smokeloader | a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175

General

Target

a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe
Size

289KB
MD5

868b8f185038654472a6579b9269df19
SHA1

1694bed39163d09ecfef89f2876cd3d2eb7608f9
SHA256

a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175
SHA512

f12ea8054aac24aee0dbfde52e826100c3e70bd70e8fef24b97fc87d55f3bd01de62323034676f3c697ac3254fecfaa6e30698c5bef3aa6e4ec88ce8e0e45a44
SSDEEP

3072:DeOMh0OnJpjO/UySoUXw0sIYje/DLKcBeaQ5mUQU8rQj+/:aOc0OJhOcyEs2LK8Hw8t

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe

pid	process
1984	a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe
1984	a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe

pid process

1984 a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe

C:\Users\Admin\AppData\Local\Temp\a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe
"C:\Users\Admin\AppData\Local\Temp\a647595e7316d00d459c41191fc8169ce5a3cfa357d5a9651b6f870d6e06f175.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1984-9-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/1984-2-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/1984-3-0x0000000000400000-0x0000000002AC0000-memory.dmp

Filesize
38.8MB

Download
memory/1984-4-0x0000000000400000-0x0000000002AC0000-memory.dmp

Filesize
38.8MB

Download
memory/1984-1-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

Filesize
1024KB

Download
memory/1984-6-0x0000000000400000-0x0000000002AC0000-memory.dmp

Filesize
38.8MB

Download
memory/3312-23-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/3312-32-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-11-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-12-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-13-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/3312-14-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-15-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-17-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-16-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-21-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-19-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-22-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-5-0x0000000002160000-0x0000000002176000-memory.dmp

Filesize
88KB

Download
memory/3312-24-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-26-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-28-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/3312-30-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-10-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-33-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-31-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/3312-29-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-27-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-34-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-25-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-36-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-35-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/3312-38-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-37-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-39-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-40-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-42-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-41-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/3312-43-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing