smokeloader | 928bebc6fd81753d079c38d1d3ea3a92c5be87e47c4eff0011ba0b8cec45d0fb

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
30/09/2023, 18:07

Target

2456-471-0x0000000000400000-0x0000000000409000-memory.exe
Size

36KB
MD5

dfa49a4ab662e69fc200dec97c9f6c07
SHA1

399378353366bbf12cfb91cb0d04517a268b5017
SHA256

928bebc6fd81753d079c38d1d3ea3a92c5be87e47c4eff0011ba0b8cec45d0fb
SHA512

33825136f3b3797ced3190aa82b8dde3dbfe2977c88bffed22a1f1a563af6464ccd93acd1492c70ef5a66045d5fcc2b5f2139dbe5a533c4724ed4310833215dc
SSDEEP

768:OkUqYDNyIoKpDd1KM02kQhx4hOtFceWzYqvz0bOS:zLisLKtd1PBkQD4UtFceWnz

Score

10^/10

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2184	2172	WerFault.exe	26

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2184	2172	2456-471-0x0000000000400000-0x0000000000409000-memory.exe	28
PID 2172 wrote to memory of 2184	2172	2456-471-0x0000000000400000-0x0000000000409000-memory.exe	28
PID 2172 wrote to memory of 2184	2172	2456-471-0x0000000000400000-0x0000000000409000-memory.exe	28
PID 2172 wrote to memory of 2184	2172	2456-471-0x0000000000400000-0x0000000000409000-memory.exe	28

C:\Users\Admin\AppData\Local\Temp\2456-471-0x0000000000400000-0x0000000000409000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2456-471-0x0000000000400000-0x0000000000409000-memory.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 36
  2⤵
  - Program crash
  PID:2184

memory/2172-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download