smokeloader | 4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d

General

Target

4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe
Size

1.6MB
MD5

7a1a1ef5364d1de84ccda20479a6be66
SHA1

4141826fdaf7c15e6ee2f23ea0bdc2c5ef1e09ae
SHA256

4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d
SHA512

7d2cf5b4894af33c56497883b6dc9d0d69ce6beb7bc6615ee2ad0b3bf1467b4e6080ca570cacd112dd011e2764b0bd663a3d05d0a72462cbbbbf49a05a7cca36
SSDEEP

24576:kmZ+I9s6x+YxgS7WvwCB06006XU6DixBQuGmTm:kmZ+Iqyri2NCBL6XU6mbQrm

Score

10^/10

smokeloader zgrat pub3 backdoor rat spyware trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1176-16-0x0000000000400000-0x00000000004B4000-memory.dmp	family_zgrat_v1

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

Processes:

4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exeAddInProcess32.exe

description	pid	process	target process
PID 500 set thread context of 3156	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 set thread context of 2088	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 3156 set thread context of 1176	3156	AddInProcess32.exe	InstallUtil.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AddInProcess32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AddInProcess32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exeAddInProcess32.exeInstallUtil.exe

pid	process
500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe
500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe
3156	AddInProcess32.exe
3156	AddInProcess32.exe
3156	AddInProcess32.exe
3156	AddInProcess32.exe
1176	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exeAddInProcess32.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe
Token: SeDebugPrivilege	3156	AddInProcess32.exe
Token: SeDebugPrivilege	1176	InstallUtil.exe
Token: SeBackupPrivilege	1176	InstallUtil.exe
Token: SeSecurityPrivilege	1176	InstallUtil.exe
Token: SeSecurityPrivilege	1176	InstallUtil.exe
Token: SeSecurityPrivilege	1176	InstallUtil.exe
Token: SeSecurityPrivilege	1176	InstallUtil.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exeAddInProcess32.exe

description	pid	process	target process
PID 500 wrote to memory of 3156	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 3156	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 3156	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 3156	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 3156	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 3156	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 3156	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 3156	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 2088	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 2088	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 2088	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 2088	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 2088	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 500 wrote to memory of 2088	500	4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe	AddInProcess32.exe
PID 3156 wrote to memory of 4000	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 4000	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 4000	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 4000	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 4000	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 4000	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 4000	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 4000	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 1176	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 1176	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 1176	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 1176	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 1176	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 1176	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 1176	3156	AddInProcess32.exe	InstallUtil.exe
PID 3156 wrote to memory of 1176	3156	AddInProcess32.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe
"C:\Users\Admin\AppData\Local\Temp\4a312d9b5d2ad81ce5da704369f201268fda30a8274136c3595767203e463e9d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Checks SCSI registry key(s)
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-0-0x00007FFC97260000-0x00007FFC9743B000-memory.dmp

Filesize
1.9MB

Download
memory/500-1-0x0000000000330000-0x00000000004D4000-memory.dmp

Filesize
1.6MB

Download
memory/500-2-0x00000000053D0000-0x00000000058CE000-memory.dmp

Filesize
5.0MB

Download
memory/500-3-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/500-4-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/500-5-0x0000000004E40000-0x0000000004E84000-memory.dmp

Filesize
272KB

Download
memory/500-6-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/500-7-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/500-8-0x00000000053C0000-0x00000000053C6000-memory.dmp

Filesize
24KB

Download
memory/1176-20-0x0000000008510000-0x0000000008522000-memory.dmp

Filesize
72KB

Download
memory/1176-22-0x00000000086E0000-0x000000000872B000-memory.dmp

Filesize
300KB

Download
memory/1176-27-0x000000000AB00000-0x000000000B02C000-memory.dmp

Filesize
5.2MB

Download
memory/1176-26-0x000000000A400000-0x000000000A5C2000-memory.dmp

Filesize
1.8MB

Download
memory/1176-25-0x00000000089B0000-0x00000000089CE000-memory.dmp

Filesize
120KB

Download
memory/1176-16-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1176-18-0x0000000008A50000-0x0000000009056000-memory.dmp

Filesize
6.0MB

Download
memory/1176-19-0x00000000085D0000-0x00000000086DA000-memory.dmp

Filesize
1.0MB

Download
memory/1176-21-0x0000000008570000-0x00000000085AE000-memory.dmp

Filesize
248KB

Download
memory/1176-24-0x0000000009160000-0x00000000091D6000-memory.dmp

Filesize
472KB

Download
memory/1176-23-0x00000000087F0000-0x0000000008856000-memory.dmp

Filesize
408KB

Download
memory/2088-15-0x00007FFC97260000-0x00007FFC9743B000-memory.dmp

Filesize
1.9MB

Download
memory/2088-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3156-11-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3156-9-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3156-12-0x00007FFC97260000-0x00007FFC9743B000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads