smokeloader | 1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4

General

Target

1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Size

307KB
MD5

14bc49a4e337e1d9629ae9be1955ca6c
SHA1

6875af987f3092686e0fb6e627088b6565434eee
SHA256

1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4
SHA512

461c45c30378ae8ab3fd891dbe743f866861ec02027290de97326b6bdd2d20e10499c424bf202b531651633bdf2c75a2c6a505b8cd76daf17e4d3dea4b8e8312
SSDEEP

3072:mrU1NornrRpzp+1Y3Xwr+1cEFws13ppVuCC3FVwCL6BhsAH1fQQJGESXFqNcB:mtVqiCE1MCC3FephTH1fQQJGfXecB

Score

10^/10

smokeloader pub3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1256
Executes dropped EXE 1 IoCs

Processes:

jbjwvie

pid process

1536 jbjwvie

pid	process
1256

pid	process
1536	jbjwvie

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exejbjwvie

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jbjwvie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jbjwvie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jbjwvie

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe

pid	process
2188	1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
2188	1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exejbjwvie

pid process

2188 1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
1536 jbjwvie
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1256
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1256
1256
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1256
1256

description	pid	process
Token: SeShutdownPrivilege	1256

pid	process
1256
1256

pid	process
1256
1256

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1636 wrote to memory of 1536	1636	taskeng.exe	jbjwvie
PID 1636 wrote to memory of 1536	1636	taskeng.exe	jbjwvie
PID 1636 wrote to memory of 1536	1636	taskeng.exe	jbjwvie
PID 1636 wrote to memory of 1536	1636	taskeng.exe	jbjwvie

C:\Users\Admin\AppData\Local\Temp\1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
"C:\Users\Admin\AppData\Local\Temp\1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2188

C:\Windows\system32\taskeng.exe
taskeng.exe {527C2AE5-1232-4241-A5F3-8C4821D3D142} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\jbjwvie
C:\Users\Admin\AppData\Roaming\jbjwvie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jbjwvie
Filesize
307KB

MD5
14bc49a4e337e1d9629ae9be1955ca6c

SHA1
6875af987f3092686e0fb6e627088b6565434eee

SHA256
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4

SHA512
461c45c30378ae8ab3fd891dbe743f866861ec02027290de97326b6bdd2d20e10499c424bf202b531651633bdf2c75a2c6a505b8cd76daf17e4d3dea4b8e8312

Download Submit
memory/1256-4-0x0000000002DA0000-0x0000000002DB6000-memory.dmp

Filesize
88KB

Download
memory/1256-29-0x0000000003010000-0x0000000003026000-memory.dmp

Filesize
88KB

Download
memory/1536-32-0x0000000000400000-0x000000000403D000-memory.dmp

Filesize
60.2MB

Download
memory/2188-1-0x00000000041B0000-0x00000000042B0000-memory.dmp

Filesize
1024KB

Download
memory/2188-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2188-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2188-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2188-5-0x0000000000400000-0x000000000403D000-memory.dmp

Filesize
60.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads