Analysis
  max time kernel: 150s
  max time network: 127s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 09-03-2024 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: bbf158c96e0fba33331ee1a827d68a4e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bbf158c96e0fba33331ee1a827d68a4e.exe
  Resource: win10v2004-20240226-en
General
  Target: bbf158c96e0fba33331ee1a827d68a4e.exe
  Size: 273KB
  MD5: bbf158c96e0fba33331ee1a827d68a4e
  SHA1: 0d8d668ac0e69415ca76056d76b7a040037732f5
  SHA256: 6e5318326145c9caf6e20fa4c1861de5e6e137caaf4d61f3f8c4cea0fedd99ef
  SHA512: 08fef333a54a717cb4607ec89b499603ea90516202e1ec431e88d8dc765586961a9723dfc775878de79fa4a4d03acb8f17ebefe89d8831d3449c9c56f60dd440
  SSDEEP: 6144:anwT4fDmc3j3zM21LuxjZhY9KJKu7hRJRDNgV9AZVfU9T:RTaDmajM89cp9TRD6vN
Malware Config
  Extracted: smokeloader
    pub1
  Extracted: smokeloader
    2020
    http://aucmoney.com/upload/
    http://thegymmum.com/upload/
    http://atvcampingtrips.com/upload/
    http://kuapakualaman.com/upload/
    http://renatazarazua.com/upload/
    http://nasufmutlu.com/upload/
Signatures
  SmokeLoader
    Modular backdoor trojan in use since 2014.
  Deletes itself (1 IoC)
    pid   Process
    1208  Process not Found
  Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
    description     ioc                                               Process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bbf158c96e0fba33331ee1a827d68a4e.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bbf158c96e0fba33331ee1a827d68a4e.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bbf158c96e0fba33331ee1a827d68a4e.exe
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   Process
    2132  bbf158c96e0fba33331ee1a827d68a4e.exe
    2132  bbf158c96e0fba33331ee1a827d68a4e.exe
    1208  Process not Found (the remaining 62 entries of this 64-IoC list are identical and are not repeated here)
  Suspicious behavior: MapViewOfSection (1 IoC)
    pid   Process
    2132  bbf158c96e0fba33331ee1a827d68a4e.exe