smokeloader | 1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47

Resubmissions

29-05-2024 07:43

240529-jkm4kagb72 10

08-05-2024 23:28

240508-3ge4bsde7z 10

Analysis

max time kernel
166s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe
Size

231KB
MD5

99aaffa85ef7f0f16fb71435a1789210
SHA1

2c477e9ef7f055f7dab54078c9aff8eb30694b89
SHA256

1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47
SHA512

aadc101a693d8728ade79ebfda7a34010412ed3950bc31801fda9fce160475c28740d17004d4ca25b7796fdce995d30a36bfb96026cc96f5f64d274f84bca5d7
SSDEEP

3072:uI71HpD138zSIQ6WoVTEEiS+IWWWkElI8ULPz6j0kmZorp:F7111MzSoPVTKIWNkEGVH6gvo

Score

10^/10

smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://dpav.cc/tmp/

http://lrproduct.ru/tmp/

http://kggcp.com/tmp/

http://talesofpirates.net/tmp/

http://pirateking.online/tmp/

http://piratia.pw/tmp/

http://go-piratia.ru/tmp/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3336

pid	process
3336

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe

pid	process
4956	99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe
4956	99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe

pid process

4956 99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\99aaffa85ef7f0f16fb71435a1789210_NEIKI.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3336-5-0x0000000002F00000-0x0000000002F16000-memory.dmp

Filesize
88KB

Download
memory/4956-1-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/4956-2-0x0000000000970000-0x000000000097B000-memory.dmp

Filesize
44KB

Download
memory/4956-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4956-4-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/4956-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4956-9-0x0000000000970000-0x000000000097B000-memory.dmp

Filesize
44KB

Download
memory/4956-6-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download