smokeloader | b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 10:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe
Size

4.4MB
MD5

c2419da022c7e7cd67bc89bfebe9eac1
SHA1

aa4134dffa803186725e08054465bb20323aa648
SHA256

b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e
SHA512

078c28045c9d0360b1b54235b703aa94181f2bbddf82ee4dc9e0c595027a9284560c508a6b6e2bd436e501d99e836a5a809244a666b648d3e5bd18987537c78d
SSDEEP

98304:KfUbh9tSS7jIn148InQMeQYvFgU9rjbXVLoXXfKLwPWwnp:KfU7tr7jInyIR80fSKLA

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 3 IoCs

pid	Process
1708	b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe
432	pythonw.exe
884	pythonw.exe

Loads dropped DLL 6 IoCs

pid	Process
1708	b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe
432	pythonw.exe
432	pythonw.exe
884	pythonw.exe
884	pythonw.exe
3260	QbnClient.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 884 set thread context of 3620	884	pythonw.exe	96
PID 3620 set thread context of 3260	3620	cmd.exe	99

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
432	pythonw.exe
884	pythonw.exe
884	pythonw.exe
3620	cmd.exe
3620	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
884	pythonw.exe
3620	cmd.exe
3620	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1708	1856	b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe	83
PID 1856 wrote to memory of 1708	1856	b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe	83
PID 1856 wrote to memory of 1708	1856	b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe	83
PID 1708 wrote to memory of 432	1708	b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe	94
PID 1708 wrote to memory of 432	1708	b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe	94
PID 432 wrote to memory of 884	432	pythonw.exe	95
PID 432 wrote to memory of 884	432	pythonw.exe	95
PID 884 wrote to memory of 3620	884	pythonw.exe	96
PID 884 wrote to memory of 3620	884	pythonw.exe	96
PID 884 wrote to memory of 3620	884	pythonw.exe	96
PID 884 wrote to memory of 3620	884	pythonw.exe	96
PID 3620 wrote to memory of 3260	3620	cmd.exe	99
PID 3620 wrote to memory of 3260	3620	cmd.exe	99
PID 3620 wrote to memory of 3260	3620	cmd.exe	99
PID 3620 wrote to memory of 3260	3620	cmd.exe	99
PID 3620 wrote to memory of 3260	3620	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe
"C:\Users\Admin\AppData\Local\Temp\b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Temp\{E01EC4C5-0A98-4D29-9340-4C8996167C1C}\.cr\b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe
  "C:\Windows\Temp\{E01EC4C5-0A98-4D29-9340-4C8996167C1C}\.cr\b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\Temp\{E28F820D-152D-4BA2-89AE-49F68EF9DD62}\.ba\pythonw.exe
    "C:\Windows\Temp\{E28F820D-152D-4BA2-89AE-49F68EF9DD62}\.ba\pythonw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Users\Admin\AppData\Roaming\Archivelocal\pythonw.exe
      C:\Users\Admin\AppData\Roaming\Archivelocal\pythonw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3620
      - C:\Users\Admin\AppData\Local\Temp\QbnClient.exe
        
        C:\Users\Admin\AppData\Local\Temp\QbnClient.exe
        6⤵
        Loads dropped DLL
        
        PID:3260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4cde41b0

Filesize
748KB

MD5
0d969eb83e62a79af22bceb48e853362

SHA1
de6cfe066a8d16806e5495d415b0604a74fa2413

SHA256
89050a900a6717f4bd62502b5faf05efedf421dcaf4539627cea4396279ade97

SHA512
40c7251d5e553b9a5d643ebd9f7b2ef48c87b52b291ae4240b6c878207c2adea7c64652b581689340afa1e8bc15853d513ae4121007f4b32afc1068be8646097

Download Submit
C:\Users\Admin\AppData\Local\Temp\QbnClient.exe

Filesize
301KB

MD5
68cefdfbd2e1a35e8c4f144e37d77a76

SHA1
0a6637d5eb3c958a0136358d0290514c7309af73

SHA256
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

SHA512
88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

Download Submit
C:\Windows\Temp\{E01EC4C5-0A98-4D29-9340-4C8996167C1C}\.cr\b5d6e4c9e8f6784ccdb4be2d098d8650723d055ce1aff0e0f9a8e8bd8b76c13e.exe

Filesize
3.4MB

MD5
7ba236c88f18ee331a7bd1514a942396

SHA1
d91ea05d327db76da7ad69f18b9240f4de1e4bb2

SHA256
8025219c596018de414fff5f8774374229d94c489c1047f68d6166d836de4422

SHA512
17b64f86f1861220f5ee9d14ce9c4286eea050d9ba2ab47c4c1a0cd971e9cd0f594bc4154ec9524ec11b91b90b17592e4a79a1dedb00494bb9f413ae949c39fe

Download Submit
C:\Windows\Temp\{E28F820D-152D-4BA2-89AE-49F68EF9DD62}\.ba\Esquire.dll

Filesize
958KB

MD5
f90f0930e15e5546243c2786bc04cbd8

SHA1
e6a5e0b83bf0f61b372481380f2048d39efd971f

SHA256
42e94b3bfe101e7a955f9379ebb041b8178f525ea8b3670dc330ca6397c004d1

SHA512
c201713b7a27d4a137c6dedecde012a7a9206fb2646877cf246d8b17301a14e1d5328475772a37a15b609ac64b85fb688cd68f510cff87f1502310c319b9478f

Download Submit
C:\Windows\Temp\{E28F820D-152D-4BA2-89AE-49F68EF9DD62}\.ba\marl.tar.gz

Filesize
619KB

MD5
47aa6da84c95a72a3135a97972ff748a

SHA1
ae391d251d816259219bc1f82f24e9957501cda7

SHA256
1151511252b3ac7f6f0d0a78f83507421df44fbf961b42e6ce15f989a1493348

SHA512
e43c727d2e40b228e0193136569f522589b7c73d7759600abb9e19fcc925f4bcbbfab29b722d17cb5b9d6554473a2c0422ef3105c4050d66f44d534872da2042

Download Submit
C:\Windows\Temp\{E28F820D-152D-4BA2-89AE-49F68EF9DD62}\.ba\python310.dll

Filesize
4.3MB

MD5
cc040b4b83d72369f841f841193664d2

SHA1
591a03b2e97536963ee0a7d47bf93755f2c6e375

SHA256
a996dffb0d1337779925abc0d63f60e9f39aa90e8705ade98c53a0ed4024d207

SHA512
4901ec5d81eb5753c5c4b519ee6431d7dfc52e8f4a78bccf5bc886d03fdb3780b9ef0e6befb8b24dbe74cf5a56aadf7295e3b3a373d2a21c71616d2daae165f2

Download Submit
C:\Windows\Temp\{E28F820D-152D-4BA2-89AE-49F68EF9DD62}\.ba\pythonw.exe

Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Windows\Temp\{E28F820D-152D-4BA2-89AE-49F68EF9DD62}\.ba\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Windows\Temp\{E28F820D-152D-4BA2-89AE-49F68EF9DD62}\.ba\ventose.wmv

Filesize
66KB

MD5
b7f0587dcc9ab5bc8083dc51a966a6ab

SHA1
b7b6e38a4510a12dc69df2513d789c6884435c5a

SHA256
51a984fd3a661a48d56d27736e6529e181fb88d83b0c7bca8150f1e6c5b1b930

SHA512
42f60ca11a5bd02a1f00a2f821e38ec7fe4c28a9460a72e2cf4fa698765adb0bedd5c23ea1277d092d6f0299b2470fff3152915cec7cda40ed91f7cc75a77007

Download Submit
memory/432-21-0x00007FFF0FC20000-0x00007FFF0FD92000-memory.dmp

Filesize
1.4MB

Download
memory/884-36-0x00007FFF0FC20000-0x00007FFF0FD92000-memory.dmp

Filesize
1.4MB

Download
memory/884-37-0x00007FFF0FC20000-0x00007FFF0FD92000-memory.dmp

Filesize
1.4MB

Download
memory/3260-45-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3260-46-0x0000000074380000-0x00000000755D4000-memory.dmp

Filesize
18.3MB

Download
memory/3260-51-0x00007FFF2E930000-0x00007FFF2EB25000-memory.dmp

Filesize
2.0MB

Download
memory/3260-52-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/3260-54-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3620-40-0x00007FFF2E930000-0x00007FFF2EB25000-memory.dmp

Filesize
2.0MB

Download
memory/3620-42-0x00000000756C0000-0x000000007583B000-memory.dmp

Filesize
1.5MB

Download