smokeloader | 346bf19fd3db13e8e96aee0890638d0d0cd04ac98627ebc8f4165e56a68a76ee

Analysis

max time kernel
92s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

346bf19fd3db13e8e96aee0890638d0d0cd04ac98627ebc8f4165e56a68a76ee.exe
Size

168KB
MD5

4e7eb0701651ed6ccf6425aa1e7035c2
SHA1

d4a47b0c227fa8a426a011c4abdab3d1497a47fd
SHA256

346bf19fd3db13e8e96aee0890638d0d0cd04ac98627ebc8f4165e56a68a76ee
SHA512

9d4edd1ea390f87adc7636f6380d96795ebf2580c67875f26a4ad1a20dd0c20d95d237f4d891a7d81b3a34bd1f1877d26a32ee7cc3256cd8e663f835aac76984
SSDEEP

3072:aOMFLNQ4l8r6DohyfxGMVHjFld56j0RVwE7wQWLc:aNLNBltfPVG0I

Score

10^/10

smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4860	2780	WerFault.exe	80

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	346bf19fd3db13e8e96aee0890638d0d0cd04ac98627ebc8f4165e56a68a76ee.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	346bf19fd3db13e8e96aee0890638d0d0cd04ac98627ebc8f4165e56a68a76ee.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	346bf19fd3db13e8e96aee0890638d0d0cd04ac98627ebc8f4165e56a68a76ee.exe

C:\Users\Admin\AppData\Local\Temp\346bf19fd3db13e8e96aee0890638d0d0cd04ac98627ebc8f4165e56a68a76ee.exe
"C:\Users\Admin\AppData\Local\Temp\346bf19fd3db13e8e96aee0890638d0d0cd04ac98627ebc8f4165e56a68a76ee.exe"
1⤵
- Checks SCSI registry key(s)
PID:2780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 356
  2⤵
  - Program crash
  PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2780 -ip 2780
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2780-1-0x0000000002750000-0x0000000002850000-memory.dmp

Filesize
1024KB

Download
memory/2780-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2780-2-0x0000000002730000-0x000000000273B000-memory.dmp

Filesize
44KB

Download
memory/2780-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2780-4-0x0000000000400000-0x0000000002718000-memory.dmp

Filesize
35.1MB

Download