smokeloader | aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e

Analysis

max time kernel
29s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e.exe
Size

2.9MB
MD5

e69948a6953a77464e92ac44fe945242
SHA1

d0b1569b0ca632defc74a6320658c0c1481f3ee1
SHA256

aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
SHA512

f14f8a41c2e5dad21908eae3494cc1db049e223b19186379256695825b9918813e4cd34d73f43eba36fdfbfff6608d50bf2b98dbd45f17c4b3136bc6087c2952
SSDEEP

49152:xcBhEwJ84vLRaBtIl9mVJUv0E5ZpAR7px2jOT+lp4wC/+nDVHrP7gvUQI0QBJ:xbCvLUBsgI0gZpU7pcOT+rL+4JbWUQ8

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Program crash 17 IoCs

pid	pid_target	Process	procid_target
3516	1384	WerFault.exe	59
1984	3216	WerFault.exe	44
3960	1384	WerFault.exe	59
888	1384	WerFault.exe	59
364	1384	WerFault.exe	59
1624	1384	WerFault.exe	59
2292	1384	WerFault.exe	59
4540	1384	WerFault.exe	59
3336	1384	WerFault.exe	59
3700	1384	WerFault.exe	59
3960	1384	WerFault.exe	59
4420	1384	WerFault.exe	59
3360	1384	WerFault.exe	59
4396	1384	WerFault.exe	59
1196	1384	WerFault.exe	59
364	1384	WerFault.exe	59
60	1384	WerFault.exe	59

C:\Users\Admin\AppData\Local\Temp\aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e.exe
"C:\Users\Admin\AppData\Local\Temp\aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e.exe"
1⤵
PID:5060
- C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\setup_install.exe"
  2⤵
  PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun213b31a7e71d4cf6d.exe
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21ab69e87d0.exe
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21dd3b887a3.exe
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun218856081dd1.exe
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 488
    3⤵
    - Program crash
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21688b2b2b63.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21caad43cbccfb.exe
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun21cfc7686a.exe
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun211972de1e.exe
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4876

C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\Sun211972de1e.exe
Sun211972de1e.exe
1⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\is-71C4R.tmp\Sun218856081dd1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-71C4R.tmp\Sun218856081dd1.tmp" /SL5="$40118,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\Sun218856081dd1.exe"
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3216 -ip 3216
1⤵
PID:4008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\Sun21caad43cbccfb.exe
Sun21caad43cbccfb.exe
1⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\Sun218856081dd1.exe
Sun218856081dd1.exe
1⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\Sun21ab69e87d0.exe
Sun21ab69e87d0.exe
1⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\Sun213b31a7e71d4cf6d.exe
Sun213b31a7e71d4cf6d.exe
1⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\Sun21dd3b887a3.exe
Sun21dd3b887a3.exe
1⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\Sun21688b2b2b63.exe
Sun21688b2b2b63.exe
1⤵
PID:1384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 824
  2⤵
  - Program crash
  PID:3516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 832
  2⤵
  - Program crash
  PID:3960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 876
  2⤵
  - Program crash
  PID:888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 884
  2⤵
  - Program crash
  PID:364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1036
  2⤵
  - Program crash
  PID:1624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1092
  2⤵
  - Program crash
  PID:2292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1524
  2⤵
  - Program crash
  PID:4540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1532
  2⤵
  - Program crash
  PID:3336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1660
  2⤵
  - Program crash
  PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1536
  2⤵
  - Program crash
  PID:3960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1528
  2⤵
  - Program crash
  PID:4420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1624
  2⤵
  - Program crash
  PID:3360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1796
  2⤵
  - Program crash
  PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1564
  2⤵
  - Program crash
  PID:1196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1532
  2⤵
  - Program crash
  PID:364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1028
  2⤵
  - Program crash
  PID:60

C:\Users\Admin\AppData\Local\Temp\7zS4C3CA0C7\Sun21cfc7686a.exe
Sun21cfc7686a.exe
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1384 -ip 1384
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1384 -ip 1384
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1384 -ip 1384
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1384 -ip 1384
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1384 -ip 1384
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1384 -ip 1384
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1384 -ip 1384
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1384 -ip 1384
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1384 -ip 1384
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1384 -ip 1384
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1384 -ip 1384
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1384 -ip 1384
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1384 -ip 1384
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1384 -ip 1384
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1384 -ip 1384
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1384 -ip 1384
1⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\E261.exe
C:\Users\Admin\AppData\Local\Temp\E261.exe
1⤵
PID:1208
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2476

C:\Users\Admin\AppData\Local\Temp\EBD8.exe
C:\Users\Admin\AppData\Local\Temp\EBD8.exe
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  2⤵
  PID:3308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-103-0x0000000000400000-0x0000000001D81000-memory.dmp

Filesize
25.5MB

Download
memory/636-95-0x0000000001DE0000-0x0000000001EE0000-memory.dmp

Filesize
1024KB

Download
memory/636-136-0x0000000000400000-0x0000000001D81000-memory.dmp

Filesize
25.5MB

Download
memory/636-96-0x0000000001DD0000-0x0000000001DD9000-memory.dmp

Filesize
36KB

Download
memory/972-78-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/972-108-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/972-158-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1208-192-0x0000000077434000-0x0000000077435000-memory.dmp

Filesize
4KB

Download
memory/1208-194-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/1208-197-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/1208-190-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/1208-188-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/1208-193-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1208-196-0x00000000026F0000-0x00000000026FC000-memory.dmp

Filesize
48KB

Download
memory/1208-191-0x0000000000950000-0x000000000095D000-memory.dmp

Filesize
52KB

Download
memory/1384-110-0x0000000000400000-0x0000000001DDD000-memory.dmp

Filesize
25.9MB

Download
memory/1384-162-0x0000000000400000-0x0000000001DDD000-memory.dmp

Filesize
25.9MB

Download
memory/1384-109-0x0000000001FF0000-0x00000000020F0000-memory.dmp

Filesize
1024KB

Download
memory/1384-106-0x0000000003A90000-0x0000000003B2D000-memory.dmp

Filesize
628KB

Download
memory/2476-225-0x0000000000360000-0x0000000000794000-memory.dmp

Filesize
4.2MB

Download
memory/2476-223-0x0000000000360000-0x0000000000794000-memory.dmp

Filesize
4.2MB

Download
memory/2584-161-0x00000000075F0000-0x0000000007601000-memory.dmp

Filesize
68KB

Download
memory/2584-164-0x0000000007620000-0x0000000007634000-memory.dmp

Filesize
80KB

Download
memory/2584-105-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2584-111-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/2584-117-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/2584-122-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-210-0x00007FF636BD0000-0x00007FF637295000-memory.dmp

Filesize
6.8MB

Download
memory/2584-203-0x00007FF636BD0000-0x00007FF637295000-memory.dmp

Filesize
6.8MB

Download
memory/2584-89-0x0000000005180000-0x00000000057A8000-memory.dmp

Filesize
6.2MB

Download
memory/2584-90-0x0000000072CC0000-0x0000000073470000-memory.dmp

Filesize
7.7MB

Download
memory/2584-125-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/2584-102-0x0000000005050000-0x0000000005072000-memory.dmp

Filesize
136KB

Download
memory/2584-169-0x0000000072CC0000-0x0000000073470000-memory.dmp

Filesize
7.7MB

Download
memory/2584-104-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2584-166-0x0000000007700000-0x0000000007708000-memory.dmp

Filesize
32KB

Download
memory/2584-165-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/2584-163-0x0000000007610000-0x000000000761E000-memory.dmp

Filesize
56KB

Download
memory/2584-84-0x0000000002A60000-0x0000000002A96000-memory.dmp

Filesize
216KB

Download
memory/2584-160-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/2584-126-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/2584-159-0x0000000007460000-0x000000000746A000-memory.dmp

Filesize
40KB

Download
memory/2584-152-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/2584-151-0x0000000007A80000-0x00000000080FA000-memory.dmp

Filesize
6.5MB

Download
memory/2584-138-0x0000000006670000-0x00000000066A2000-memory.dmp

Filesize
200KB

Download
memory/2584-150-0x0000000007350000-0x00000000073F3000-memory.dmp

Filesize
652KB

Download
memory/2584-133-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2584-149-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/2584-139-0x000000006E850000-0x000000006E89C000-memory.dmp

Filesize
304KB

Download
memory/3192-79-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/3192-83-0x00007FFD2C200000-0x00007FFD2CCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-97-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

Filesize
64KB

Download
memory/3192-179-0x00007FFD2C200000-0x00007FFD2CCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3216-128-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3216-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3216-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3216-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3216-127-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3216-50-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3216-131-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3216-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3216-130-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3216-129-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3216-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3216-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3216-45-0x0000000000ED0000-0x0000000000F5F000-memory.dmp

Filesize
572KB

Download
memory/3216-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3216-41-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3216-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3216-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3216-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3308-222-0x0000000073080000-0x0000000073797000-memory.dmp

Filesize
7.1MB

Download
memory/3520-134-0x0000000002DD0000-0x0000000002DE5000-memory.dmp

Filesize
84KB

Download
memory/3772-81-0x00000000005E0000-0x000000000060E000-memory.dmp

Filesize
184KB

Download
memory/3772-85-0x00007FFD2C200000-0x00007FFD2CCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-124-0x00007FFD2C200000-0x00007FFD2CCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-88-0x0000000000DB0000-0x0000000000DD0000-memory.dmp

Filesize
128KB

Download
memory/4396-107-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4396-157-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download