Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
-
submitted
14-01-2024 23:08
General
-
Target
toolspab2.exe
-
Size
207KB
-
MD5
38cb64fa3339058ae21850bb66b82279
-
SHA1
4ab731f54aec2b9a8c49bf5e38fe294e9745b604
-
SHA256
ef743dcfbc3b85460416d9708cd43452354c148b375ef94075aaa79207c6467b
-
SHA512
23ac1bfc8e21b879d347867e7a66af3a2b907265ce8fe415e6315ba7e1b9631c9c32d14b51e95e226661c1630f43d2d0e10e5d17705b9b6fe3200a3a1c13b3a7
-
SSDEEP
3072:JXNxFFqcLXdCOck2DLO5LE99KsIv3UVmi2nRpMqC3L4EkwAD:t3bqcLtL2LMMPa3UVxIyqCb41p
Malware Config
Extracted
smokeloader
pub2
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 6 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\FA3E.exeC:\Users\Admin\AppData\Local\Temp\FA3E.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\106.exeC:\Users\Admin\AppData\Local\Temp\106.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\uabgggsC:\Users\Admin\AppData\Roaming\uabgggs1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\uabgggsC:\Users\Admin\AppData\Roaming\uabgggs2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
575KB
MD5af4407851ed2a938677e0b9c673de2d8
SHA138fb83baabd8c656182c69f87a47d329943d63e3
SHA256f168fe9e6bb65d7a472d03d4ac01cbcaca6993ec8cf7d2f64b4313f409691158
SHA5127db8e96908f599aa76d8e7cf03243d8058ce0961262818a3c41cb1ba71f1590622c0e815858be8894adbcafee4093aaa7cde32ec3d1264e8ba27e13862891f6a
-
Filesize
319KB
MD5d6cb7c03cfc2cc3446fa05b18734582e
SHA1dd6a55ea856f7dd59907250e02b8a0f73186daa6
SHA256e0da68e5a56e52f93fef22eb8740c56b9456d9b895d7141989839e988cb87894
SHA512bc90ec1745e85d3893b699cfd5ba40e6285cc67a6788bd9de623a2d65ea9672f72e1f143d5b7de6326beab746129a04416ad2503d0d2b667e769d13dd10689c7
-
Filesize
201KB
MD567c6cbf32426f86fb1bd8aff0e91efaa
SHA16ffc81d1f2fe4bc1c4ae6c25d9117c62ea3fef1e
SHA2567adddba69e0cbf2c1f07ecb27b32d2d8056f070d87aad49381a656c93c023f27
SHA5123ec65c67af6bac80f354b30ba2a7379a83eb4e22ef13f44dda8f96f2ed192e9304d6834315a91e3330a43ebe6718af7e3f84a3e03e13c057859baa8e043f9def
-
Filesize
173KB
MD50ab3ba1ed71ead83643f9e5db0a72e91
SHA13813e438648df49753d5a7ba3d2243af6452f06d
SHA2561612f49a00c76b1da9363f5256bcafd5a8094f880ad44ad6e3dada0194d6a636
SHA512fed8732c157860218cae6fe0636443edc88268cdc6187bddbee92d8d02c7130d9951344fdbc298b855f583d1d9978ef55dd4e0833a4daa75195d0dace161deaa
-
Filesize
1.2MB
MD5839b8f58019dc0d4aee5bf692f536c35
SHA10e9d2d54e5961fd77de06b599378c3da433b7a21
SHA256df3fc7ac0148d935d0355a51fa10747cb45582f1b0bb196eac7f451d85a1b667
SHA51220a9acce17f56968d8311f63f74070a0feeebb22b2e9373d2256b1afa3da9f83f092eecba219f9a6ea7490e70959846c68cb128284d23db875f6b17b4deeef85
-
Filesize
882KB
MD54e43160997ef44acf43d6a9d43877130
SHA160b84402d3f57ee5318f866dd8638d0b8eeaad36
SHA256c7512927a09eed79f39042924ac80b80a00cfd008f19e5c876ff960c1b375ac7
SHA512e1e99bd7775ce5727984ed2b8978d21755db94cb23e9879ff55119a71348e1e74537d0fa3dfe498f9e7bc23a61a5b615686af0cad1bb31407a6f218aad18b3fa
-
Filesize
207KB
MD538cb64fa3339058ae21850bb66b82279
SHA14ab731f54aec2b9a8c49bf5e38fe294e9745b604
SHA256ef743dcfbc3b85460416d9708cd43452354c148b375ef94075aaa79207c6467b
SHA51223ac1bfc8e21b879d347867e7a66af3a2b907265ce8fe415e6315ba7e1b9631c9c32d14b51e95e226661c1630f43d2d0e10e5d17705b9b6fe3200a3a1c13b3a7
-
Filesize
990KB
MD58c7a66da0ce97eb314329a98f2f65d89
SHA1a23241e1882f6ef95f50ed72d8b6a65a7529be5f
SHA2562886ec1bdf94451d476e17e4ce6b900d1fee3b04e3001225fce4d497f5686671
SHA512a6fa0d2f3e0875415627b2f6663bee255dbdd7ba72c5d35d66fefe6188dadaf67171aac39e625e24c72ac3eacd6a7599fd4e7f076a9ca8dcefdc355e713a0caf
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
36KB