Overview

overview

10

Static

static

3

d874c5f6b1...8c.exe

windows7-x64

10

d874c5f6b1...8c.exe

windows10-1703-x64

10

d874c5f6b1...8c.exe

windows10-2004-x64

10

d874c5f6b1...8c.exe

windows11-21h2-x64

10

Resubmissions

24-01-2025 23:30

250124-3hgcsatray 10

09-04-2024 08:35

240409-kg6xyaag48 10

09-04-2024 08:35

240409-kg2m8aea6s 10

09-04-2024 08:35

240409-kg12paag46 10

09-04-2024 08:35

240409-kg1qxsag45 10

23-02-2024 00:53

240223-a8rxzsha6z 10

22-02-2024 06:18

240222-g2y62sdc6x 10

Analysis

  • max time kernel
    1200s
  • max time network
    846s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-04-2024 08:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe

  • Size

    141KB

  • MD5

    3151d44dd03886e5f64f34481b116c81

  • SHA1

    ebef87d5fd54925493385fbff5ba4d175c046fbc

  • SHA256

    d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c

  • SHA512

    6ebcb293583a6858a023bf71a347783b788064f9415421503155e2f87426ff52d7881f2a680331d4332e4062153901295f4b92771a1afd527624bb15230bbcc6

  • SSDEEP

    3072:p13jvfNcgSRb5hPi9OTtA5HljuEa9ckZKD4Xxh:bTX2gSJL3t0HlyEa9cM

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe
    "C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2148
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {253EAB35-35A6-4E83-9007-C178298B02B5} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Roaming\idjuibc
      C:\Users\Admin\AppData\Roaming\idjuibc
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:860
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {10DC7AF6-8596-4890-98FF-CA6D82B230E1} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Users\Admin\AppData\Roaming\idjuibc
      C:\Users\Admin\AppData\Roaming\idjuibc
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\idjuibc
    Filesize

    141KB

    MD5

    3151d44dd03886e5f64f34481b116c81

    SHA1

    ebef87d5fd54925493385fbff5ba4d175c046fbc

    SHA256

    d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c

    SHA512

    6ebcb293583a6858a023bf71a347783b788064f9415421503155e2f87426ff52d7881f2a680331d4332e4062153901295f4b92771a1afd527624bb15230bbcc6

    Download Submit

  • memory/860-17-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/860-14-0x0000000000890000-0x0000000000990000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/860-15-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1208-4-0x0000000002A00000-0x0000000002A16000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1208-16-0x0000000002BA0000-0x0000000002BB6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1208-25-0x0000000002BC0000-0x0000000002BD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1764-23-0x00000000002D0000-0x00000000003D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1764-24-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1764-28-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2148-3-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2148-5-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2148-2-0x0000000000220000-0x000000000022B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2148-1-0x00000000008B0000-0x00000000009B0000-memory.dmp

    Filesize

    1024KB

    Download