smokeloader | 71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77

General

Target

71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
Size

188KB
MD5

af3b9efe0035c9d1c99108fac6de59c3
SHA1

0d361de127c6968bcaad50968669a4bbf664b836
SHA256

71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77
SHA512

3d376f11035ea55cff7f620adcaf06d49886f0f20d2d03c05a8f9481f94dd8c34003b7f0447971aa030d022f2064ca372050fa54cbed07fed0c4206f03209640
SSDEEP

3072:tKIvqnajYLLYnJFi8kVHx6L1f8A/+GYx4i:thqnajYLLEnKV8L1f//+0

Score

10^/10

smokeloader pub3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1208
Executes dropped EXE 1 IoCs

Processes:

sfssdvs

pid process

2640 sfssdvs

pid	process
1208

pid	process
2640	sfssdvs

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sfssdvs71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfssdvs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfssdvs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfssdvs

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe

pid	process
1708	71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
1708	71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exesfssdvs

pid process

1708 71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
2640 sfssdvs
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1208
1208
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1208
1208

pid	process
1208
1208

pid	process
1208
1208

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2856 wrote to memory of 2640	2856	taskeng.exe	sfssdvs
PID 2856 wrote to memory of 2640	2856	taskeng.exe	sfssdvs
PID 2856 wrote to memory of 2640	2856	taskeng.exe	sfssdvs
PID 2856 wrote to memory of 2640	2856	taskeng.exe	sfssdvs

C:\Users\Admin\AppData\Local\Temp\71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
"C:\Users\Admin\AppData\Local\Temp\71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1708

C:\Windows\system32\taskeng.exe
taskeng.exe {5A61906E-F9B9-450A-B62E-7AC5072697CB} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Roaming\sfssdvs
C:\Users\Admin\AppData\Roaming\sfssdvs
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sfssdvs
Filesize
188KB

MD5
af3b9efe0035c9d1c99108fac6de59c3

SHA1
0d361de127c6968bcaad50968669a4bbf664b836

SHA256
71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77

SHA512
3d376f11035ea55cff7f620adcaf06d49886f0f20d2d03c05a8f9481f94dd8c34003b7f0447971aa030d022f2064ca372050fa54cbed07fed0c4206f03209640

Download Submit
memory/1208-4-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/1208-17-0x0000000002C20000-0x0000000002C36000-memory.dmp

Filesize
88KB

Download
memory/1708-1-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/1708-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1708-3-0x0000000000400000-0x0000000002B58000-memory.dmp

Filesize
39.3MB

Download
memory/1708-5-0x0000000000400000-0x0000000002B58000-memory.dmp

Filesize
39.3MB

Download
memory/1708-8-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2640-15-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2640-16-0x0000000000400000-0x0000000002B58000-memory.dmp

Filesize
39.3MB

Download
memory/2640-18-0x0000000000400000-0x0000000002B58000-memory.dmp

Filesize
39.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads