smokeloader | 9f2f9e8b9a0f30c47e9f33be828338020ad47af9a8b2b943cf7594a0e63dbcea

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

623587ed0d43d6dd6fd9dd93d632722df1f8b217.exe
Size

261KB
MD5

71f991391d6e71dbc7aa00ea8460a29d
SHA1

623587ed0d43d6dd6fd9dd93d632722df1f8b217
SHA256

9f2f9e8b9a0f30c47e9f33be828338020ad47af9a8b2b943cf7594a0e63dbcea
SHA512

54a556822ab6be93bb70bca8656ea74c8e378e88a2e1eca8c2ede52f1e03744bb405a1d3dbe0ce0f0599f4909c1c5d82a1c4f3a09917e9acd677121a93d92396
SSDEEP

6144:izvCUwbvILuzv6Lsb1Vizb68aVGDUaZ7H08MnLYy:iWdvIqz6Lsb1MujGwm7U8MnLY

Score

10^/10

smokeloader backdoor discovery trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2448	2876	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	623587ed0d43d6dd6fd9dd93d632722df1f8b217.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2448	2876	623587ed0d43d6dd6fd9dd93d632722df1f8b217.exe	30
PID 2876 wrote to memory of 2448	2876	623587ed0d43d6dd6fd9dd93d632722df1f8b217.exe	30
PID 2876 wrote to memory of 2448	2876	623587ed0d43d6dd6fd9dd93d632722df1f8b217.exe	30
PID 2876 wrote to memory of 2448	2876	623587ed0d43d6dd6fd9dd93d632722df1f8b217.exe	30

C:\Users\Admin\AppData\Local\Temp\623587ed0d43d6dd6fd9dd93d632722df1f8b217.exe
"C:\Users\Admin\AppData\Local\Temp\623587ed0d43d6dd6fd9dd93d632722df1f8b217.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 136
  2⤵
  - Program crash
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-1-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2876-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2876-2-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2876-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download