Overview

overview

10

Static

static

3

2adf458136...26.exe

windows7-x64

10

2adf458136...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11/01/2024, 20:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2adf4581364c32549d7b32826b88d7b7408214e91deee492ef3bdd846a42f526.exe

  • Size

    311KB

  • MD5

    5fb837c05b92590f5e23e89eff60d6a1

  • SHA1

    93595e218d3664d92055d60ef1753141e4fd053d

  • SHA256

    2adf4581364c32549d7b32826b88d7b7408214e91deee492ef3bdd846a42f526

  • SHA512

    2813c7643d984f3479bc83ebe04d92dcf285640e26e9cc60a9d742a193af4651bdfa43f595fdaee7f91c2b6c15147aec04eda876edf6cf3325fa52addf316346

  • SSDEEP

    3072:U8EGKLRYmuaZn29+DCxz+JwMom5WG5sKI36Fwj0:UljLRXuaZnIVMr6737

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2adf4581364c32549d7b32826b88d7b7408214e91deee492ef3bdd846a42f526.exe
    "C:\Users\Admin\AppData\Local\Temp\2adf4581364c32549d7b32826b88d7b7408214e91deee492ef3bdd846a42f526.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2336
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E437.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\E437.dll
      2⤵
      • Loads dropped DLL
      PID:2632

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\E437.dll
          Filesize

          1.2MB

          MD5

          d9a8b60dd12ff5956a225d7b1cdc538d

          SHA1

          88da81c1ae32cce79490e9177d6f54ba3fc7d5f4

          SHA256

          e0fdaa4098a318cd008cf444209fba633c8f3b09e63aeebac1f55a573baafd12

          SHA512

          9321aa96010e6021313afcc47558ed8b7294a1cc4934f5f1832903d69390bb88ff835194b72c7be8edbfe83121302f848f4d4addffd5b43c638da60078a33c9b

          Download Submit

        • \Users\Admin\AppData\Local\Temp\E437.dll
          Filesize

          650KB

          MD5

          4f77378b5acac0d6de4016dc2359968d

          SHA1

          24e8bf4278223adf0caa011aa5badff5286818ca

          SHA256

          fb401ac53f1f6038e60adedcb4814d5beb879604918e28649a8e2b9430719e30

          SHA512

          8372d9ccdccb99347a7e7e56e7ec7a32d31d6e574f26d756dd671c2193aafaca99d21743e7639b7d9542d702c1a4c67cfbed3fb6dc23bb2ce3201cd42a4ce5fe

          Download Submit

        • memory/1372-5-0x00000000025A0000-0x00000000025B6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2336-6-0x0000000000400000-0x0000000000870000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/2336-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2336-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2336-3-0x0000000000400000-0x0000000000870000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/2632-16-0x0000000010000000-0x0000000010227000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/2632-15-0x00000000000D0000-0x00000000000D6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2632-19-0x0000000002220000-0x000000000235D000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2632-20-0x0000000002360000-0x000000000247E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2632-23-0x0000000002360000-0x000000000247E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2632-21-0x0000000002360000-0x000000000247E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2632-24-0x0000000002360000-0x000000000247E000-memory.dmp

          Filesize

          1.1MB

          Download