smokeloader | 64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd

General

Target

64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe
Size

273KB
MD5

a7a476d82ccf49fcc87bfe5dd5a395a5
SHA1

0daa3664b2f86c3af059ca0c867bb1f928c760a2
SHA256

64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd
SHA512

57bc1426b272bb79993f10587bcee0608d176e439b324354edd09099fe6a004cc91544893dc317192db92ba0d18d84be656c55acb1c9a4f934f9260442ee90e4
SSDEEP

6144:TEk00KpwnNeKgygYzRwtbhlcu2p77wmV:T90twnN3eiAaumV

Score

10^/10

smokeloader pub1 backdoor bootkit persistence trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

pid process

1180
Executes dropped EXE 4 IoCs

Processes:

B482.exework.exepodaw.exeB7BE.exe

pid process

2664 B482.exe
1236 work.exe
1964 podaw.exe
2332 B7BE.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exework.exe

pid process

1856 cmd.exe
1236 work.exe
1236 work.exe
1236 work.exe
1236 work.exe

pid	process
1180

pid	process
2664	B482.exe
1236	work.exe
1964	podaw.exe
2332	B7BE.exe

pid	process
1856	cmd.exe
1236	work.exe
1236	work.exe
1236	work.exe
1236	work.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe	vmprotect
behavioral1/memory/1964-81-0x0000000001330000-0x0000000001C21000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 drive.google.com
16 drive.google.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

B7BE.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 B7BE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
15	drive.google.com
16	drive.google.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	B7BE.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe

pid	process
2328	64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe
2328	64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

780 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe

pid process

2328 64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	1180
Token: SeShutdownPrivilege	1180
Token: SeShutdownPrivilege	1180
Token: SeShutdownPrivilege	1180
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe
Token: SeShutdownPrivilege	780	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

cmd.execmd.exeB482.execmd.exework.exe

description	pid	process	target process
PID 1180 wrote to memory of 2540	1180		cmd.exe
PID 1180 wrote to memory of 2540	1180		cmd.exe
PID 1180 wrote to memory of 2540	1180		cmd.exe
PID 2540 wrote to memory of 2024	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2024	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2024	2540	cmd.exe	reg.exe
PID 1180 wrote to memory of 3044	1180		cmd.exe
PID 1180 wrote to memory of 3044	1180		cmd.exe
PID 1180 wrote to memory of 3044	1180		cmd.exe
PID 3044 wrote to memory of 2472	3044	cmd.exe	reg.exe
PID 3044 wrote to memory of 2472	3044	cmd.exe	reg.exe
PID 3044 wrote to memory of 2472	3044	cmd.exe	reg.exe
PID 1180 wrote to memory of 2664	1180		B482.exe
PID 1180 wrote to memory of 2664	1180		B482.exe
PID 1180 wrote to memory of 2664	1180		B482.exe
PID 1180 wrote to memory of 2664	1180		B482.exe
PID 2664 wrote to memory of 1856	2664	B482.exe	cmd.exe
PID 2664 wrote to memory of 1856	2664	B482.exe	cmd.exe
PID 2664 wrote to memory of 1856	2664	B482.exe	cmd.exe
PID 2664 wrote to memory of 1856	2664	B482.exe	cmd.exe
PID 1856 wrote to memory of 1236	1856	cmd.exe	work.exe
PID 1856 wrote to memory of 1236	1856	cmd.exe	work.exe
PID 1856 wrote to memory of 1236	1856	cmd.exe	work.exe
PID 1856 wrote to memory of 1236	1856	cmd.exe	work.exe
PID 1236 wrote to memory of 1964	1236	work.exe	podaw.exe
PID 1236 wrote to memory of 1964	1236	work.exe	podaw.exe
PID 1236 wrote to memory of 1964	1236	work.exe	podaw.exe
PID 1236 wrote to memory of 1964	1236	work.exe	podaw.exe
PID 1180 wrote to memory of 2332	1180		B7BE.exe
PID 1180 wrote to memory of 2332	1180		B7BE.exe
PID 1180 wrote to memory of 2332	1180		B7BE.exe
PID 1180 wrote to memory of 2332	1180		B7BE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe
"C:\Users\Admin\AppData\Local\Temp\64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2328

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\63A3.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2024

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\73AB.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\B482.exe
C:\Users\Admin\AppData\Local\Temp\B482.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe"
4⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\Temp\B7BE.exe
C:\Users\Admin\AppData\Local\Temp\B7BE.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2332

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63A3.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\B482.exe
Filesize
6.1MB

MD5
9fb56dd5b5beb0b9c5d0102f22373c0b

SHA1
5559dc162d09c11c1ed80aedf8e9fa86fd531e4c

SHA256
a65b290aa9ebfb82746cf75440c19956169f48d7dcbebafde6996c9b46039539

SHA512
ab6c88acddf3350f4da37e20e38fc1bd4ac56433d5320fa071649ddf261cf1b6bb4692b54791e08e47b9e887a87ba5704afde6cb9aa9220c1da7f27c85400a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7BE.exe
Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
5.8MB

MD5
8eeea65d388106b4489d07e025e17fed

SHA1
96651968f724c7daec51e74476403899bc7bf8c2

SHA256
69efe73bf8f9669427fb25962d104fb63ae7a4fdb4fb2f0022c7541a72c8a2c3

SHA512
1c5966906a89b8e7e83bf382c382e5ece1cf6827e7ba7e4ab4fc0ba0c91284bf398bf4822c53aab250520f7ffde231090a9e44d11493b6be8921899fb6d944d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe
Filesize
5.5MB

MD5
125c7efdef3f11c70b514739b1bab646

SHA1
526560d1ff7636ea4f0404eb74f5da68f7eb8e23

SHA256
2ca04fad5b8a81264292bb9877cb9c1c9f7a484cd03815ec9bb686ddf70edefa

SHA512
e08218e2415a051b9b8b7e6d28e6822341227fc5256f418c22b2b39f6d3d89e763f58b77dbbdfc792f8a8a17870136be5757c736db1c98d3437e76500f768261

Download Submit
memory/1180-83-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1180-4-0x0000000002D80000-0x0000000002D96000-memory.dmp

Filesize
88KB

Download
memory/1964-78-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1964-81-0x0000000001330000-0x0000000001C21000-memory.dmp

Filesize
8.9MB

Download
memory/1964-80-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1964-76-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2328-5-0x0000000000400000-0x0000000001A10000-memory.dmp

Filesize
22.1MB

Download
memory/2328-1-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2328-3-0x0000000000400000-0x0000000001A10000-memory.dmp

Filesize
22.1MB

Download
memory/2328-2-0x00000000003A0000-0x00000000003AB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads