smokeloader | 92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe
Size

172KB
MD5

88a28b818f9782600d08f075abf2a632
SHA1

60083f901ac4c0b5e8dd0b78b739df6cd9cf84c3
SHA256

92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d
SHA512

7533c77ffc23aab88136d7ffdc197d8c0b032ee52658eda20fc7776ad38340dc0505857e0cc13cee0d5996896ba7b4a7e45f825061af2797b7d33579bf593c30
SSDEEP

3072:/R5RL3RccKGpeek2KOQT5+LbzKNO1KuU3:p5RL3RccDee6xMLbze7

Score

10^/10

smokeloader pub2 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2022

http://evilos.cc/tmp/index.php

http://gebeus.ru/tmp/index.php

http://office-techs.biz/tmp/index.php

http://cx5519.com/tmp/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1160
Executes dropped EXE 1 IoCs

Processes:

hterjeh

pid process

2652 hterjeh

pid	process
1160

pid	process
2652	hterjeh

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exehterjeh

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hterjeh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hterjeh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hterjeh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe

pid	process
1936	92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe
1936	92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exehterjeh

pid process

1936 92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe
2652 hterjeh

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2448 wrote to memory of 2652	2448	taskeng.exe	hterjeh
PID 2448 wrote to memory of 2652	2448	taskeng.exe	hterjeh
PID 2448 wrote to memory of 2652	2448	taskeng.exe	hterjeh
PID 2448 wrote to memory of 2652	2448	taskeng.exe	hterjeh

C:\Users\Admin\AppData\Local\Temp\92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe
"C:\Users\Admin\AppData\Local\Temp\92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1936

C:\Windows\system32\taskeng.exe
taskeng.exe {80396E00-BFCB-468D-BBCF-911D81CA194C} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Roaming\hterjeh
C:\Users\Admin\AppData\Roaming\hterjeh
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hterjeh
Filesize
172KB

MD5
88a28b818f9782600d08f075abf2a632

SHA1
60083f901ac4c0b5e8dd0b78b739df6cd9cf84c3

SHA256
92d74f895798a56cdd1e0b416730e995eaa193ef2ed3fb7855936326019dd93d

SHA512
7533c77ffc23aab88136d7ffdc197d8c0b032ee52658eda20fc7776ad38340dc0505857e0cc13cee0d5996896ba7b4a7e45f825061af2797b7d33579bf593c30

Download Submit
memory/1160-4-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1160-16-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1936-1-0x0000000002810000-0x0000000002910000-memory.dmp

Filesize
1024KB

Download
memory/1936-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1936-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1936-8-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1936-5-0x0000000000400000-0x0000000002719000-memory.dmp

Filesize
35.1MB

Download
memory/2652-15-0x0000000000400000-0x0000000002719000-memory.dmp

Filesize
35.1MB

Download
memory/2652-19-0x0000000000400000-0x0000000002719000-memory.dmp

Filesize
35.1MB

Download