smokeloader | 4cafb22334d394a75bf299e8b582791b939af7d462c79b4423948a34f364481b

Analysis

max time kernel
0s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42909ef96fc66ee4ad2b1182f06ecbe6.exe
Size

3.8MB
MD5

42909ef96fc66ee4ad2b1182f06ecbe6
SHA1

9ccde9b068c6dca4172df09853e8b9aa9dcded94
SHA256

4cafb22334d394a75bf299e8b582791b939af7d462c79b4423948a34f364481b
SHA512

e54ef137f1a12fa1c77090ade5e6fd5c404f84a5c3d0b9227fe95eb72d30e6d03fd0431c265569f7b08dc5f416973081264aa3d634399f30ad273da8f4559f9a
SSDEEP

98304:Ub9fEIQBU9HIJ0tyFximjgX7dJw1mLPKZ4ygx2EjufaWte:UpfEIvdIJ0WxHjm5JwSiZ3rEAaH

Score

10^/10

smokeloader pub2 backdoor trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1540	rUNdlL32.eXe	105

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4432-98-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect
behavioral2/memory/4432-100-0x0000000000400000-0x000000000063B000-memory.dmp	vmprotect
behavioral2/files/0x0006000000023213-74.dat	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ipinfo.io
21	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5296	2576	WerFault.exe	106

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5484	PING.EXE

C:\Users\Admin\AppData\Local\Temp\42909ef96fc66ee4ad2b1182f06ecbe6.exe
"C:\Users\Admin\AppData\Local\Temp\42909ef96fc66ee4ad2b1182f06ecbe6.exe"
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\Fille.exe
  "C:\Users\Admin\AppData\Local\Temp\Fille.exe"
  2⤵
  PID:512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cmd < Crescente.ini
    3⤵
    PID:2480
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
    3⤵
    PID:1680
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  PID:964
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
  2⤵
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\xtect20.exe
  "C:\Users\Admin\AppData\Local\Temp\xtect20.exe"
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
  2⤵
  PID:4364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:2792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    PID:4796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:4020
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
    3⤵
    PID:5788
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
    3⤵
    PID:5764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
    3⤵
    PID:5884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:5876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8451456689901808765,9346673436214133990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
    3⤵
    PID:5156
- C:\Users\Admin\AppData\Local\Temp\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
  2⤵
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe
  "C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe"
  2⤵
  PID:4760

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
PID:376
- C:\Windows\SysWOW64\findstr.exe
  findstr /V /R "^lmesxrORijUjeOjnoLtleIpFEzCCKScCJihKoesqpDBLYVUYVpGiCQFBdvNwBjigQsDUABfuxtqninHJmDGAjhqSBLxMfdnXvjUGsqbxTANbPixRPrCXGGeDdLaPiD$" Piramide.ini
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com
  Mantenere.exe.com k
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com k
    3⤵
    PID:5464
- C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 30
  2⤵
  - Runs ping.exe
  PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe36c846f8,0x7ffe36c84708,0x7ffe36c84718
1⤵
PID:3372

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:2576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 600
  2⤵
  - Program crash
  PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2576 -ip 2576
1⤵
PID:2072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5348

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe

Filesize
8KB

MD5
60fda22bdeacf110bd17e573d4755179

SHA1
9ec652c1adfdd612ff94d5405b37d6ce2cdeee58

SHA256
75c08d47e30fb238396887e7dfe14468e8f55563fd157ff27620e91e37a9a9a0

SHA512
29b5a77bbf9ab7dfd6914fdb7ca516c329aa6dcd23958276f2373566ce94b294add0ecd241f83ff77456a558b2089d7d2cee0867b1b5de7630f62b3b73848afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
239KB

MD5
9d8cf8de9b97800927728c11c3ea1a05

SHA1
0f22a1883ee171c6dd3ca2a7989e3585852fb3e7

SHA256
684be08639023e02b2940bea89373e8657bf7b4fb826d22455058ae40f3b57f3

SHA512
021834c482a20e7d998ffd8af980f0b73a16c13967966d9ec211d269ec2df990d8f5313b9567e5daaa590dfa91abe2ec57a7a9693197e110b75f035b6f404887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
55KB

MD5
b367d349af9bd2292938ce37aa4302f2

SHA1
5e27140015e47c438c1a353269f492e1e38be9dc

SHA256
2a522e2018f3c1d1447c6ff8eed52fe3f005518d321aad3629ffa9250809ad1e

SHA512
f76552f6877759b879125c9b228737c23ab2ec31aee3ed8a94ff6c26f5b30adcb95c3e4e351341fe4043d3dd01e3715656056e83ce304d44a3cc2ccaaffa7c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fille.exe

Filesize
1.1MB

MD5
e35987fd2d4cd3ff879d467319e43709

SHA1
f55a7b78b464043abfb153e7f6d2d0688b78b261

SHA256
4ca6fef9e1702bbe7f84460fb9bb7cbd2085553b7fa489936e145291846175c8

SHA512
fee1fd18f42956b48f033cbcc8183c5893b9ec1a458165d585ef32e3c258f13739f74ddd3e6cf58ac200cbc1fca3fded71bf97692b9179396b2aab51a14f7b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
92KB

MD5
3836e5426f33225c00c064dccd94ae33

SHA1
bf7701b04e6aedeaaa6aa9c653aa76c4bd073297

SHA256
97ec7ebd5b3387150f7d4f8dbdce479e2c6aded98a1166cbc9bf9a3192f7d7ed

SHA512
20e3f5e900381a6b45cdcc35975a209e1b75ce109123ccf93745e77ad13fa60623fc371bc8f678ff0beb1a3727ffa20576c08fb0ff88bf69af2b2e4d9ffab442

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
92KB

MD5
709affa23369fc387727be5ab12d631f

SHA1
e3f39bf8c4fcd17874babdeba6fff6eb57ac3a48

SHA256
9731c8cfb1d06adc0ab6a791d0e340b13f7f1cfab385b3ddf1d57f374af0968b

SHA512
1e7acb5dd96c9a697dcc60225213afe219a3a4345a76cdca28997491208ef6e2303e7cb8cabd14552da40b32f4ba966ddae2b6d125b15a5925f134bb814692d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
166KB

MD5
63ead911676a9c9431f185fa3b415dc7

SHA1
bf86775b8713f8461fd7cc81104e7abedabd2885

SHA256
9e90ed11bd37b8004921c0b5c1668d2a3780b223055d6f4a31ce2ede411a3dfd

SHA512
e78d110b96404c63b86b7c5c91eff18221be0a846a4e11bca633ac0e7a2c5b40be2d5e1bc5645f9d3144a9c3d38a05809f3fe21a129333344cbd4de9e39d3c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
758KB

MD5
d7eb620404874d7f77870f1b1ecaeee3

SHA1
e281d765ee3facac0140732427c291f1a31d90b4

SHA256
1dce5d2a9682c811f7c4dd7e4f4c8f26ba35bba8803efe316aabddafb41c1708

SHA512
5042740a5f8d650cdce19b07eb45896dac5b76c853a60158b4c09ddbf83f3463ba6789dc93357aad18343add3a84e1e518c9511e0bc1af16ff16966007ad4bb8

Download Submit
memory/1204-207-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1204-184-0x0000000000580000-0x0000000000589000-memory.dmp

Filesize
36KB

Download
memory/1204-185-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1204-183-0x0000000000780000-0x0000000000880000-memory.dmp

Filesize
1024KB

Download
memory/1528-108-0x0000000000E70000-0x0000000000E96000-memory.dmp

Filesize
152KB

Download
memory/1528-97-0x0000000000E50000-0x0000000000E56000-memory.dmp

Filesize
24KB

Download
memory/1528-84-0x0000000000670000-0x00000000006A2000-memory.dmp

Filesize
200KB

Download
memory/1528-163-0x00007FFE3A6B0000-0x00007FFE3B171000-memory.dmp

Filesize
10.8MB

Download
memory/1528-125-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/1528-122-0x0000000000F00000-0x0000000000F06000-memory.dmp

Filesize
24KB

Download
memory/1528-93-0x00007FFE3A6B0000-0x00007FFE3B171000-memory.dmp

Filesize
10.8MB

Download
memory/4432-100-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/4432-98-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/4760-76-0x00007FFE3A6B0000-0x00007FFE3B171000-memory.dmp

Filesize
10.8MB

Download
memory/4760-56-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/4760-96-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download