Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
26-02-2024 23:56
Static task
static1
Behavioral task
behavioral1
Sample
636c32103ef487d1c30df530296f014b.exe
Resource
win7-20240220-en
General
-
Target
636c32103ef487d1c30df530296f014b.exe
-
Size
163KB
-
MD5
636c32103ef487d1c30df530296f014b
-
SHA1
f280007f3c78b0823d8978bec1c1cdf792bf5fc6
-
SHA256
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
-
SHA512
2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604
-
SSDEEP
3072:eQ37N6u0D0i+zGJKHZj+4M48iIp2WZnFzw0I:eK8u0Qi+yQHZEiIttw
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
Processes:
pid process 1092 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
636c32103ef487d1c30df530296f014b.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 636c32103ef487d1c30df530296f014b.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 636c32103ef487d1c30df530296f014b.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 636c32103ef487d1c30df530296f014b.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
636c32103ef487d1c30df530296f014b.exepid process 2552 636c32103ef487d1c30df530296f014b.exe 2552 636c32103ef487d1c30df530296f014b.exe 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 1092 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
636c32103ef487d1c30df530296f014b.exepid process 2552 636c32103ef487d1c30df530296f014b.exe