smokeloader | 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
Size

3.0MB
MD5

6d847896c20eb21cf6dc6a924138ef32
SHA1

c254273ecdb71e8d9097f726739036a94dd84a90
SHA256

207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd
SHA512

92074de4057f7519cae0eded975479dce2021088b6560f30be8a673fd79c0db4384ff6c09ae81cdba9b61c34415a839a089f6ef05636215ccaf9fc2400d42bf6
SSDEEP

98304:sfUbPHsTPGQE5rSKvY7FPmCOAJC+v6jJcmDcaS:sfUITl4YthO+Ca6VcmcL

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 3 IoCs

Processes:

207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exeRttHlp.exeRttHlp.exe

pid process

3548 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
4112 RttHlp.exe
1516 RttHlp.exe

Loads dropped DLL 8 IoCs

Processes:

207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exeRttHlp.exeRttHlp.exeUBA_control.exe

pid	process
3548	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
4112	RttHlp.exe
4112	RttHlp.exe
4112	RttHlp.exe
1516	RttHlp.exe
1516	RttHlp.exe
1516	RttHlp.exe
2532	UBA_control.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RttHlp.execmd.exe

description	pid	process	target process
PID 1516 set thread context of 4480	1516	RttHlp.exe	cmd.exe
PID 4480 set thread context of 2532	4480	cmd.exe	UBA_control.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

RttHlp.exeRttHlp.execmd.exe

pid process

4112 RttHlp.exe
1516 RttHlp.exe
1516 RttHlp.exe
4480 cmd.exe
4480 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

RttHlp.execmd.exe

pid process

1516 RttHlp.exe
4480 cmd.exe
4480 cmd.exe

pid	process
4112	RttHlp.exe
1516	RttHlp.exe
1516	RttHlp.exe
4480	cmd.exe
4480	cmd.exe

pid	process
1516	RttHlp.exe
4480	cmd.exe
4480	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exeRttHlp.exeRttHlp.execmd.exe

description	pid	process	target process
PID 4420 wrote to memory of 3548	4420	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
PID 4420 wrote to memory of 3548	4420	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
PID 4420 wrote to memory of 3548	4420	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
PID 3548 wrote to memory of 4112	3548	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe	RttHlp.exe
PID 3548 wrote to memory of 4112	3548	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe	RttHlp.exe
PID 3548 wrote to memory of 4112	3548	207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe	RttHlp.exe
PID 4112 wrote to memory of 1516	4112	RttHlp.exe	RttHlp.exe
PID 4112 wrote to memory of 1516	4112	RttHlp.exe	RttHlp.exe
PID 4112 wrote to memory of 1516	4112	RttHlp.exe	RttHlp.exe
PID 1516 wrote to memory of 4480	1516	RttHlp.exe	cmd.exe
PID 1516 wrote to memory of 4480	1516	RttHlp.exe	cmd.exe
PID 1516 wrote to memory of 4480	1516	RttHlp.exe	cmd.exe
PID 1516 wrote to memory of 4480	1516	RttHlp.exe	cmd.exe
PID 4480 wrote to memory of 2532	4480	cmd.exe	UBA_control.exe
PID 4480 wrote to memory of 2532	4480	cmd.exe	UBA_control.exe
PID 4480 wrote to memory of 2532	4480	cmd.exe	UBA_control.exe
PID 4480 wrote to memory of 2532	4480	cmd.exe	UBA_control.exe
PID 4480 wrote to memory of 2532	4480	cmd.exe	UBA_control.exe

C:\Users\Admin\AppData\Local\Temp\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
"C:\Users\Admin\AppData\Local\Temp\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\Temp\{0BEF3DBB-F19D-4862-A4F7-33BF4779E5A7}\.cr\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
  "C:\Windows\Temp\{0BEF3DBB-F19D-4862-A4F7-33BF4779E5A7}\.cr\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe" -burn.filehandle.attached=548 -burn.filehandle.self=544
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\Temp\{EF94A32C-DC95-4A8E-B751-ED9B0663A295}\.ba\RttHlp.exe
    "C:\Windows\Temp\{EF94A32C-DC95-4A8E-B751-ED9B0663A295}\.ba\RttHlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Roaming\AgentNotepad_beta\RttHlp.exe
      C:\Users\Admin\AppData\Roaming\AgentNotepad_beta\RttHlp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Users\Admin\AppData\Local\Temp\UBA_control.exe
        
        C:\Users\Admin\AppData\Local\Temp\UBA_control.exe
        6⤵
        Loads dropped DLL
        
        PID:2532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4405ea6d

Filesize
750KB

MD5
651614ccb252f5ed96a7cd66380e47b0

SHA1
1aa172ef838d051a0597f9663266809ca9291851

SHA256
dc5818b435b7485afdb7fd50dddad69fb65303254483702a5fe1740c1d45e35a

SHA512
973776982f81f0097f0d9c851a736ca8e1c5ea4c30611032150d1dc6c5767e955d052fa2148d6c30f4ecbe7a6468c5f0aced4c05044c8bb26d36d2e2a59dcaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\UBA_control.exe

Filesize
301KB

MD5
68cefdfbd2e1a35e8c4f144e37d77a76

SHA1
0a6637d5eb3c958a0136358d0290514c7309af73

SHA256
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

SHA512
88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

Download Submit
C:\Windows\Temp\{0BEF3DBB-F19D-4862-A4F7-33BF4779E5A7}\.cr\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe

Filesize
2.7MB

MD5
51c6396f186485cc5c7b78c0b12c6080

SHA1
b8adf225ef1652010c0b14df9e60810dc2cc5071

SHA256
08a3ac79c87241a486bd486c417f336f801515ae196d0d4457c572bffce95086

SHA512
43fff91d6a3fb6c1a846de9f5e10ee4cff92a8afab4b922c7342edcc09ca766972ec74e384d987bd0b8f76cd3001165c4ce4a25ade7f0c5e2552a5923e088947

Download Submit
C:\Windows\Temp\{EF94A32C-DC95-4A8E-B751-ED9B0663A295}\.ba\Country.dll

Filesize
268KB

MD5
152d2e72616204365c774410ba243126

SHA1
e1f7edbc74e17a3d2de83273b54f71f36906c05c

SHA256
9d62de209a15955ac366e251c25afc69b6d420b88fd90522efeaeae72712a4ca

SHA512
e60e2c99db99e5839f8825a4db98157d2f20cdc6d4692d031d325d9c230459d14748b466bb7344cdbd724a2fa7bf12dcd157bd1c2645d58490a4e42105f271f9

Download Submit
C:\Windows\Temp\{EF94A32C-DC95-4A8E-B751-ED9B0663A295}\.ba\Register.dll

Filesize
1.0MB

MD5
40b9628354ef4e6ef3c87934575545f4

SHA1
8fb5da182dea64c842953bf72fc573a74adaa155

SHA256
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

SHA512
02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

Download Submit
C:\Windows\Temp\{EF94A32C-DC95-4A8E-B751-ED9B0663A295}\.ba\RttHlp.exe

Filesize
135KB

MD5
a2d70fbab5181a509369d96b682fc641

SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Download Submit
C:\Windows\Temp\{EF94A32C-DC95-4A8E-B751-ED9B0663A295}\.ba\aesthete.tar

Filesize
37KB

MD5
b6500c7d86f28103ce38a101463935e7

SHA1
caca60dab0231fecfbea90e6bd3b66e6aae147a5

SHA256
bf896e89241141126c6e1060287d6ddbbcf4b4eecb0069a158e9260f2a1c8c89

SHA512
fbd25f24a04b5afc19bc8d5e247c90835fb277bc8fd160b2b7bc6b0bc15acc9d5db67d63a6f6a9d2f2a6b89ec10828383bff66997017aed6fe3ee4333e423a5f

Download Submit
C:\Windows\Temp\{EF94A32C-DC95-4A8E-B751-ED9B0663A295}\.ba\coronal.html

Filesize
506KB

MD5
70027836924f5aa4475aa017bce9073e

SHA1
eae3b0e38812b09180dda8ae5a1fe02636e42c1a

SHA256
aa515331c99449c42be52bfd4505dbe0a5fee6937e49e473b1f0c3052f160c51

SHA512
b8cbb2dc42620ee8b9aea0ed87bed068cda19d83786a136ef2b4f716c0ab5fa762e408151d6b606cdaed0f007baf098a6a96d24fa2293acb0900b33d0726aeec

Download Submit
C:\Windows\Temp\{EF94A32C-DC95-4A8E-B751-ED9B0663A295}\.ba\rtl120.bpl

Filesize
1.1MB

MD5
b96b64ed4307558b37759450672f7143

SHA1
7e2ebae7cc2eb573cb1ed7207544e10f4ae5aec1

SHA256
69b12de013dea740730d777bcc7cc3ac561d583a2eb6a853524ff03057a430cf

SHA512
d1c2663138b1b3c480cc923aab0337e316a4d0e58e2900099f78d4733851c0f3954e1165475361e790124cc9f7e0a5d8067e9f266bc0e3a29527591f2258a3c5

Download Submit
C:\Windows\Temp\{EF94A32C-DC95-4A8E-B751-ED9B0663A295}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
memory/1516-46-0x00000000750E0000-0x000000007525B000-memory.dmp

Filesize
1.5MB

Download
memory/1516-47-0x00007FFE2E070000-0x00007FFE2E265000-memory.dmp

Filesize
2.0MB

Download
memory/1516-48-0x00000000750E0000-0x000000007525B000-memory.dmp

Filesize
1.5MB

Download
memory/1516-51-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2532-68-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2532-65-0x00007FFE2E070000-0x00007FFE2E265000-memory.dmp

Filesize
2.0MB

Download
memory/2532-60-0x0000000073BA0000-0x0000000074DF4000-memory.dmp

Filesize
18.3MB

Download
memory/2532-59-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4112-37-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/4112-36-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/4112-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4112-25-0x00007FFE2E070000-0x00007FFE2E265000-memory.dmp

Filesize
2.0MB

Download
memory/4112-24-0x0000000073A70000-0x0000000073BEB000-memory.dmp

Filesize
1.5MB

Download
memory/4480-56-0x00000000750E0000-0x000000007525B000-memory.dmp

Filesize
1.5MB

Download
memory/4480-54-0x00007FFE2E070000-0x00007FFE2E265000-memory.dmp

Filesize
2.0MB

Download