smokeloader | 757768465a970aa74cdd702df6f5bf71615a036f1e01fc11d62c101f36647892

General

Target

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
Size

290KB
MD5

6db27327a2233d8ee11abbed6229604b
SHA1

feb1887bd6f9c0f84ed539be18d2812042d87e74
SHA256

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4
SHA512

a0fac0a468fbc7d4f4b9a03a2a5fb94ec90172f04805066250a6c2fbf322a149acba3ecfd4cfa6889218e0c51bcece9d26c355cf36d5f939cb828a7735d5c5bf
SSDEEP

6144:BecoZjpjdRLk/7Y8XOFPN8v9ntG/689RjObRXMA:B+ZjpRRA/7XOFPSvJq68fjObph

Score

10^/10

smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1408
Executes dropped EXE 2 IoCs

Processes:

5699.exe5C83.exe

pid process

1568 5699.exe
1472 5C83.exe

pid	process
1408

pid	process
1568	5699.exe
1472	5C83.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe

description	pid	process	target process
PID 2916 set thread context of 2480	2916	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe

pid	process
2480	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
2480	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe

pid process

2480 ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1408
1408
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1408
1408

pid	process
1408
1408

pid	process
1408
1408

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe

description	pid	process	target process
PID 2916 wrote to memory of 2480	2916	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
PID 2916 wrote to memory of 2480	2916	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
PID 2916 wrote to memory of 2480	2916	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
PID 2916 wrote to memory of 2480	2916	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
PID 2916 wrote to memory of 2480	2916	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
PID 2916 wrote to memory of 2480	2916	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
PID 2916 wrote to memory of 2480	2916	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
PID 1408 wrote to memory of 1568	1408		5699.exe
PID 1408 wrote to memory of 1568	1408		5699.exe
PID 1408 wrote to memory of 1568	1408		5699.exe
PID 1408 wrote to memory of 1568	1408		5699.exe
PID 1408 wrote to memory of 1568	1408		5699.exe
PID 1408 wrote to memory of 1568	1408		5699.exe
PID 1408 wrote to memory of 1568	1408		5699.exe
PID 1408 wrote to memory of 1472	1408		5C83.exe
PID 1408 wrote to memory of 1472	1408		5C83.exe
PID 1408 wrote to memory of 1472	1408		5C83.exe
PID 1408 wrote to memory of 1472	1408		5C83.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
"C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
"C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2480

C:\Users\Admin\AppData\Local\Temp\5699.exe
C:\Users\Admin\AppData\Local\Temp\5699.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\AppData\Local\Temp\5C83.exe
C:\Users\Admin\AppData\Local\Temp\5C83.exe
1⤵
- Executes dropped EXE
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5699.exe
Filesize
5.0MB

MD5
10ef283264e5050eb40f465feabeea60

SHA1
5c2b60ad7c2089db827532fed6069bdf74b505f8

SHA256
6d45d61463e3521aa6d3d31bd7e953d38c6381c0e1b526dcb28c7f2786669eb6

SHA512
c4e4080840991a829b05c76a55f6da6bffc9f618c7a1214d4d0b84e6e714d7b0e5646a99a5d92188f71801e6b7269069728f328d3a3b3fda577191372f399080

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C83.exe
Filesize
385KB

MD5
bdbfccc2b71c0d7f9de70aba81597b52

SHA1
ebb97f2a7fe51ff607a1d1b7557c995dd1cc275a

SHA256
082e8792e48e6ae0b16330f6bde833c42158ba2c9b75fad31ebc3d939f8a0042

SHA512
fba755745e82b6acd1e74e15ce9bc729a9b0e85bbb1975959c1b5d7ab1e6859efc715de87c3f4b6ef4bb21a25d9246142e96323cfc5d732ae6007b4690dcd417

Download Submit
memory/1408-7-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1472-26-0x0000000000010000-0x0000000000076000-memory.dmp

Filesize
408KB

Download
memory/1472-29-0x0000000000010000-0x0000000000076000-memory.dmp

Filesize
408KB

Download
memory/2480-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2480-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2480-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2916-2-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2916-3-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads