Analysis
-
max time kernel
15s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
22-10-2023 05:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
80a0bba7b792fbc7c7cf87ac783aa2f6.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
80a0bba7b792fbc7c7cf87ac783aa2f6.exe
Resource
win10v2004-20231020-en
amadeyasyncratgluptebaredlinesmokeloader5141679758_99defaultkolyansuperaup3yt&team cloudbackdoordropperinfostealerloaderpersistencerattrojan
windows10-2004-x64
21 signatures
150 seconds
General
-
Target
80a0bba7b792fbc7c7cf87ac783aa2f6.exe
-
Size
916KB
-
MD5
80a0bba7b792fbc7c7cf87ac783aa2f6
-
SHA1
da8cd451ed909d3845a59533b96a5490d1217214
-
SHA256
94c44d916b27f693a843dc746fad3f2fa3c7b2d85e8a5c6b35b163e7cf6f5237
-
SHA512
0cf7ab4cdfb504e5263898aad5b424028ee94811860d4a1805aedc0ba338d0ecd94e1d52485e1685cf7812d9ab94d48a2a433382e597400a3b0bd73aeba3a704
-
SSDEEP
24576:VmtwIVsHk1r1HHHHHHHHHHHJHzlagz3lt:MVsHk1hHHHHHHHHHHHJog
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2022
C2
http://77.91.68.29/fks/
rc4.i32
rc4.i32
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2188 set thread context of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1712 AppLaunch.exe 1712 AppLaunch.exe 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found 1180 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1712 AppLaunch.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2788 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 28 PID 2188 wrote to memory of 2788 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 28 PID 2188 wrote to memory of 2788 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 28 PID 2188 wrote to memory of 2788 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 28 PID 2188 wrote to memory of 2788 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 28 PID 2188 wrote to memory of 2788 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 28 PID 2188 wrote to memory of 2788 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 28 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29 PID 2188 wrote to memory of 1712 2188 80a0bba7b792fbc7c7cf87ac783aa2f6.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\80a0bba7b792fbc7c7cf87ac783aa2f6.exe"C:\Users\Admin\AppData\Local\Temp\80a0bba7b792fbc7c7cf87ac783aa2f6.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:2788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1712
-