MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02de42ef29e6f22450cfb90e359b3669081aa4ea2eb90d0c03654f0315658a12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02de42ef29e6f22450cfb90e359b3669081aa4ea2eb90d0c03654f0315658a12
SHA3-384 hash: 696c1bb35f7145a24c64e29ac23e4814cb5b32f64891c6c5ca1ca62dd828aa9ff0ec320c7dcecc73eee1727efde7a1b7
SHA1 hash: 33cd763e370fcec823c9e711bfd8a3f670e8920c
MD5 hash: a0ace07026e81a7cc74e7f52d5e58ec6
humanhash: item-tango-skylark-seven
File name:a0ace07026e81a7cc74e7f52d5e58ec6.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:347'648 bytes
First seen:2021-11-05 15:22:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2bde03b8e77a01221a51ce447d5c160e (3 x Smoke Loader, 3 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 6144:3N9h23ZQGjJ1t9W9HRvhhs+gVDDIcbYYCQr+J:3N93GjJ79aHRvhhs+gvd+
TLSH T1D3748D006BA1C039F1B252F879B693B9B53A7DA1AB3450CF13D52AEE5A306D0ED70717
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202780/
Detection(s):
Win.Trojan.Generic-9906244-0
Create hunting rule

Win.Dropper.Tofsee-9906245-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61854c578eec3805367ff8dc/reports/cebbec9c-f4a4-415d-93e2-982f2b621251/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9cd621a8-d8bf-4eac-b3cb-9fb9dc62f3b5
Result
Threat name:
Clipboard Hijacker KPot SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884157
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected KPot
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 516603 Sample: YXgVl4tuXh.exe Startdate: 05/11/2021 Architecture: WINDOWS Score: 100 72 here000000it.is 2->72 80 Antivirus detection for URL or domain 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Detected unpacking (changes PE section rights) 2->84 86 9 other signatures 2->86 10 YXgVl4tuXh.exe 2->10         started        13 fajhctj 2->13         started        15 svchost.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 104 Detected unpacking (changes PE section rights) 10->104 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->106 108 Maps a DLL or memory area into another process 10->108 110 Creates a thread in another existing process (thread injection) 10->110 20 explorer.exe 4 10->20 injected 112 Multi AV Scanner detection for dropped file 13->112 114 Machine Learning detection for dropped file 13->114 116 Checks if the current machine is a virtual machine (disk enumeration) 13->116 118 Changes security center settings (notifications, updates, antivirus, firewall) 15->118 25 MpCmdRun.exe 1 15->25         started        68 127.0.0.1 unknown unknown 17->68 70 192.168.2.1 unknown unknown 17->70 signatures6 process7 dnsIp8 74 5.255.98.133, 49750, 49797, 80 LITESERVERNL Netherlands 20->74 76 189.165.34.138, 49788, 80 UninetSAdeCVMX Mexico 20->76 78 8 other IPs or domains 20->78 52 C:\Users\user\AppData\Roaming\fajhctj, PE32 20->52 dropped 54 C:\Users\user\AppData\Local\Temp\C06B.exe, PE32 20->54 dropped 56 C:\Users\user\AppData\Local\Temp\5EA2.exe, PE32 20->56 dropped 58 3 other malicious files 20->58 dropped 88 System process connects to network (likely due to code injection or exploit) 20->88 90 Benign windows process drops PE files 20->90 92 Deletes itself after installation 20->92 94 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->94 27 5EA2.exe 3 4 20->27         started        31 C06B.exe 20->31         started        33 3732.exe 4 20->33         started        37 2 other processes 20->37 35 conhost.exe 25->35         started        file9 signatures10 process11 file12 60 C:\Users\user\AppData\...\SysPerformance.exe, PE32 27->60 dropped 120 Detected unpacking (changes PE section rights) 27->120 122 Detected unpacking (overwrites its own PE header) 27->122 124 Machine Learning detection for dropped file 27->124 126 Creates autostart registry keys with suspicious names 27->126 39 SysPerformance.exe 27->39         started        128 Contains functionality to infect the boot sector 31->128 62 C:\Users\user\AppData\...\SmartClock.exe, PE32 33->62 dropped 42 SmartClock.exe 33->42         started        64 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 37->64 dropped 66 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 37->66 dropped 130 Multi AV Scanner detection for dropped file 37->130 44 AdvancedRun.exe 1 37->44         started        46 AdvancedRun.exe 37->46         started        signatures13 process14 signatures15 96 Detected unpacking (changes PE section rights) 39->96 98 Detected unpacking (overwrites its own PE header) 39->98 100 Machine Learning detection for dropped file 39->100 102 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 39->102 48 AdvancedRun.exe 44->48         started        50 AdvancedRun.exe 46->50         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02de42ef29e6f22450cfb90e359b3669081aa4ea2eb90d0c03654f0315658a12/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-11-05 15:23:06 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/211105-ssgfescbb4/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Drops startup file
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Unpacked files
SH256 hash:
2d42354cb59833a247375928187032beead3c641520e36824fce6f48b126d8a6
MD5 hash:
38fa5abed729083474ad8e1084b03b6d
SHA1 hash:
707a3feb91f1242f57bdd9fb6b3852462b64a985
Link:
https://www.unpac.me/results/7c333d36-1762-4e01-8b3f-f867621d20a4/
SH256 hash:
02de42ef29e6f22450cfb90e359b3669081aa4ea2eb90d0c03654f0315658a12
MD5 hash:
a0ace07026e81a7cc74e7f52d5e58ec6
SHA1 hash:
33cd763e370fcec823c9e711bfd8a3f670e8920c
Link:
https://www.unpac.me/results/7c333d36-1762-4e01-8b3f-f867621d20a4/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/02de42ef29e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02de42ef29e6f22450cfb90e359b3669081aa4ea2eb90d0c03654f0315658a12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 02de42ef29e6f22450cfb90e359b3669081aa4ea2eb90d0c03654f0315658a12

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1744444/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/202780/

Comments