Overview

overview

10

Static

static

3

c14c3db734...57.exe

windows7-x64

10

c14c3db734...57.exe

windows10-1703-x64

10

c14c3db734...57.exe

windows10-2004-x64

10

c14c3db734...57.exe

windows11-21h2-x64

10

Resubmissions

09/04/2024, 07:26

240409-h9p4sahe34 10

09/04/2024, 07:25

240409-h8859scg41 10

09/04/2024, 07:25

240409-h8ydrshd88 10

09/04/2024, 07:24

240409-h8gq1shd78 10

04/02/2024, 03:55

240204-eha9rsbddj 10

Analysis

  • max time kernel
    1200s
  • max time network
    1165s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09/04/2024, 07:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c14c3db7340277d58f53d5ff4f28a67fda54636fdb9b07fba60992c9ed03ae57.exe

  • Size

    289KB

  • MD5

    982b330786cb34fd69849d9d7cb296a9

  • SHA1

    536c5f37004cd255cfbeff9330bf4d7f7795d87d

  • SHA256

    c14c3db7340277d58f53d5ff4f28a67fda54636fdb9b07fba60992c9ed03ae57

  • SHA512

    d9a943fb547d74acc2dc44fbf847729705426b2d81cf034daefdf680968a43defc2d1b9565a563e01cd7cdd7a9581527136018e573bb4516e861c3ede5562d70

  • SSDEEP

    3072:AfSJIG3VDgzl3rLJEBTdD96DttL2WHCfaTqCXyhZfLhaWblDmj3nnX7GHBrR4ulT:AnggFrLu5d96Dtt6Ww841kr7EBD5Fp6

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c14c3db7340277d58f53d5ff4f28a67fda54636fdb9b07fba60992c9ed03ae57.exe
    "C:\Users\Admin\AppData\Local\Temp\c14c3db7340277d58f53d5ff4f28a67fda54636fdb9b07fba60992c9ed03ae57.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4592
  • C:\Users\Admin\AppData\Roaming\ugjfrte
    C:\Users\Admin\AppData\Roaming\ugjfrte
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:2308
  • C:\Users\Admin\AppData\Roaming\ugjfrte
    C:\Users\Admin\AppData\Roaming\ugjfrte
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:388

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ugjfrte
          Filesize

          289KB

          MD5

          982b330786cb34fd69849d9d7cb296a9

          SHA1

          536c5f37004cd255cfbeff9330bf4d7f7795d87d

          SHA256

          c14c3db7340277d58f53d5ff4f28a67fda54636fdb9b07fba60992c9ed03ae57

          SHA512

          d9a943fb547d74acc2dc44fbf847729705426b2d81cf034daefdf680968a43defc2d1b9565a563e01cd7cdd7a9581527136018e573bb4516e861c3ede5562d70

          Download Submit

        • memory/388-28-0x0000000000400000-0x00000000007D1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/388-24-0x0000000000400000-0x00000000007D1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/388-23-0x0000000000A50000-0x0000000000B50000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2308-19-0x0000000000400000-0x00000000007D1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/2308-14-0x0000000000A00000-0x0000000000B00000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2308-15-0x0000000000400000-0x00000000007D1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/3236-16-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3236-4-0x0000000000B30000-0x0000000000B46000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3236-25-0x0000000002960000-0x0000000002976000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-5-0x0000000000400000-0x00000000007D1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4592-1-0x0000000000960000-0x0000000000A60000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4592-3-0x0000000000400000-0x00000000007D1000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4592-2-0x00000000008E0000-0x00000000008EB000-memory.dmp

          Filesize

          44KB

          Download