smokeloader | d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb

Analysis

max time kernel
307s
max time network
297s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
07-01-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe
Size

253KB
MD5

e8ef7a38069b6dd41d3aaa5f56a12ed3
SHA1

5adfdfb6cce9e7e567a9708d9cf7eb03dbaee2c5
SHA256

d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb
SHA512

d811410d383c893fb6139f4e02dbeaf2c5538eaceed4b5bbc2a8745a43ee9ed5b1582ba2f4381e9412ebf09d6373a2862386d09b536dc09816418c313466fd37
SSDEEP

3072:Se2JURFLNtsfZehN+ZEmJiiet+xTHs+mjKbqHZTrdgGD6pMGKgD9RUacmwgvXF/O:SPiLNE2N6JGKA9dgGDvfacmwgdDwwa

Score

10^/10

smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

pid	Process
3348	Process not Found

Executes dropped EXE 5 IoCs

pid	Process
4632	24F8.exe
2780	2EAD.exe
4424	WindowsUpdater.exe
1836	seueaje
1240	seueaje

Loads dropped DLL 2 IoCs

pid	Process
4424	WindowsUpdater.exe
4424	WindowsUpdater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 1308	3016	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe	71
PID 1836 set thread context of 1240	1836	seueaje	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000001abff-18.dat	nsis_installer_2
behavioral2/files/0x000700000001abff-20.dat	nsis_installer_2
behavioral2/files/0x000600000001ac00-25.dat	nsis_installer_1
behavioral2/files/0x000600000001ac00-25.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seueaje
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seueaje
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seueaje

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1308	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe
1308	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1308	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe
1240	seueaje

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3348	Process not Found
Token: SeCreatePagefilePrivilege	3348	Process not Found
Token: SeShutdownPrivilege	3348	Process not Found
Token: SeCreatePagefilePrivilege	3348	Process not Found

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1308	3016	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe	71
PID 3016 wrote to memory of 1308	3016	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe	71
PID 3016 wrote to memory of 1308	3016	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe	71
PID 3016 wrote to memory of 1308	3016	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe	71
PID 3016 wrote to memory of 1308	3016	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe	71
PID 3016 wrote to memory of 1308	3016	d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe	71
PID 3348 wrote to memory of 4632	3348	Process not Found	72
PID 3348 wrote to memory of 4632	3348	Process not Found	72
PID 3348 wrote to memory of 4632	3348	Process not Found	72
PID 3348 wrote to memory of 2780	3348	Process not Found	73
PID 3348 wrote to memory of 2780	3348	Process not Found	73
PID 3348 wrote to memory of 2780	3348	Process not Found	73
PID 2780 wrote to memory of 4424	2780	2EAD.exe	74
PID 2780 wrote to memory of 4424	2780	2EAD.exe	74
PID 2780 wrote to memory of 4424	2780	2EAD.exe	74
PID 1836 wrote to memory of 1240	1836	seueaje	76
PID 1836 wrote to memory of 1240	1836	seueaje	76
PID 1836 wrote to memory of 1240	1836	seueaje	76
PID 1836 wrote to memory of 1240	1836	seueaje	76
PID 1836 wrote to memory of 1240	1836	seueaje	76
PID 1836 wrote to memory of 1240	1836	seueaje	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe
"C:\Users\Admin\AppData\Local\Temp\d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe
  "C:\Users\Admin\AppData\Local\Temp\d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1308

C:\Users\Admin\AppData\Local\Temp\24F8.exe
C:\Users\Admin\AppData\Local\Temp\24F8.exe
1⤵
- Executes dropped EXE
PID:4632

C:\Users\Admin\AppData\Local\Temp\2EAD.exe
C:\Users\Admin\AppData\Local\Temp\2EAD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4424

C:\Users\Admin\AppData\Roaming\seueaje
C:\Users\Admin\AppData\Roaming\seueaje
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Roaming\seueaje
  C:\Users\Admin\AppData\Roaming\seueaje
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24F8.exe

Filesize
360KB

MD5
80c413180b6bd0dd664adc4e0665b494

SHA1
e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

SHA256
6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

SHA512
347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EAD.exe

Filesize
3.4MB

MD5
aa01bb83822043ecf7be69cfb0a86435

SHA1
ba1856a70e6cd3a4bd2dd7e617fbc3e3cb93374a

SHA256
6e499a5d98f674e164cd391e731a0c97cbdb5bd81ac20159fb7de14c5584aa8a

SHA512
a7ef72d3df47fc863fe96bbb603d1b5f2e73ea2914c914e910fbcd827c362db4189edafb256531ac1e4a1d9d36e110dc2727fb0c959912c467d7455f25c04173

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EAD.exe

Filesize
4.7MB

MD5
600cb94f349e9290d49f8da66a9fdbf0

SHA1
e199399838a8a6392062510042ad38714bf64a2b

SHA256
ad96298c61ed0803b67b61fc452858638aeecc51b0774903e29b38b4936512d8

SHA512
33860774e23d95009c706d9311464f1e1746baf82f55a9cde9e89c4df582299c8ac42638a3e3f77bcb035e0e10170c4e9650c0bab3eb755d1ed474e931a8e434

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

Filesize
2.2MB

MD5
0badb0e573d95db49ac23c11163d9386

SHA1
d86dd20e4498ba5576272df07cd71dd9ed40bf8d

SHA256
5ebb608342d1306743d1ab56bb587b00d7e14737f5af48be3fa738a98cf29668

SHA512
a83d397fdcf2b749aac8f1db38a991b06a70c58d21c84d09cd8a732ee744287e7d7d58edeb817006b6ee245ed313993a3280aea32fd4c5a079b4f960ab35eff8

Download Submit
C:\Users\Admin\AppData\Roaming\seueaje

Filesize
253KB

MD5
e8ef7a38069b6dd41d3aaa5f56a12ed3

SHA1
5adfdfb6cce9e7e567a9708d9cf7eb03dbaee2c5

SHA256
d248ac0df52d36cca68053a1a361f864e8b9b83994475df0ae5f35ee1f7c5feb

SHA512
d811410d383c893fb6139f4e02dbeaf2c5538eaceed4b5bbc2a8745a43ee9ed5b1582ba2f4381e9412ebf09d6373a2862386d09b536dc09816418c313466fd37

Download Submit
\Users\Admin\AppData\Local\Temp\lib.dll

Filesize
2.2MB

MD5
bc94fe5f3a7d234dceefa5a25c109358

SHA1
eefd19123cb554bd975d9848eff08f195c7794bb

SHA256
fdbd693e2a9eab791967e78eef8e1a3423c63b570d6fc8ccd9367be931c779c4

SHA512
650632899edc1bce009244cf228500c26df33c2036f774f60529c10bf7b277a49d3e635846097cf2d821a54e066a07f5f6ef2be055e1054e8c4a1a938fad9c69

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3286.tmp\System.dll

Filesize
12KB

MD5
dd87a973e01c5d9f8e0fcc81a0af7c7a

SHA1
c9206ced48d1e5bc648b1d0f54cccc18bf643a14

SHA256
7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

SHA512
4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

Download Submit
memory/1240-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1240-49-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1308-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1308-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1308-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1836-42-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2780-22-0x00000000008C0000-0x0000000000E56000-memory.dmp

Filesize
5.6MB

Download
memory/2780-26-0x00000000008C0000-0x0000000000E56000-memory.dmp

Filesize
5.6MB

Download
memory/3016-2-0x00000000006A0000-0x00000000006A9000-memory.dmp

Filesize
36KB

Download
memory/3016-1-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/3348-5-0x0000000000D40000-0x0000000000D56000-memory.dmp

Filesize
88KB

Download
memory/3348-46-0x0000000000E80000-0x0000000000E96000-memory.dmp

Filesize
88KB

Download
memory/4424-38-0x00000000732C0000-0x00000000739D7000-memory.dmp

Filesize
7.1MB

Download
memory/4424-51-0x00000000732C0000-0x00000000739D7000-memory.dmp

Filesize
7.1MB

Download