Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/09/2023, 06:53
Static task: static1
Behavioral task: behavioral1
  Sample: bf6863460cf38b67423d10b9f51c4751.bin.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: bf6863460cf38b67423d10b9f51c4751.bin.exe
  Resource: win10v2004-20230915-en
General
Target: bf6863460cf38b67423d10b9f51c4751.bin.exe
Size: 202KB
MD5: bf6863460cf38b67423d10b9f51c4751
SHA1: fa8d3490fcecc1e799c8583b6b1fbf48d21960b6
SHA256: 31e54f46b20976c9779d4fde6282ec9fc581b50646a802a517e827c5e7a6aebb
SHA512: 78667b3d1796a61289bda88eecebbdb39e4a2bfb9001f57c9b52376a590f33dc79f2f595488ec2b3f911455bee41fc426e5b5dca9d2b735c513b959c92e9812b
SSDEEP: 3072:nXJsh/iJRNYL+7ZbmH+nlHH05C2yO46E5JZ51ZW6YzaC:XGh/4RKgZbk+l/tZxO
Malware Config
Extracted: smokeloader
  Version/ID: pub1
Extracted: smokeloader
  Version/ID: 2022
  C2 URLs:
    http://gudintas.at/tmp/
    http://pik96.ru/tmp/
    http://rosatiauto.com/tmp/
    http://kingpirate.ru/tmp/
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bf6863460cf38b67423d10b9f51c4751.bin.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bf6863460cf38b67423d10b9f51c4751.bin.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bf6863460cf38b67423d10b9f51c4751.bin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1112  bf6863460cf38b67423d10b9f51c4751.bin.exe (2 entries)
  3172  Process not Found (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3172  Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1112  bf6863460cf38b67423d10b9f51c4751.bin.exe
Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  3172  Process not Found
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.