smokeloader | 6cad140e13b0cd2c2ed202a1008a0c4a15c34dd1105ccd62ff73c835aa3c5992

Analysis

max time kernel
158s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 14:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

309KB
MD5

0f083a5046e2f73e07d548e42fa551bd
SHA1

ea9cc1bc4ac78a28a580035068e2e69cfb373378
SHA256

6cad140e13b0cd2c2ed202a1008a0c4a15c34dd1105ccd62ff73c835aa3c5992
SHA512

23444a737bd78b74a003ab35cdccc1d5508e202c116e2e21c7bf3f92dbbaeed9418f88340e307f89946f77e5dd5674dc1750da63db74d7775954275fab28268a
SSDEEP

3072:lFdr6mKEmVl5e0AtTUHMAxXlDJvPpMQ0/oLZVPee1JSCvTVZpbOU:lnr6mBmdHAtTK7DDxPmQ0/2NxvLpK

Score

10^/10

smokeloader pub4 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

http://gudintas.at/tmp/

http://pik96.ru/tmp/

http://rosatiauto.com/tmp/

http://kingpirate.ru/tmp/

rc4.i32

1
0x3b22e540

rc4.i32

1
0xa6b397e0

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

pid	Process
1276	Process not Found

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	file.exe
1692	file.exe
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found
1276	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1276	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1692	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1692

Network

DNS

gudintas.at

Remote address:

8.8.8.8:53

Request

gudintas.at

IN A

Response

gudintas.at

IN A

181.170.86.159

gudintas.at

IN A

180.94.156.61

gudintas.at

IN A

186.147.159.149

gudintas.at

IN A

190.139.250.133

gudintas.at

IN A

190.141.134.150

gudintas.at

IN A

201.124.243.137

gudintas.at

IN A

175.126.109.15

gudintas.at

IN A

211.53.230.67

gudintas.at

IN A

175.120.254.9

gudintas.at

IN A

14.33.209.147
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ccuoc.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 160
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:31 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 8
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bmnhexhkyo.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 364
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:32 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kfjujja.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 340
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:33 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qwvlc.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 204
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:34 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ejugnrr.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 256
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:38 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gjyrnx.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 125
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:40 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jdoey.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 341
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:41 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cyconb.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 264
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:42 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://memxvudf.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 256
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:43 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://aayin.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 352
Host: gudintas.at

Response

HTTP/1.1 200 OK

Date: Thu, 12 Oct 2023 04:24:45 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dmeialnsk.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 132
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:46 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vgfcdovtv.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 133
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fbaqpstmrj.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 182
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:48 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://odanlpfrt.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 326
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:49 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jfkau.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 355
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:50 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://gudintas.at/tmp/

Remote address:

181.170.86.159:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://pjcirmxu.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 246
Host: gudintas.at

Response

HTTP/1.0 404 Not Found

Date: Thu, 12 Oct 2023 04:24:52 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8

181.170.86.159:80

http://gudintas.at/tmp/

http

1.2kB
477 B
7
5

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

949 B
882 B
7
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

922 B
882 B
7
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

738 B
882 B
6
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

890 B
790 B
8
5

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

752 B
790 B
8
5

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

921 B
882 B
7
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

845 B
882 B
7
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

839 B
882 B
7
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

886 B
542 B
6
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

200
181.170.86.159:80

http://gudintas.at/tmp/

http

716 B
882 B
7
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

671 B
882 B
6
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

721 B
882 B
6
7

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

910 B
790 B
7
5

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

889 B
790 B
6
5

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404
181.170.86.159:80

http://gudintas.at/tmp/

http

875 B
830 B
8
6

HTTP Request

POST http://gudintas.at/tmp/

HTTP Response

404

8.8.8.8:53

gudintas.at

dns

57 B
217 B
1
1

DNS Request

gudintas.at

DNS Response

181.170.86.159

180.94.156.61

186.147.159.149

190.139.250.133

190.141.134.150

201.124.243.137

175.126.109.15

211.53.230.67

175.120.254.9

14.33.209.147

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-4-0x0000000002B40000-0x0000000002B56000-memory.dmp

Filesize
88KB

Download
memory/1692-1-0x00000000026F0000-0x00000000027F0000-memory.dmp

Filesize
1024KB

Download
memory/1692-2-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1692-3-0x0000000000400000-0x00000000025A0000-memory.dmp

Filesize
33.6MB

Download
memory/1692-5-0x0000000000400000-0x00000000025A0000-memory.dmp

Filesize
33.6MB

Download
memory/1692-8-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.