Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
02-07-2024 23:31
General
-
Target
37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe
-
Size
40KB
-
MD5
c280b435ae8e9bcf43b221df43e9fc65
-
SHA1
5185a39475de9e0b98f1faba04a9e3bf9e3d5d76
-
SHA256
fa39d4dbbf0828f381cf30adfb6b5f3c207e86d22eccbfcc4d4ecd90573e4b6b
-
SHA512
1ab923c51af946ea21fef2056618b4180ae9933ee9befe100d61e6039cfc8a959c9e8ecccf0edbb6d23c545f8f81336c5555eb8694bb0c89b600a8aa2f7dd878
-
SSDEEP
768:Z/8mWE+vcY96DhR8ZSDc28hO3c3VgDeoVZnE:2a+0Y96DhR8658533s
Score
10/10
Malware Config
Extracted
Family
smokeloader
Botnet
pub1
Extracted
Family
smokeloader
Version
2022
C2
http://evilos.cc/tmp/index.php
http://gebeus.ru/tmp/index.php
http://office-techs.biz/tmp/index.php
http://cx5519.com/tmp/index.php
rc4.i32
rc4.i32
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe"C:\Users\Admin\AppData\Local\Temp\37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1040-0-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/1040-2-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/1192-1-0x00000000024A0000-0x00000000024B6000-memory.dmpFilesize
88KB