smokeloader | 02f86c67205d49488a1877958949126ce5f953945a027761dd71f1bdf62aa3c2

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3ee74a1002972ecf8098fc33c181bf0N.exe
Size

111KB
MD5

c3ee74a1002972ecf8098fc33c181bf0
SHA1

5485f8410ebe6feff63fc1eaf04698573ed0c08d
SHA256

02f86c67205d49488a1877958949126ce5f953945a027761dd71f1bdf62aa3c2
SHA512

b266dd99ad9138ee76db3818c522302a2fd3bb45d34630d131c7f9cb69f5a008b68d99210b406b60992e20f73812be07c3858d57c33a16ba0fda470bd954f2d0
SSDEEP

3072:36rxD6ApK4zjJof3688o0fjmBB6SH6zay4uko:sxD6Mbo0fCX6+Ruj

Score

10^/10

smokeloader ku11 backdoor discovery trojan

Malware Config

Extracted

Family

smokeloader

Botnet

ku11

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Loads dropped DLL 1 IoCs

pid	Process
2736	c3ee74a1002972ecf8098fc33c181bf0N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2528	2736	WerFault.exe	27

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3ee74a1002972ecf8098fc33c181bf0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2528	2736	c3ee74a1002972ecf8098fc33c181bf0N.exe	28
PID 2736 wrote to memory of 2528	2736	c3ee74a1002972ecf8098fc33c181bf0N.exe	28
PID 2736 wrote to memory of 2528	2736	c3ee74a1002972ecf8098fc33c181bf0N.exe	28
PID 2736 wrote to memory of 2528	2736	c3ee74a1002972ecf8098fc33c181bf0N.exe	28

C:\Users\Admin\AppData\Local\Temp\c3ee74a1002972ecf8098fc33c181bf0N.exe
"C:\Users\Admin\AppData\Local\Temp\c3ee74a1002972ecf8098fc33c181bf0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 164
  2⤵
  - Program crash
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\5C1B.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/2736-0-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2736-2-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/2736-1-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2736-6-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download