Overview

overview

10

Static

static

3

3db942a351...de.exe

windows7-x64

10

3db942a351...de.exe

windows10-2004-x64

10

Resubmissions

16-02-2024 03:57

240216-eh6exage7x 10

15-02-2024 04:48

240215-ffgjfahe94 10

Analysis

  • max time kernel
    60s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2024 03:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3db942a351d54b698e9836bb4a6fd9ddd0ae96e90033549f9f12517a25bf3ede.exe

  • Size

    286KB

  • MD5

    b70a1bd49d4133d98946486d4ec6bb36

  • SHA1

    9feed9636e3a411bd1d2a3e80e713fe53376d9c4

  • SHA256

    3db942a351d54b698e9836bb4a6fd9ddd0ae96e90033549f9f12517a25bf3ede

  • SHA512

    880b427c04cd532f7f49f496c5fb1f3a4244757deff6495c2b20d7b19631dd296a9a04ae968d9f3d51f3b022ea4c4d16a57e7c2a215c9a0b053b96dcfb290441

  • SSDEEP

    3072:ufWRCy/dqG9gUvXg+CqJixR0/IJJQ79eh8o8EskJw64QO1N3:uCCy/PJZKWIJJL5j1O1N

Score
10/10
smokeloaderpub1backdoortrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3db942a351d54b698e9836bb4a6fd9ddd0ae96e90033549f9f12517a25bf3ede.exe
    "C:\Users\Admin\AppData\Local\Temp\3db942a351d54b698e9836bb4a6fd9ddd0ae96e90033549f9f12517a25bf3ede.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3428-4-0x0000000002160000-0x0000000002176000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4744-2-0x0000000002DA0000-0x0000000002DAB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4744-1-0x0000000002E70000-0x0000000002F70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4744-3-0x0000000000400000-0x0000000002BF4000-memory.dmp

    Filesize

    40.0MB

    Download

  • memory/4744-5-0x0000000000400000-0x0000000002BF4000-memory.dmp

    Filesize

    40.0MB

    Download