smokeloader | 546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8

Analysis

max time kernel
195s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-05-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe
Size

654KB
MD5

87f8958f40e487f7d816cd1aaf52fa84
SHA1

0d84722779ef406a090fd085c7a2f4ed636afb3d
SHA256

546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8
SHA512

717c228b27dddca019fe81a8619f6a8d11b0362140de276aa5d6746b3eb0bc1130ae4b79a7a4389541e872cdb63b781a37a1cd459b810b0380deb6b046a0e287
SSDEEP

12288:IXAx/2a0CTmgQ9AlrsgsdNUUhfjersFwz3NTwBOuCUxQQZNIuJ3M7THqAi4dD4:IXAx/2z9CrsgsTUU1ioEnuCUxQQZN9Je

Score

10^/10

smokeloader pub3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Weblog.pif

description pid process target process

PID 3728 created 3264 3728 Weblog.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Weblog.pifWeblog.pif

pid process

3728 Weblog.pif
3392 Weblog.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Weblog.pif

description pid process target process

PID 3728 set thread context of 3392 3728 Weblog.pif Weblog.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3728 created 3264	3728	Weblog.pif	Explorer.EXE

description	pid	process	target process
PID 3728 set thread context of 3392	3728	Weblog.pif	Weblog.pif

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Weblog.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Weblog.pif
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Weblog.pif
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Weblog.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4288 tasklist.exe
4932 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4816 PING.EXE

pid	process
4288	tasklist.exe
4932	tasklist.exe

pid	process
4816	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Weblog.pif

pid	process
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif
3728	Weblog.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4288 tasklist.exe
Token: SeDebugPrivilege 4932 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Weblog.pif

pid process

3728 Weblog.pif
3728 Weblog.pif
3728 Weblog.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Weblog.pif

pid process

3728 Weblog.pif
3728 Weblog.pif
3728 Weblog.pif

description	pid	process
Token: SeDebugPrivilege	4288	tasklist.exe
Token: SeDebugPrivilege	4932	tasklist.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.execmd.exeWeblog.pif

description	pid	process	target process
PID 1104 wrote to memory of 4912	1104	546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe	cmd.exe
PID 1104 wrote to memory of 4912	1104	546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe	cmd.exe
PID 1104 wrote to memory of 4912	1104	546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe	cmd.exe
PID 4912 wrote to memory of 4288	4912	cmd.exe	tasklist.exe
PID 4912 wrote to memory of 4288	4912	cmd.exe	tasklist.exe
PID 4912 wrote to memory of 4288	4912	cmd.exe	tasklist.exe
PID 4912 wrote to memory of 380	4912	cmd.exe	findstr.exe
PID 4912 wrote to memory of 380	4912	cmd.exe	findstr.exe
PID 4912 wrote to memory of 380	4912	cmd.exe	findstr.exe
PID 4912 wrote to memory of 4932	4912	cmd.exe	tasklist.exe
PID 4912 wrote to memory of 4932	4912	cmd.exe	tasklist.exe
PID 4912 wrote to memory of 4932	4912	cmd.exe	tasklist.exe
PID 4912 wrote to memory of 1708	4912	cmd.exe	findstr.exe
PID 4912 wrote to memory of 1708	4912	cmd.exe	findstr.exe
PID 4912 wrote to memory of 1708	4912	cmd.exe	findstr.exe
PID 4912 wrote to memory of 2736	4912	cmd.exe	cmd.exe
PID 4912 wrote to memory of 2736	4912	cmd.exe	cmd.exe
PID 4912 wrote to memory of 2736	4912	cmd.exe	cmd.exe
PID 4912 wrote to memory of 4184	4912	cmd.exe	findstr.exe
PID 4912 wrote to memory of 4184	4912	cmd.exe	findstr.exe
PID 4912 wrote to memory of 4184	4912	cmd.exe	findstr.exe
PID 4912 wrote to memory of 5008	4912	cmd.exe	cmd.exe
PID 4912 wrote to memory of 5008	4912	cmd.exe	cmd.exe
PID 4912 wrote to memory of 5008	4912	cmd.exe	cmd.exe
PID 4912 wrote to memory of 3728	4912	cmd.exe	Weblog.pif
PID 4912 wrote to memory of 3728	4912	cmd.exe	Weblog.pif
PID 4912 wrote to memory of 3728	4912	cmd.exe	Weblog.pif
PID 4912 wrote to memory of 4816	4912	cmd.exe	PING.EXE
PID 4912 wrote to memory of 4816	4912	cmd.exe	PING.EXE
PID 4912 wrote to memory of 4816	4912	cmd.exe	PING.EXE
PID 3728 wrote to memory of 3392	3728	Weblog.pif	Weblog.pif
PID 3728 wrote to memory of 3392	3728	Weblog.pif	Weblog.pif
PID 3728 wrote to memory of 3392	3728	Weblog.pif	Weblog.pif
PID 3728 wrote to memory of 3392	3728	Weblog.pif	Weblog.pif
PID 3728 wrote to memory of 3392	3728	Weblog.pif	Weblog.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe
"C:\Users\Admin\AppData\Local\Temp\546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Eva Eva.cmd & Eva.cmd & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:380

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c md 55118105
4⤵
PID:2736

C:\Windows\SysWOW64\findstr.exe
findstr /V "RealizedBreachAttractCasino" Sapphire
4⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Bulk + Vic + Wherever 55118105\g
4⤵
PID:5008

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\Weblog.pif
55118105\Weblog.pif 55118105\g
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:4816

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\Weblog.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\Weblog.pif
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\Weblog.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\g
Filesize
214KB

MD5
296d2bbf6e73a7b42a374a60689953b3

SHA1
fd960c722e0e60a8fe1698c96bdae2906da5b5ec

SHA256
21d83dc927f662e9df2e459662e098faf55e6585436224feec00441e57351d77

SHA512
d87b60f93c0e3546b8d19b7216bb771320c6c6768d02e113d44bb6599f58605c2f14440cf6ac2657105ffecdeb71a63f70829afb38b0be0550b6cf5c6e5ab205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Atlas
Filesize
65KB

MD5
ee1f72d5b02779697690575c753b3ab2

SHA1
4be8b375e959f56d0803f2d0757be0c8e3e8416c

SHA256
47c298d264557ed2d5b78eda0f14f8a1f0ddaffbb211a6cee785ec49d53336be

SHA512
60c4c18d8dc49c8c8cdfffa5abc47fb63546f84d1dd2e7a08c1e51fa85acf8aea8361d3a4c022b88f4e69f1351a6a34337e73ab18d9429c54fd10bd1f5b287d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bizrate
Filesize
252KB

MD5
ffaad75a449bd850e6468c4d9a034ff3

SHA1
327785fda15cc4fdca2e4813a964ac760446924c

SHA256
b1f2edff5c954f562c37e4c19b5c639da94186275d6a09fcf99b9a4c1a1a7b2e

SHA512
2af2f594fa8d3a0b46569e6832ebc864bc23120b2d376bb2973cd7a6c1c3f1d8f9dd4bc5af0717f5bdac93058f6ea55e9e54b91628e4db00d90befac4e55736f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bulk
Filesize
27KB

MD5
011a99302e6aedccfc371e2385dce3b1

SHA1
ac2969c6447df8af5f0b16a43d89055b1c3cd927

SHA256
f3c746ba265885c3679a3d05df362fa6c02de3df5af888d32f7366efab948cf9

SHA512
64fc6323f52dded98efb4cc8f2649260a4aaab3d15683bef353a5f9b0609bcb70e95efd7e548aa1496695a5a156d16c89b922332bc731bd52b8e9725dc43f5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Church
Filesize
193KB

MD5
dde77074cd4fc4841d8863e50165d308

SHA1
552f65ce1b9c4e73d83a969a0c6b49249fc4153c

SHA256
d75f980e9ab4e2abf7fdb4a3cc1023c8cf4992cc3cf2d3b8e51f058cadf1eacb

SHA512
0eaeef3d1601f0c103f9fa39d5fb2ec93b62ca726516efc555ff7ab2f4622bb2986bd2818f35e143a6faa36e2bfb882c3646f416e93ff6901cac8f4adb2b6b67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Craig
Filesize
88KB

MD5
1378c5909a67575d7113ea9c447ec1c3

SHA1
f1696a1698f957bde6e76824fd64372f8edebc52

SHA256
73ef6f39ddccaa4ae564adf7b322c2a5ca01309de1fa0d42fe158ea0ab409b2a

SHA512
cd3d95081a385db6167068a43e927ce450da0ad58add5e9882af54e63c40f74c3bc903f62fa3c8fba00cdc743a08cadfa7d2f190a62648f7bdf0f376fd45e119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Eva
Filesize
8KB

MD5
3e1810f589d8150d793a2c37fa7f5f1c

SHA1
def0e663b443ad59916389e12dbc683ac63588ef

SHA256
e14f8b41926cb04a1c4fced906196ff15e987a89ae8ddc906d2d4c7ccd075a6f

SHA512
ba3a5fd0a30cc54b440e9c13b061628c2037044d96db6d0132433d62ccd8261f87f636be59a3545e0ad53dabe939a560e1f3eb61f3534e4fb757b1de523786c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hon
Filesize
256KB

MD5
bd673916d377edc0766b9bdcdf0bd7c7

SHA1
d967cc371085b5dc430f85c1128fdfdce83dc38b

SHA256
cac7bf46fc8cba66bfd9cea2da8884aeb5b95a580207b926f4d4b84edf21b55d

SHA512
d92c428b2b398d2470ae8087ef8e3128b221cf7731b1461a99ffd4e474e176c1e558e7828dbf09122a3e3cb4a28ee3e14e6daf301c5ab572641b264d24de6e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sapphire
Filesize
207B

MD5
a5cde500d1db6a63c99d2711f6628601

SHA1
6b17d82b42d0bf7e37de08545a7f310565fba7e6

SHA256
5e65d778ca46c8619a15f27fd156f4603b357bb58f47a0e47cd1db36ed8750c7

SHA512
6c5612b70b7ed81fcf5deb4b5259884fc64cc3b66e431710784c3e9e2f93eb9aab39fbbf71b2c24548d8397ab5ae899c40427bf328e35cd8dfac154c6c0fcb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sustained
Filesize
18KB

MD5
1eb069a51524c43c3f55564346859e68

SHA1
5402dccf904132ee5fc86b82e512af830a410fbd

SHA256
3abc358356fd8f311dfa62fff7cfd0938e065e779613dd8a15d20efa23ca201d

SHA512
83c45c308ae5bacd2877d15bf853eefc5d3dfbcba663f450d4dbde6207bca07e3a716e68812c3141b2d2cfd93a027af392501e105180d6d5d8197bb1208665ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vic
Filesize
126KB

MD5
8273ad98033324191048b5e37ad2e84c

SHA1
ac8e6fa17ca35f6934200ebc4bfbd326219c9dba

SHA256
3280ece8ebb88ff6660d76d250b7d6ed295f2bd5983272b47f298daac15d7efb

SHA512
3a75d3cd2ba645e5e8f6ae37444ff2ba96234a7ab7f5eec38a13caa959f42d648310710a7b3bd6bf6ae7f6357773d26c095daaf3373a23c8297fe9037c0b6e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wherever
Filesize
61KB

MD5
198fa81b8b37d09238bcc92fa94c894c

SHA1
71e9219258f485a388d79b05f83e953f5c04ceec

SHA256
195e5d7e0081e2ac1c8d9537ffe0103d5e5968edcc2a16dcf5530095127121a6

SHA512
fcbdf7603dff2b89c7d42b1576f725754b45eeb516cac9fea32719eec0e74f4a384df19137f64f08461e4988b88bfa9ac51a08deb54bb985ad8326c6bf7d85af

Download Submit
memory/3392-30-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3392-31-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download