smokeloader | 1dfb7d09daa0bece4197d998a72acac7deebaf2ff54b4461667495a41240d0e8

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

toolspub1.exetoolspub1.exeteamviewer.exeteamviewer.exe

pid process

4528 toolspub1.exe
4528 toolspub1.exe
2016 teamviewer.exe
2016 teamviewer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 api.2ip.ua
37 api.2ip.ua
45 api.2ip.ua
173 ipinfo.io
174 ipinfo.io
264 ipinfo.io
265 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4528	toolspub1.exe
4528	toolspub1.exe
2016	teamviewer.exe
2016	teamviewer.exe

flow	ioc
36	api.2ip.ua
37	api.2ip.ua
45	api.2ip.ua
173	ipinfo.io
174	ipinfo.io
264	ipinfo.io
265	ipinfo.io

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exetoolspub1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

toolspub1.exetoolspub1.exe

pid process

4528 toolspub1.exe
4528 toolspub1.exe
4528 toolspub1.exe
4528 toolspub1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4363463463464363463463463.exe4363463463464363463463463.exe

description pid process

Token: SeDebugPrivilege 4324 4363463463464363463463463.exe
Token: SeDebugPrivilege 4324 4363463463464363463463463.exe

pid	process
4528	toolspub1.exe
4528	toolspub1.exe
4528	toolspub1.exe
4528	toolspub1.exe

description	pid	process
Token: SeDebugPrivilege	4324	4363463463464363463463463.exe
Token: SeDebugPrivilege	4324	4363463463464363463463463.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4363463463464363463463463.exe4363463463464363463463463.exe

description	pid	process	target process
PID 4324 wrote to memory of 4528	4324	4363463463464363463463463.exe	toolspub1.exe
PID 4324 wrote to memory of 4528	4324	4363463463464363463463463.exe	toolspub1.exe
PID 4324 wrote to memory of 4528	4324	4363463463464363463463463.exe	toolspub1.exe
PID 4324 wrote to memory of 4528	4324	4363463463464363463463463.exe	toolspub1.exe
PID 4324 wrote to memory of 4528	4324	4363463463464363463463463.exe	toolspub1.exe
PID 4324 wrote to memory of 4528	4324	4363463463464363463463463.exe	toolspub1.exe
PID 4324 wrote to memory of 2016	4324	4363463463464363463463463.exe	teamviewer.exe
PID 4324 wrote to memory of 2016	4324	4363463463464363463463463.exe	teamviewer.exe
PID 4324 wrote to memory of 2016	4324	4363463463464363463463463.exe	teamviewer.exe
PID 4324 wrote to memory of 2016	4324	4363463463464363463463463.exe	teamviewer.exe
PID 4324 wrote to memory of 2016	4324	4363463463464363463463463.exe	teamviewer.exe
PID 4324 wrote to memory of 2016	4324	4363463463464363463463463.exe	teamviewer.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4528

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4528

C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe"
2⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe"
2⤵
- Executes dropped EXE
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
Filesize
1.1MB

MD5
f02287181b17f939467c8070766aca73

SHA1
6fe4bfc708fc18fcaf3d78cd20de8ad195471973

SHA256
6cf069c7ba71018a8d8e785e390f55804f6530b26732b93ae6372ce173f69b96

SHA512
1bb2ed303fa1e2ba28982ed871915235caf1d56e4986a6675756963890aca0ef7151234d14f956fc307ecbaf3f0baffc3362dc6e3944d1a2a889a25ed81fa05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe
Filesize
216KB

MD5
70283026ba9695e80afb00878f717166

SHA1
abca68a17058029e300008cb2684d4500a45c137

SHA256
00a6fa5946f6ed917903e94e9338e3a0f28aaab139df06d98063930387bfe40b

SHA512
028cf25c18f984d5bbf1c71503e40ba31c0cf67ecd12094012a30e250cc8bf518a9152d4f7e11a39bb70d3d524370c89faf3307e9aa6f12a149ad5c64350b1f4

Download Submit
memory/4324-0-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/4324-2-0x0000000005240000-0x00000000052DC000-memory.dmp

Filesize
624KB

Download
memory/4324-2-0x0000000005240000-0x00000000052DC000-memory.dmp

Filesize
624KB

Download
memory/4324-1-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/4324-3-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/4324-3-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/4324-0-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/4324-1-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/4528-15-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download
memory/4528-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4528-14-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/4528-15-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download
memory/4528-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4528-14-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download

Resubmissions

Analysis

Sharing