smokeloader | cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1

Analysis

max time kernel
0s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b6b2968e8f090b22bc47abab70c4dd0.exe
Size

5.7MB
MD5

0b6b2968e8f090b22bc47abab70c4dd0
SHA1

216f0ada991deb26c4607dd142ea5f0176484cc0
SHA256

cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
SHA512

8598904d81f4ee2a31e9c3a9e2634b69b1a2cd61f92f679c2fa52ee302eef1524045adfd4fb3f5176218c5a53ace6263ac8a1c19952a9083b3339484e0468037
SSDEEP

98304:yfa/a9mJY8p/79aJYpiPSnfCyg0+UA/bJMfcvPA5L2wvpvnSALNl5UL5nXSCC333:ymY+/BdsKnar0SWmIL2EqSNl5klZoZ

Score

10^/10

smokeloader vidar zgrat 706 pub6 backdoor rat stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2152-135-0x0000000001210000-0x0000000001A36000-memory.dmp	family_zgrat_v1

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/1240-143-0x0000000003350000-0x00000000033ED000-memory.dmp	family_vidar
behavioral1/memory/1240-144-0x0000000000400000-0x000000000334B000-memory.dmp	family_vidar
behavioral1/memory/1240-269-0x0000000000400000-0x000000000334B000-memory.dmp	family_vidar

Executes dropped EXE 1 IoCs

pid	Process
1916	setup_installer.exe

Loads dropped DLL 4 IoCs

pid	Process
2984	0b6b2968e8f090b22bc47abab70c4dd0.exe
1916	setup_installer.exe
1916	setup_installer.exe
1916	setup_installer.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2152-135-0x0000000001210000-0x0000000001A36000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	api.db-ip.com
39	api.db-ip.com
4	ipinfo.io
14	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2880	2796	WerFault.exe
2592	1240	WerFault.exe	31

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1916	2984	0b6b2968e8f090b22bc47abab70c4dd0.exe	50
PID 2984 wrote to memory of 1916	2984	0b6b2968e8f090b22bc47abab70c4dd0.exe	50
PID 2984 wrote to memory of 1916	2984	0b6b2968e8f090b22bc47abab70c4dd0.exe	50
PID 2984 wrote to memory of 1916	2984	0b6b2968e8f090b22bc47abab70c4dd0.exe	50
PID 2984 wrote to memory of 1916	2984	0b6b2968e8f090b22bc47abab70c4dd0.exe	50
PID 2984 wrote to memory of 1916	2984	0b6b2968e8f090b22bc47abab70c4dd0.exe	50
PID 2984 wrote to memory of 1916	2984	0b6b2968e8f090b22bc47abab70c4dd0.exe	50

C:\Users\Admin\AppData\Local\Temp\0b6b2968e8f090b22bc47abab70c4dd0.exe
"C:\Users\Admin\AppData\Local\Temp\0b6b2968e8f090b22bc47abab70c4dd0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2d7080268fee447.exe
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\7zSC7752636\2d7080268fee447.exe
  2d7080268fee447.exe
  2⤵
  PID:2960

C:\Users\Admin\AppData\Local\Temp\7zSC7752636\20383e5a9a4c5112.exe
20383e5a9a4c5112.exe
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\7zSC7752636\b001a8f56.exe
b001a8f56.exe
1⤵
PID:1240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 956
  2⤵
  - Program crash
  PID:2592

C:\Users\Admin\AppData\Local\Temp\7zSC7752636\e9e6055abb695524.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC7752636\e9e6055abb695524.exe" -a
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\7zSC7752636\27ce46284501.exe
27ce46284501.exe
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\7zSC7752636\79d822fc709e78.exe
79d822fc709e78.exe
1⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\7zSC7752636\f9a302645.exe
f9a302645.exe
1⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\7zSC7752636\e9e6055abb695524.exe
e9e6055abb695524.exe
1⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\7zSC7752636\3d0c613fcb2403.exe
3d0c613fcb2403.exe
1⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 79d822fc709e78.exe
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 416
1⤵
- Program crash
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c b001a8f56.exe
1⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f9a302645.exe
1⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3d0c613fcb2403.exe
1⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e9e6055abb695524.exe
1⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 20383e5a9a4c5112.exe
1⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 27ce46284501.exe
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\7zSC7752636\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC7752636\setup_install.exe"
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7zSC7752636\setup_install.exe

Filesize
21KB

MD5
a752dbb95598b6270756534e5a489792

SHA1
a1a40379c178af37c2f6985dfc6ca79d71ff8ee1

SHA256
67807ab0b40497b17fd753c3d2f9623bd4bfea3148510b2ccb768d08f8a73193

SHA512
f75d5e13d850ac15e371c518efe1066e624cdef6a3e4dffc0d61dcda5270942942f7a4e5664ee7298142b4535df56a1c527661f65531c6dd9a3b33c4e90307a9

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC7752636\setup_install.exe

Filesize
40B

MD5
5bda86c200ce3cb2d69c723a5e33ee7f

SHA1
3ae6b41ddd271eae3225285844afba2a67f6664a

SHA256
74db2527f5f87d5916b041b6a45fb9b0f650c756f13f295344c9c1e6778b6d27

SHA512
7485c29cef947a0b16b6b58a524f3e656e73215bfe225c980616669f7d5690d1b8fa193efd61c374304d0eff85fcea7aef7352b7d9c08953dc8e11507a0a8148

Download Submit
memory/1152-133-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1152-377-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download
memory/1152-307-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/1152-147-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/1152-117-0x0000000000B70000-0x0000000000B9E000-memory.dmp

Filesize
184KB

Download
memory/1152-129-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1152-131-0x0000000000250000-0x0000000000272000-memory.dmp

Filesize
136KB

Download
memory/1152-282-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download
memory/1152-130-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download
memory/1240-142-0x00000000034B0000-0x00000000035B0000-memory.dmp

Filesize
1024KB

Download
memory/1240-143-0x0000000003350000-0x00000000033ED000-memory.dmp

Filesize
628KB

Download
memory/1240-269-0x0000000000400000-0x000000000334B000-memory.dmp

Filesize
47.3MB

Download
memory/1240-304-0x00000000034B0000-0x00000000035B0000-memory.dmp

Filesize
1024KB

Download
memory/1240-144-0x0000000000400000-0x000000000334B000-memory.dmp

Filesize
47.3MB

Download
memory/1248-158-0x0000000002F00000-0x0000000002F16000-memory.dmp

Filesize
88KB

Download
memory/1964-305-0x0000000002A70000-0x0000000003296000-memory.dmp

Filesize
8.1MB

Download
memory/1964-145-0x0000000002A70000-0x0000000003296000-memory.dmp

Filesize
8.1MB

Download
memory/2152-140-0x0000000077E60000-0x0000000077E62000-memory.dmp

Filesize
8KB

Download
memory/2152-134-0x0000000001210000-0x0000000001A36000-memory.dmp

Filesize
8.1MB

Download
memory/2152-303-0x0000000001A40000-0x0000000002266000-memory.dmp

Filesize
8.1MB

Download
memory/2152-136-0x0000000001A40000-0x0000000002266000-memory.dmp

Filesize
8.1MB

Download
memory/2152-135-0x0000000001210000-0x0000000001A36000-memory.dmp

Filesize
8.1MB

Download
memory/2152-137-0x0000000001A40000-0x0000000002266000-memory.dmp

Filesize
8.1MB

Download
memory/2152-302-0x0000000001210000-0x0000000001A36000-memory.dmp

Filesize
8.1MB

Download
memory/2336-141-0x0000000000400000-0x00000000032F8000-memory.dmp

Filesize
47.0MB

Download
memory/2336-139-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/2336-159-0x0000000000400000-0x00000000032F8000-memory.dmp

Filesize
47.0MB

Download
memory/2336-138-0x0000000003430000-0x0000000003530000-memory.dmp

Filesize
1024KB

Download
memory/2796-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2796-266-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-54-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2796-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2796-268-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-267-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2796-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-265-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2796-264-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2796-263-0x0000000000400000-0x0000000000C7F000-memory.dmp

Filesize
8.5MB

Download
memory/2796-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-53-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2796-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2796-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2796-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2960-132-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download
memory/2960-283-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download
memory/2960-306-0x000000001AC20000-0x000000001ACA0000-memory.dmp

Filesize
512KB

Download
memory/2960-111-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/2960-146-0x000000001AC20000-0x000000001ACA0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads