smokeloader | 610edded4b537b64563e6f8aa35199aeb794d2011ceb36bc00551e4f84c803ad

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe
Size

186KB
MD5

75e60b6084c6716bba7f221ef5e0ccf3
SHA1

03b9529cdb1ef763dfad4e89e1f68d5fcb4ec4c2
SHA256

56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e
SHA512

d1bc21b931f300c724d2bd0f1891deb656304fc0e77ee95b26d47e7020a000311b2aed9c33578607cac7a228147d3e6950e14d2a73bd1bca177a53074da315e6
SSDEEP

3072:xKy4fUvJnLIWsWHrWo5svBmujw3KmpaDNPm5EWybG:sy3LIWsY836KZDZm5EWy

Score

10^/10

smokeloader 2023 backdoor discovery trojan

Malware Config

Extracted

Family

smokeloader

Botnet

2023

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2568 1668 WerFault.exe 56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe

pid	pid_target	process	target process
2568	1668	WerFault.exe	56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe

description	pid	process	target process
PID 1668 wrote to memory of 2568	1668	56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe	WerFault.exe
PID 1668 wrote to memory of 2568	1668	56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe	WerFault.exe
PID 1668 wrote to memory of 2568	1668	56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe	WerFault.exe
PID 1668 wrote to memory of 2568	1668	56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe
"C:\Users\Admin\AppData\Local\Temp\56b9bba4f6d51f0a1c21d62614d87f946ae7464629ef27abc48ecf14dd1e684e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 136
  2⤵
  - Program crash
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1668-1-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/1668-3-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download