Malware Analysis Report

2025-01-02 04:51

Sample ID 240422-tfyplsdb52
Target abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d
SHA256 abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d
Tags
smokeloader backdoor persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d

Threat Level: Known bad

The file abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor persistence trojan

SmokeLoader

Deletes itself

Adds Run key to start application

Maps connected drives based on registry

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-22 16:00

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-22 16:00

Reported

2024-04-22 16:03

Platform

win7-20240220-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\explorer.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\iwerthja\\ibrgjitg.exe"
Process: C:\Windows\SysWOW64\explorer.exe
Target: N/A

Maps connected drives based on registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Process: C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Process: C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe
Target: N/A
(identical row repeated 64 times in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe

"C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
NL 23.62.61.144:80 www.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 72.246.173.187:443 www.microsoft.com tcp
NL 72.246.173.187:443 www.microsoft.com tcp
US 8.8.8.8:53 java.com udp
NL 23.62.61.137:80 java.com tcp
US 8.8.8.8:53 visualstudio.microsoft.com udp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
US 8.8.8.8:53 www.mozilla.org udp
GB 13.224.77.115:443 www.mozilla.org tcp
US 8.8.8.8:53 java.com udp
NL 23.62.61.137:80 java.com tcp
US 8.8.8.8:53 eeaglelifeaa23ol.com udp
NL 23.62.61.137:80 java.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 72.246.173.187:443 www.microsoft.com tcp
NL 72.246.173.187:443 www.microsoft.com tcp
US 8.8.8.8:53 visualstudio.microsoft.com udp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
US 8.8.8.8:53 java.com udp
NL 23.62.61.137:80 java.com tcp
US 8.8.8.8:53 www.videolan.org udp
FR 213.36.253.2:443 www.videolan.org tcp
NL 23.62.61.137:80 java.com tcp
US 8.8.8.8:53 eeaglelifebb23ahoo.com udp
US 8.8.8.8:53 visualstudio.microsoft.com udp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
US 8.8.8.8:53 support.microsoft.com udp
NL 72.246.172.127:443 support.microsoft.com tcp
NL 72.246.172.127:443 support.microsoft.com tcp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
BE 104.68.69.97:443 visualstudio.microsoft.com tcp
US 8.8.8.8:53 java.com udp
NL 23.62.61.163:80 java.com tcp

Files

memory/2088-1-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2088-0-0x0000000000240000-0x0000000000248000-memory.dmp

memory/2088-2-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2088-3-0x0000000000310000-0x000000000031A000-memory.dmp

memory/2088-4-0x0000000000310000-0x000000000031A000-memory.dmp

memory/2900-7-0x0000000000230000-0x00000000004B1000-memory.dmp

memory/2900-8-0x0000000000230000-0x00000000004B1000-memory.dmp

memory/2900-9-0x0000000000080000-0x000000000008A000-memory.dmp

memory/2900-11-0x0000000000080000-0x000000000008A000-memory.dmp

memory/2088-13-0x0000000000310000-0x000000000031A000-memory.dmp

memory/2900-20-0x0000000000080000-0x000000000008A000-memory.dmp

memory/2900-22-0x0000000000080000-0x000000000008A000-memory.dmp

memory/2900-24-0x0000000000080000-0x000000000008A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarD927.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d09b587ebd58f160a39f48e07a11a3c
SHA1 a3b1efdb1759ebd048d1a417af98e7c8666b852b
SHA256 357630b797c6ff4564d1df84a8242ad3d92855a68bc3615fe8b3a428c6de60ce
SHA512 72f2fde72a629a5b816963dd4ec69b27f55fe00c8079fe331f0ea580f02faddb7c3d7b212068919a55a537164eae90f45301215530fbd0bd1433d2c3de9aac8b

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-22 16:00

Reported

2024-04-22 16:03

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe

"C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3812 -ip 3812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 480

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 200.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3812-1-0x0000000000600000-0x0000000000601000-memory.dmp

memory/3812-0-0x0000000000550000-0x0000000000558000-memory.dmp