Analysis
max time kernel: 163s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 10:02
Static task: static1
Behavioral task: behavioral1 | Sample: 6ccda75559212c7844b6f438e1529fdb.exe | Resource: win7-20230831-en
Behavioral task: behavioral2 | Sample: 6ccda75559212c7844b6f438e1529fdb.exe | Resource: win10v2004-20230915-en
General
Target: 6ccda75559212c7844b6f438e1529fdb.exe
Size: 242KB
MD5: 6ccda75559212c7844b6f438e1529fdb
SHA1: 21725740126bcf0f58e7d2e5294a4ec297568da0
SHA256: 0fd5d12ecd023e00a35c3f22158709f4088e49c3b9fce7ac6ebbf7228f874978
SHA512: 5b84271a5703e6d453455bb7e290e0b2260eed250ab10e604d0a4ce2a447af4d101e6242a35bb5547320958055eaa5cfeb622844e091e7ffd048e3e2f76ec993
SSDEEP: 3072:hnb4exKruCLlIKvKmVpve6WGX9uin5s3yDKdpPQ6T5cbac6TOac:B6uCLiK5nyGX5n5sf9Ubac6TO
Malware Config
Extracted: smokeloader | Botnet: pub4
Extracted: smokeloader | Version: 2022 | C2:
  http://gudintas.at/tmp/
  http://pik96.ru/tmp/
  http://rosatiauto.com/tmp/
  http://kingpirate.ru/tmp/
Signatures
SmokeLoader: Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description   | ioc                                               | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6ccda75559212c7844b6f438e1529fdb.exe
Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6ccda75559212c7844b6f438e1529fdb.exe
Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6ccda75559212c7844b6f438e1529fdb.exe
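The heuristic behind this signature, written out as an added example (this is not code from the report, the sandbox, or the SmokeLoader sample): the subkeys under SYSTEM\ControlSet001\Enum\SCSI are device IDs of the form Disk&Ven_<vendor>&Prod_<product>, and on a virtual machine the vendor/product strings name the hypervisor (VBOX, VMware, QEMU, ...). The marker list and the sample device IDs below are assumptions and constructed data, not values captured from this analysis VM; the live collector uses the same key path the IoCs show (ControlSet001 literally, not CurrentControlSet) and only works on a Windows host.

```python
"""
Added example: the Enum\SCSI anti-sandbox check flagged by the
"Checks SCSI registry key(s)" signature. Not taken from the sample.
"""
import sys
from typing import Iterable, List

# Hypervisor identifiers commonly found in virtual disk/controller IDs (assumed list).
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTIO", "XEN", "VIRTUAL")

# Same key the sample enumerated, opened and queried (relative to HKLM).
SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"


def hypervisor_hits(device_ids: Iterable[str]) -> List[str]:
    """Return the Enum\\SCSI subkey names whose vendor/product part contains a
    hypervisor marker. An empty list means nothing looked virtual."""
    hits = []
    for device_id in device_ids:
        # Device IDs look like "Disk&Ven_VBOX&Prod_HARDDISK"; match case-insensitively.
        if any(marker in device_id.upper() for marker in HYPERVISOR_MARKERS):
            hits.append(device_id)
    return hits


def looks_like_sandbox(device_ids: Iterable[str]) -> bool:
    """The decision a loader makes before detonating: any hit means assume VM/sandbox."""
    return bool(hypervisor_hits(device_ids))


def read_scsi_enum_subkeys() -> List[str]:
    """Live collector for a Windows guest: enumerate the subkeys exactly as the
    report's 'Key enumerated / Key opened / Key queried' IoCs describe."""
    if sys.platform != "win32":
        raise OSError("Enum\\SCSI is a Windows registry key; run this on the Windows guest")
    import winreg  # standard library, Windows only
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for index in range(subkey_count):
            names.append(winreg.EnumKey(key, index))
    return names


# Constructed sample inputs (not captured from the analysis VM).
SAMPLE_VIRTUALBOX_GUEST = [
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "CdRom&Ven_VBOX&Prod_CD-ROM",
]
SAMPLE_BARE_METAL = [
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]

if __name__ == "__main__":
    # On Windows read the real key; elsewhere fall back to the constructed VM sample.
    ids = read_scsi_enum_subkeys() if sys.platform == "win32" else SAMPLE_VIRTUALBOX_GUEST
    print("SCSI device IDs:", ids)
    print("hypervisor markers:", hypervisor_hits(ids))
    print("looks like sandbox:", looks_like_sandbox(ids))
```

Two practical consequences follow from the check: a sandbox operator who wants this sample to detonate must make the guest's SCSI vendor/product strings look like commodity hardware (the hypervisor's device names are what leak here), and a detection engineer can treat an unsigned user-mode binary opening HKLM\SYSTEM\ControlSet001\Enum\SCSI, together with the matching process-enumeration and section-mapping behavior below, as a strong pre-injection indicator.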
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  | Process
1292 | 6ccda75559212c7844b6f438e1529fdb.exe (2 entries)
3204 | Process not Found (all remaining entries)
"Process not Found" means the sandbox could not map PID 3204 back to a process it was tracking, so the bulk of the process enumeration is attributed to an unresolved PID rather than to the sample's own PID 1292.
Suspicious behavior: MapViewOfSection (1 IoC)
pid  | Process
1292 | 6ccda75559212c7844b6f438e1529fdb.exe