smokeloader | e6e106a5206be28f2b76c0190d3c1ba85d4f4bf759babd66c64d9a17a4219ddb

Analysis

max time kernel
121s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55cc830f41f9e74fbcfe2259d304c99b.exe
Size

312KB
MD5

55cc830f41f9e74fbcfe2259d304c99b
SHA1

f72fd071a6df30d6b0f145463ed4fe2f7d248e2b
SHA256

e6e106a5206be28f2b76c0190d3c1ba85d4f4bf759babd66c64d9a17a4219ddb
SHA512

293f62b48bda53c1d575636d30813cbb49865ee0d67302c001db3b1fec1de22a8fd2ae3945eca10903e15ee579e5ca22599fb8fb5a03594f593144c36c3aa131
SSDEEP

3072:rjEaOZ+J2LBo0V/NqF4wDa98Egq4IlmWUkbKUGn9zSw5n2iT9BARTYFkc:rSZ/LS0xNKr+9vdlm6bKUGnZnT3Fk

Score

10^/10

smokeloader vidar zgrat autm backdoor rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://legdfls2369.com/index.php

http://fpodsp0532xc.com/index.php

http://gucc352093520.com/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

autm

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/5028-69-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral2/memory/5028-82-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral2/memory/5028-74-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023342-15.dat	family_zgrat_v1
behavioral2/files/0x0007000000023342-14.dat	family_zgrat_v1
behavioral2/memory/4004-17-0x0000000000E70000-0x000000000125E000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000900000002311d-22.dat	family_zgrat_v1
behavioral2/memory/2092-23-0x0000000000940000-0x0000000000CF8000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000900000002311d-21.dat	family_zgrat_v1

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 6 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0007000000023342-15.dat	net_reactor
behavioral2/files/0x0007000000023342-14.dat	net_reactor
behavioral2/memory/4004-17-0x0000000000E70000-0x000000000125E000-memory.dmp	net_reactor
behavioral2/files/0x000900000002311d-22.dat	net_reactor
behavioral2/memory/2092-23-0x0000000000940000-0x0000000000CF8000-memory.dmp	net_reactor
behavioral2/files/0x000900000002311d-21.dat	net_reactor

Deletes itself 1 IoCs

pid	Process
3596	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
4004	162E.exe
2092	4B39.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4252	3640	WerFault.exe	112
884	3640	WerFault.exe	112

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	55cc830f41f9e74fbcfe2259d304c99b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	55cc830f41f9e74fbcfe2259d304c99b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	55cc830f41f9e74fbcfe2259d304c99b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	55cc830f41f9e74fbcfe2259d304c99b.exe
1672	55cc830f41f9e74fbcfe2259d304c99b.exe
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1672	55cc830f41f9e74fbcfe2259d304c99b.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3596	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4004	3596	Process not Found	108
PID 3596 wrote to memory of 4004	3596	Process not Found	108
PID 3596 wrote to memory of 4004	3596	Process not Found	108
PID 3596 wrote to memory of 2092	3596	Process not Found	109
PID 3596 wrote to memory of 2092	3596	Process not Found	109
PID 3596 wrote to memory of 2092	3596	Process not Found	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\55cc830f41f9e74fbcfe2259d304c99b.exe
"C:\Users\Admin\AppData\Local\Temp\55cc830f41f9e74fbcfe2259d304c99b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1672

C:\Users\Admin\AppData\Local\Temp\162E.exe
C:\Users\Admin\AppData\Local\Temp\162E.exe
1⤵
- Executes dropped EXE
PID:4004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1036
    3⤵
    - Program crash
    PID:4252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 608
    3⤵
    - Program crash
    PID:884

C:\Users\Admin\AppData\Local\Temp\4B39.exe
C:\Users\Admin\AppData\Local\Temp\4B39.exe
1⤵
- Executes dropped EXE
PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:5028

C:\Users\Admin\AppData\Local\Temp\7140.exe
C:\Users\Admin\AppData\Local\Temp\7140.exe
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3640 -ip 3640
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3640 -ip 3640
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\162E.exe

Filesize
218KB

MD5
5665fcbdb71982c6d0ed4e7bcd3aead0

SHA1
e76a1086bd7a614a0acbc78b5f0011c9c5ff9ac3

SHA256
ef5c59ca42f0211f9b7460b38fa623914308fb9785af95fdafa367b1a258ecb3

SHA512
f03224dc437868f204d5c2c7484fc509d1b39c151fb1e55233d7269afffcf9f1e4f3054818563be8b6f17447f307d038b231ee5995105880a248578f02b26a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\162E.exe

Filesize
208KB

MD5
6d327e2052750b8a1f08919c27c319af

SHA1
0334cfdc92acf01b449d9a5c8b5f3ea112dd4d40

SHA256
1ead06037c21d4434942c1b326f277f2e25fea4e9bc20248175d26c29e466888

SHA512
9792b0467efcac932e5f69a3c3f292f4ce34c40cdec57a4b14b4945421d7881d7ac731b63863646b3957e3e6b476081df91ef7ff81ccaa000660b73e2a6cd99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B39.exe

Filesize
117KB

MD5
82b5c2a949f6e23e219c90cb34629d92

SHA1
16d90bcb440947467c581b2b7b50fd0be0c9961c

SHA256
06ffaf357616a55edfb19e5086de130f7df921e3bf6235aa24fd50a20e6bcd77

SHA512
beffd2652ca3c8b18fe525b164e7472afdf996c7df39290f87f059aed9329c2f450281595ca50c00b5932cfd9d2fd1d4a1f0d992e856b97f67385fa0a6968849

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B39.exe

Filesize
64KB

MD5
6230879d980abbee1f5e9ebb11d3c137

SHA1
a3592f8929a54c5937076665b8f16517da36973c

SHA256
85ee46e39411cbf90ea9bf421b02181cc5fdbb9b05b9240a595cf351f0040105

SHA512
79e522a0f487229d66ca708c3e9f803e20c8c791d492681c7504cb2c5145d71d8c23b3b39a5ccb78fe06d252b58329db698dcda4fb5439c93aea2fed6097a619

Download Submit
C:\Users\Admin\AppData\Local\Temp\7140.exe

Filesize
55KB

MD5
5aa36bf547279a1510e7a38fbaf12947

SHA1
f59edbabbe02f6a4b4bc8e1dd3629fe66b153268

SHA256
e7b49149f688e9e51c9f54fcc62e355fc006c86591f477a27c40ae71d37322c4

SHA512
45e462f73247e6ab865bb979ec644dfd70011261b4a0a41e0ddb4e47b5d0a94bd5dcbef5a8f33ad9ec8227938705656865d476e0b86fa108967681f99634792c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7140.exe

Filesize
148KB

MD5
93bdf4b7a3299c815a9495e7f48b937d

SHA1
e527126266a9baeb25db43ce4e3ad15856e887a6

SHA256
a1f7ad060b973631fdf4dfd19bf8b7949ee4586d103fa61ab0724560db4a20a0

SHA512
00cdd0e569ccdc11317f431f612e356bf8d618cba81aff7f23313cb77f280e11936cf859afdb73ad37fd8cc4c165b9132811d20f0f846366121173859c4cb7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
92KB

MD5
e7e93c800f74b84706a6cf60844e8e03

SHA1
24fa13318c0393f37d632e41cf7eebf4ed1cf826

SHA256
80e2132f3e5b995b1128cb69991f0f02f01fb5b9323cf9b275b3b71b98805b46

SHA512
bbc9367dba2618c5ffb4f20a301d4637e9326d42786472eb034b71a12be83635c70f8d4779ff454aa5c91ae63fd191ef90f17d60bb98bba358530bc287faa6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
1KB

MD5
f18b89b657eb57c4d584b80dae322eca

SHA1
d4a6290f22c6439b3beabe99e31b9acfe4df9a6e

SHA256
21db171f73a43bfec7253e56348e0591196de5276e9203f21d8cbcb39758ab29

SHA512
5ef018041965e67dd6719ca358ed45f0fbafdee2e4e5535c2353f270e03753c64ed6765f57f1c4ecfbeac13acbdd87ee1687f8772d84ebdc95611232ad60168b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
17KB

MD5
565c4597e8709a4f43ca04dbdfebaec1

SHA1
a7520b89be6bd34b3d45f519015751caf7d54c22

SHA256
6cb29eb5cfad358ce78ad9ad3255e5cd1bf940e4422d2cec267292bfed8e1408

SHA512
b63700cb07fcf5d38cf902b23dd8d2446eef32c5c95873cd54e5c62a754f29dd353bfeb67dc87bd183703b8f2da8cf96099c1005be5831137c07bc9de05c4396

Download Submit
C:\Users\Admin\AppData\Roaming\urhjvdr

Filesize
28KB

MD5
5204745f9bbe97707ea688ea3f22834b

SHA1
9fe7c05b86b5d5b2f7667f4e51801d6b24b1fd26

SHA256
7d973963c56b260a00e1fb0ac8995ab944192039da3eab8a75a92d1dff240cc6

SHA512
55f3e16a2fe8bbadb6ca2c6457962c5926017c68f1d9820fe64cee78739acbff50c7bb4f08914efc7d391af3da6fb0bb16b24a2a6614119aed53b3fe07a6c3a6

Download Submit
memory/1672-3-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1672-6-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1672-1-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/1672-2-0x0000000002470000-0x000000000247B000-memory.dmp

Filesize
44KB

Download
memory/1672-4-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1996-58-0x0000000000A70000-0x0000000000B70000-memory.dmp

Filesize
1024KB

Download
memory/1996-59-0x0000000000A10000-0x0000000000A1B000-memory.dmp

Filesize
44KB

Download
memory/1996-60-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1996-67-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/2092-79-0x0000000007190000-0x0000000007290000-memory.dmp

Filesize
1024KB

Download
memory/2092-62-0x0000000005A30000-0x0000000005C0A000-memory.dmp

Filesize
1.9MB

Download
memory/2092-75-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2092-77-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2092-78-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2092-84-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2092-73-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2092-71-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2092-24-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2092-80-0x0000000007190000-0x0000000007290000-memory.dmp

Filesize
1024KB

Download
memory/2092-23-0x0000000000940000-0x0000000000CF8000-memory.dmp

Filesize
3.7MB

Download
memory/2092-57-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/2092-70-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2092-76-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2092-81-0x0000000007190000-0x0000000007290000-memory.dmp

Filesize
1024KB

Download
memory/3596-5-0x0000000001DD0000-0x0000000001DE6000-memory.dmp

Filesize
88KB

Download
memory/3596-63-0x0000000001E20000-0x0000000001E36000-memory.dmp

Filesize
88KB

Download
memory/3640-54-0x0000000000F90000-0x0000000000FC2000-memory.dmp

Filesize
200KB

Download
memory/3640-56-0x0000000000F90000-0x0000000000FC2000-memory.dmp

Filesize
200KB

Download
memory/3640-55-0x0000000000F90000-0x0000000000FC2000-memory.dmp

Filesize
200KB

Download
memory/3640-53-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3640-51-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3640-86-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3640-45-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4004-41-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/4004-46-0x0000000007990000-0x0000000007A90000-memory.dmp

Filesize
1024KB

Download
memory/4004-40-0x0000000005D40000-0x0000000005D50000-memory.dmp

Filesize
64KB

Download
memory/4004-44-0x0000000007990000-0x0000000007A90000-memory.dmp

Filesize
1024KB

Download
memory/4004-18-0x0000000005C60000-0x0000000005CFC000-memory.dmp

Filesize
624KB

Download
memory/4004-48-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/4004-52-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4004-17-0x0000000000E70000-0x000000000125E000-memory.dmp

Filesize
3.9MB

Download
memory/4004-50-0x0000000007990000-0x0000000007A90000-memory.dmp

Filesize
1024KB

Download
memory/4004-39-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/4004-43-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/4004-42-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/4004-16-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4004-33-0x0000000007520000-0x00000000076B2000-memory.dmp

Filesize
1.6MB

Download
memory/4004-32-0x00000000061D0000-0x00000000063F4000-memory.dmp

Filesize
2.1MB

Download
memory/4004-26-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4004-31-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/5028-74-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/5028-82-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/5028-69-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download