smokeloader | 17d15c3e994b704c8b11393ee9e83dc7ecc3cdfd981820501beaf98c6e34cc94

General

Target

toolspub2.exe
Size

203KB
MD5

d9077796101f063d05d1b18ef03639d8
SHA1

035d12383b9bcdbba8393fa643a375a19cbab559
SHA256

17d15c3e994b704c8b11393ee9e83dc7ecc3cdfd981820501beaf98c6e34cc94
SHA512

c79350993ced4a8e18b071e866a69b664143e35c5f6704afe4ff5f70437522d90722b29f0fd9bf6c66ddd331c5ebc65378915a3de062fd26ae213fbb252ac2ad
SSDEEP

3072:pfUB/bLaZdXUNc8iirJiM21K7uLX6Qn+62oM42fL4iBNkRDxs+cmH:pfUVclVrXpbGEx7co

Score

10^/10

smokeloader up3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3200
Executes dropped EXE 3 IoCs

Processes:

E416.exeEACE.exeWindowsUpdater.exe

pid process

4700 E416.exe
4572 EACE.exe
988 WindowsUpdater.exe
Loads dropped DLL 2 IoCs

Processes:

WindowsUpdater.exe

pid process

988 WindowsUpdater.exe
988 WindowsUpdater.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3200

pid	process
4700	E416.exe
4572	EACE.exe
988	WindowsUpdater.exe

pid	process
988	WindowsUpdater.exe
988	WindowsUpdater.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\EACE.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\EACE.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub2.exe

pid	process
3168	toolspub2.exe
3168	toolspub2.exe
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspub2.exe

pid process

3168 toolspub2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3200
Token: SeCreatePagefilePrivilege 3200

description	pid	process
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EACE.exe

description	pid	process	target process
PID 3200 wrote to memory of 4700	3200		E416.exe
PID 3200 wrote to memory of 4700	3200		E416.exe
PID 3200 wrote to memory of 4700	3200		E416.exe
PID 3200 wrote to memory of 4572	3200		EACE.exe
PID 3200 wrote to memory of 4572	3200		EACE.exe
PID 3200 wrote to memory of 4572	3200		EACE.exe
PID 4572 wrote to memory of 988	4572	EACE.exe	WindowsUpdater.exe
PID 4572 wrote to memory of 988	4572	EACE.exe	WindowsUpdater.exe
PID 4572 wrote to memory of 988	4572	EACE.exe	WindowsUpdater.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3168

C:\Users\Admin\AppData\Local\Temp\E416.exe
C:\Users\Admin\AppData\Local\Temp\E416.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Users\Admin\AppData\Local\Temp\EACE.exe
C:\Users\Admin\AppData\Local\Temp\EACE.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E416.exe

Filesize
360KB

MD5
80c413180b6bd0dd664adc4e0665b494

SHA1
e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

SHA256
6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

SHA512
347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EACE.exe

Filesize
256KB

MD5
5a95006638b26b5a857faf785cf94723

SHA1
2722e87790d79e528dd844b1a10d191c77cbdab9

SHA256
8c1fe54e9af5fb0ff82069bac2e2d8f58d0e8552819eaa9b0aead9c02b325d3d

SHA512
ced59d0b7e8bbcc7e1ded3259e09a6a44d61e241285395d16fb2e19fa83f43cf078d74639de6e5fdffa310422967825cdb577cce7d2dcb22c50c9edf2b2c23da

Download Submit
C:\Users\Admin\AppData\Local\Temp\EACE.exe

Filesize
3.3MB

MD5
22d1b3692ae508c3a023a378be956e8e

SHA1
14b543f326990a71f1e705c01d2632d476ca580b

SHA256
8d36bda8277233d022aab4872b704b9a8646aa9d8d744f0846ca64e552865a6a

SHA512
b3a0fdd2cb173eaaef120d78719eec1f07c6cb927738ef19f8252ab43d74d16e2d3f2c05e6082c933736e1c7dd370f07bea49358017ee4665ac25dd010a9ee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

Filesize
1.5MB

MD5
ab86412fd6449e5a0c7553f2a6526ab0

SHA1
bb3e608ac313b1f4a900036fdddadfa703888e88

SHA256
1049cdbb24038bb843ba51a7e229983526411aa6fa15921175a3451acab4ba98

SHA512
4925e1c482462f81dd84438ddc49f62c4d8d7b1d5e43e1b37b3af3af0d0cbffb527d2abec3c4627d9d56ff7fd18dcffcb45dcc90d1478647aca55b70edd9b338

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

Filesize
1.4MB

MD5
012e22c1f736722bcdd8acb67a319915

SHA1
69045d817bf6fbacf2758d11c38e3389a3556720

SHA256
ef82dec62feb5ee70a012af9a4c7320c3432360be16e0372ecdb0bda2d32d416

SHA512
0675e5f4b204bbe5ac9ab3244827256969fb47d08ecce1afb1d502c906e5adc54f0e359a38eb23336991c306aa8c6dacae02b2476fa5fa1e2b5ddd0deacd384a

Download Submit
\Users\Admin\AppData\Local\Temp\lib.dll

Filesize
1.4MB

MD5
0660e9b1bb9b087a3de68429449e8eb4

SHA1
61362592cbcbe42b44e4e33664602c5686d96f48

SHA256
c82819d0d21f5e719b40486ba85f97cfdde950905a722ddb8dae62cbafde9221

SHA512
6f345ca917392a0c24d10d05ce44974a8c97bb3d5fadf49f4d46061e10c8a012e6768df932b774ab29c3062928122d56d5e41105450ab5efac0c0013ad942722

Download Submit
\Users\Admin\AppData\Local\Temp\nsvEE0A.tmp\System.dll

Filesize
12KB

MD5
dd87a973e01c5d9f8e0fcc81a0af7c7a

SHA1
c9206ced48d1e5bc648b1d0f54cccc18bf643a14

SHA256
7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

SHA512
4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

Download Submit
memory/988-37-0x00000000739B0000-0x00000000740C7000-memory.dmp

Filesize
7.1MB

Download
memory/988-36-0x00000000739B0000-0x00000000740C7000-memory.dmp

Filesize
7.1MB

Download
memory/3168-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3168-1-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/3168-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3168-2-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/3200-4-0x00000000012F0000-0x0000000001306000-memory.dmp

Filesize
88KB

Download
memory/4572-24-0x0000000000E20000-0x00000000013B6000-memory.dmp

Filesize
5.6MB

Download
memory/4572-20-0x0000000000E20000-0x00000000013B6000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads