFA14C} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\bbfbfag

C:\Users\Admin\AppData\Roaming\bbfbfag

Network

Country Destination Domain Proto
US 8.8.8.8:53 gudintas.at udp
KR 211.40.39.251:80 gudintas.at tcp (18 identical connections)

Files

memory/2140-1-0x00000000007B0000-0x00000000008B0000-memory.dmp

memory/2140-2-0x0000000000400000-0x0000000000717000-memory.dmp

memory/2140-3-0x0000000000230000-0x0000000000239000-memory.dmp

memory/1204-4-0x00000000029A0000-0x00000000029B6000-memory.dmp

memory/2140-5-0x0000000000400000-0x0000000000717000-memory.dmp

C:\Users\Admin\AppData\Roaming\bbfbfag

MD5 ba46aac85484a5e446516a53359ef71d
SHA1 fc487c46fb047de9a8d0c7433c11d97703f81704
SHA256 5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489
SHA512 924d02a9a757129858ee1d8300f30d1d824ee254192d2f0e69a7aaaff025d905c3603caf8d8254f184f58871b3860a3fb93340d4d5b544d91304f21807160bad

memory/2640-14-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2640-15-0x0000000000400000-0x0000000000717000-memory.dmp

memory/1204-16-0x0000000002C70000-0x0000000002C86000-memory.dmp

memory/2640-17-0x0000000000400000-0x0000000000717000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-22 04:16

Reported

2023-09-22 04:21

Platform

win10-20230915-en

Max time kernel

300s

Max time network

253s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\eghfuur N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\eghfuur N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\eghfuur N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\eghfuur N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\eghfuur N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe

"C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe"

C:\Users\Admin\AppData\Roaming\eghfuur

C:\Users\Admin\AppData\Roaming\eghfuur

Network

Country Destination Domain Proto
US 8.8.8.8:53 gudintas.at udp
KR 211.40.39.251:80 gudintas.at tcp (2 identical connections)
US 8.8.8.8:53 251.39.40.211.in-addr.arpa udp
KR 211.40.39.251:80 gudintas.at tcp (16 identical connections)
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/1232-1-0x00000000009E0000-0x0000000000AE0000-memory.dmp

memory/1232-2-0x0000000000400000-0x0000000000717000-memory.dmp

memory/1232-3-0x0000000000850000-0x0000000000859000-memory.dmp

memory/3288-4-0x0000000001340000-0x0000000001356000-memory.dmp

memory/1232-5-0x0000000000400000-0x0000000000717000-memory.dmp

C:\Users\Admin\AppData\Roaming\eghfuur

MD5 ba46aac85484a5e446516a53359ef71d
SHA1 fc487c46fb047de9a8d0c7433c11d97703f81704
SHA256 5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489
SHA512 924d02a9a757129858ee1d8300f30d1d824ee254192d2f0e69a7aaaff025d905c3603caf8d8254f184f58871b3860a3fb93340d4d5b544d91304f21807160bad

memory/5080-14-0x0000000000910000-0x0000000000A10000-memory.dmp

memory/5080-15-0x0000000000400000-0x0000000000717000-memory.dmp

memory/3288-16-0x0000000003240000-0x0000000003256000-memory.dmp

memory/5080-17-0x0000000000400000-0x0000000000717000-memory.dmp