smokeloader | ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf

General

Target

ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe
Size

222KB
MD5

96c60afa5c5265b8ddfe6471ef6eb984
SHA1

91a21892133e9bb9b3c9dbd15b07b4224bc0567c
SHA256

ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf
SHA512

72bb8a938b58bc6be3650a327c806bd401d36f0e7e9ff73ec0a4d4229e5b94160795ba85f7dfc5785f5cf71a68601e7cb52cec6c5058312e82d154d87c5214b0
SSDEEP

3072:41rDMnPimnYvPEkGF41EKJ/gqXJagCg5qfSVQP:45Yn6mQ8GvgqXwZ3KVQ

Score

10^/10

smokeloader pub3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1208
Executes dropped EXE 1 IoCs

Processes:

rtsiwrw

pid process

1936 rtsiwrw

pid	process
1208

pid	process
1936	rtsiwrw

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rtsiwrwae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtsiwrw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtsiwrw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtsiwrw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe

pid	process
1200	ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe
1200	ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exertsiwrw

pid process

1200 ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe
1936 rtsiwrw
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1208

description	pid	process
Token: SeShutdownPrivilege	1208

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2292 wrote to memory of 1936	2292	taskeng.exe	rtsiwrw
PID 2292 wrote to memory of 1936	2292	taskeng.exe	rtsiwrw
PID 2292 wrote to memory of 1936	2292	taskeng.exe	rtsiwrw
PID 2292 wrote to memory of 1936	2292	taskeng.exe	rtsiwrw

C:\Users\Admin\AppData\Local\Temp\ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe
"C:\Users\Admin\AppData\Local\Temp\ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1200

C:\Windows\system32\taskeng.exe
taskeng.exe {484EDACC-9EDD-414F-8EA0-29371A50FD18} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Roaming\rtsiwrw
C:\Users\Admin\AppData\Roaming\rtsiwrw
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rtsiwrw

Filesize
222KB

MD5
96c60afa5c5265b8ddfe6471ef6eb984

SHA1
91a21892133e9bb9b3c9dbd15b07b4224bc0567c

SHA256
ae4180e4445722038a31316c00548218d653508ef603e2052e954a55d3b2accf

SHA512
72bb8a938b58bc6be3650a327c806bd401d36f0e7e9ff73ec0a4d4229e5b94160795ba85f7dfc5785f5cf71a68601e7cb52cec6c5058312e82d154d87c5214b0

Download Submit
memory/1200-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1200-1-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1200-3-0x0000000000400000-0x0000000002C1A000-memory.dmp

Filesize
40.1MB

Download
memory/1200-5-0x0000000000400000-0x0000000002C1A000-memory.dmp

Filesize
40.1MB

Download
memory/1208-4-0x0000000003040000-0x0000000003056000-memory.dmp

Filesize
88KB

Download
memory/1208-16-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/1936-14-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1936-15-0x0000000000400000-0x0000000002C1A000-memory.dmp

Filesize
40.1MB

Download
memory/1936-17-0x0000000000400000-0x0000000002C1A000-memory.dmp

Filesize
40.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads