Demystify Cyber

Smoke Loader - December 2021

Updated: Mar 23


Smoke Loader is a bot application that can be used to load other payloads onto an infected system. First seen in 2011 being sold in underground markets, it goes dormant at times and then suddenly ramps up again. It is concerning because it drops other payloads, avoids detection, and can steal sensitive data. Some of the samples that Demystify Cyber analysed dropped Raccoon Stealer and RedLine malware.


  • Keep software and operating systems patched

  • Use a reputable, up-to-date anti-virus and keep it enabled

  • Consider rules to prevent access to the known malicious IP addresses/URLs

MITRE ATT&CK

Initial access

Initial access via a drive-by download from a compromised site


T1106: Native API – dynamically resolves API calls. Code function: 0_2_0040B862 __decode_pointer,LoadLibraryA,GetProcAddress,__encode_pointer,InterlockedExchange,FreeLibrary

T1203: Exploitation for Client Execution – drops PE files. File created: fuiubfa.4.dr


T1574.002: DLL Side-Loading – tries to load DLLs

Privilege Escalation

T1055: Process Injection – connects to the malicious URLs


T1036: Masquerading – drops files whose content doesn't match the file extension. File created: C:\Users\user\AppData\Roaming\fuiubfa

T1497: Virtualization/Sandbox Evasion – checks for kernel code integrity with NtQuerySystemInformation(CodeIntegrityInformation)

T1564.001: Hidden Files and Directories – hides that the exe was downloaded from the internet. File opened: C:\Users\user\AppData\Roaming\fuiubfa:Zone.Identifier read attributes | delete

T1027.002: Software Packing – changes PE section rights. Unpacked PE file: 0.2.4voNJxxVOQ.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
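As an added illustration of the T1027.002 indicator above (example code, not part of the original post), this Python check reads a PE section table and flags any section that is both executable and writable, the layout the packed sample shows for .text. The PE bytes it runs on are constructed inline as header-only samples mirroring the rights listed above.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_rights(pe_bytes: bytes) -> dict:
    """Map each section name to its memory rights as a string of E/R/W letters."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", pe_bytes, 0x3C)[0]        # e_lfanew
    if pe_bytes[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", pe_bytes, pe_off + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe_bytes, pe_off + 20)[0]
    table = pe_off + 24 + opt_hdr_size                          # first IMAGE_SECTION_HEADER
    rights = {}
    for i in range(num_sections):
        entry = table + 40 * i                                  # each header is 40 bytes
        name = pe_bytes[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", pe_bytes, entry + 36)[0]  # Characteristics field
        letters = ""
        if chars & IMAGE_SCN_MEM_EXECUTE:
            letters += "E"
        if chars & IMAGE_SCN_MEM_READ:
            letters += "R"
        if chars & IMAGE_SCN_MEM_WRITE:
            letters += "W"
        rights[name] = letters
    return rights


def packing_indicators(pe_bytes: bytes) -> list:
    """Names of sections that are executable AND writable: typical of a self-unpacking stub."""
    return [n for n, r in section_rights(pe_bytes).items() if "E" in r and "W" in r]


def build_sample_pe(sections) -> bytes:
    """Construct a minimal header-only PE32 for testing; sections is a list of (name, flags)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: right after DOS header
    opt_hdr_size = 224                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_hdr_size, 0x102)
    opt = bytearray(opt_hdr_size)
    opt[:2] = struct.pack("<H", 0x10B)                          # PE32 magic
    table = b"".join(name.ljust(8, b"\0") + bytes(28) + struct.pack("<I", flags)
                     for name, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples mirroring the rights quoted above: unpacked layout vs. packed .text:EW
E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UNPACKED = build_sample_pe([(b".text", E | R), (b".rdata", R), (b".data", W), (b".rsrc", R)])
PACKED = build_sample_pe([(b".text", E | W)])
```

Running packing_indicators over a dropped file gives a cheap triage signal to pair with the sandbox's unpack output; a clean build normally has no section that is both E and W.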

T1070.004: File Deletion – deletes traces of itself once the download has succeeded. File deleted: c:\users\user\desktop\4vonjxxvoq.exe

Discovery and Collection

T1518.001: Security Software Discovery – checks for a VM environment, looks for common AV solutions, checks for kernel code integrity. System information queried: CodeIntegrityInformation

T1082: System Information Discovery – queries the local system’s time, language, reads software policies, queries drivers that are running

T1560: Archive Collected Data – the malware contains an encryption function used to encrypt and compress stolen data located on the infected machine


T1573: Encrypted Channel – uses an encryption function and the proxy HTTPS port

T1071: Application Layer Protocol – the URLs for the command and control servers were located within the config of the malware; it performs DNS lookups and uses the proxy HTTPS port 443

Written by A. Turner

© A. Turner 2021 https://www.demystifycyber.com.au/

Provided for general information and education purposes
