MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02f6651a25fefd7f952cd2b2dc74c4b2155b8a96e0caf6127f0eb966b5cd9426. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02f6651a25fefd7f952cd2b2dc74c4b2155b8a96e0caf6127f0eb966b5cd9426
SHA3-384 hash: 5841c8c46345182f63e91e7cd0e04800dc2315e1e2965517e4adf540d933b4011447a93c9caf9a9765abeb4435f6527e
SHA1 hash: 038077c602dbdc0afecd8449dbad0f15df16ac30
MD5 hash: 9ef687c54c8b67d33e8bcd521024d271
humanhash: spring-april-nineteen-indigo
File name:SecuriteInfo.com.Win32.TrojanX-gen.19321.7615
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:251'392 bytes
First seen:2023-09-19 15:32:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 82fc6aa150be346f557bda3dbcb8fac7 (7 x Smoke Loader, 2 x Tofsee, 2 x RedLineStealer)
ssdeep 3072:PZChq7imQyw6xSavtuZrHf7ZB7YaaC9jjNVvSxz5zFSls:P77imJwtjjjNVqxNzFS
Threatray 2'578 similar samples on MalwareBazaar
TLSH T17C34CF21B7E1C832D0AB56304570CA791E7BBC22A675C18F27E41F3A2E703C15EBA756
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70d0dcd0c4d0d2dd (1 x TeamBot, 1 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.TrojanX-gen.19321.7615
Verdict:
Malicious activity
Analysis date:
2023-09-19 16:47:45 UTC
Tags:
loader smoke
Link:
https://app.any.run/tasks/67b422e7-2002-4b39-bc83-e3419f26d594

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449702/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.19321.7615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware lolbin masquerade shell32
Link:
https://www.filescan.io/uploads/6509bf3133582f234efc364d/reports/83884098-f085-4512-9a04-1cc260b295c5/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/02f6651a25fefd7f952cd2b2dc74c4b2155b8a96e0caf6127f0eb966b5cd9426
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dca5aa60-7f92-476b-8d17-ffac80bc560d
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310866
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1310866 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 19/09/2023 Architecture: WINDOWS Score: 100 26 Found malware configuration 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Antivirus detection for URL or domain 2->30 32 4 other signatures 2->32 6 SecuriteInfo.com.Win32.TrojanX-gen.19321.7615.exe 2->6         started        9 thsfdvr 2->9         started        process3 signatures4 34 Detected unpacking (changes PE section rights) 6->34 36 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 6->36 38 Maps a DLL or memory area into another process 6->38 46 2 other signatures 6->46 11 explorer.exe 4 3 6->11 injected 40 Antivirus detection for dropped file 9->40 42 Multi AV Scanner detection for dropped file 9->42 44 Machine Learning detection for dropped file 9->44 process5 dnsIp6 20 181.170.86.159, 49729, 49734, 49735 TelecomArgentinaSAAR Argentina 11->20 22 190.224.203.37, 49725, 49755, 49764 TelecomArgentinaSAAR Argentina 11->22 24 10 other IPs or domains 11->24 16 C:\Users\user\AppData\Roaming\thsfdvr, PE32 11->16 dropped 18 C:\Users\user\...\thsfdvr:Zone.Identifier, ASCII 11->18 dropped 48 System process connects to network (likely due to code injection or exploit) 11->48 50 Benign windows process drops PE files 11->50 52 Deletes itself after installation 11->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->54 file7 signatures8
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/02f6651a25fefd7f952cd2b2dc74c4b2155b8a96e0caf6127f0eb966b5cd9426/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 15:33:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=al3gkgrf736x7fjm2kzny5gewikvxcuw4dfpmet7b24wnnonsqta._file
Verdict:
malicious
Similar samples:
02a2eb47b6d8711c8a76cf30e0835a91ae9289540cfc9091ce837b809932c507
Smoke Loader
0c26ec308dc78ef090ebec907e1eb15d6dfdc28a85fa27e0a945fc5354a3e5f9
Smoke Loader
6ba6ba1ad5f6525a76e854affad5bb28d1e59c93bd26d88a9cf1da7b84ed3b27
Smoke Loader
80c8b0971ef6542ced612e91aff7bca5d0ae3462a62b20eea298e3ac20d4df2e
Smoke Loader
93c048fa590c3fc63003ccec29071f13aebda830c4094430445fd996d8cca072
Smoke Loader
b1a03e848235832237fff6c73ddfb785968b66ee3683c2dc1ec1e6be516ac461
Smoke Loader
b92797965358585eadbe928c2b8531c5575caa87cbcef1171a48f1941a10b740
Smoke Loader
de8385440c23789f44c418bdf2e30578559b1c6b142c820f081f81280d1c0888
Smoke Loader
e2890e9fa0e086c87f866ebcf6b83fed7029cc9221ecc19318af45a8608a11e8
Smoke Loader
e7b2ce3363313b6bcc7651b591e5fe8280f0ca40bd1e7652f6376cc3100cc441
Smoke Loader
+ 2'568 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub1 backdoor trojan
Link:
https://tria.ge/reports/230919-sy682ahh8v/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
f8e33fe12c8d4ea39089e504e4071cee057a69cd4f7198b1b96d6841d73037c5
MD5 hash:
369bfea70013cbf36679b6e8edb298a5
SHA1 hash:
575e3646997d3ffa0267ac4dd989e97436ea31cf
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/0672088f-4651-4187-9d4b-88cc12aef5cd/
Parent samples :
cf006190a75a8fa6faf74c6200d7d56d0bb4ed0cd140a328537d3096ecd07a32
a2260ac65c2814e6a0e7b839474a298333f2a4a7ac60af12861dcc9edf5a6019
fefa50ffd7c9e19b4c4d84e664b894c6377196942024b71ee371c466d194ee9c
581407074ab82ef32bfaaa4bd7a6bc4da38ca7c4ad8f91166c2be4325ae000f9
947fb340a672bd684a18ab7aeb7fe28cd9f2eee3c0de99c205f3a4a39aad12c0
f5b5c89e8d4e216a731c5fa57e53ebd9012c41f2d65c0c48eb45ccac021b4311
77fcb3294002ee5ecfbd36825e19d038a4d7d213734758dae1fa731bfa2b1058
4201248030180127dc4299a4dbcc6cde35beaafbefd9a25ffb3093d3e35f5dc2
2a8bad21145b4d758332588fb79ef6bcb2aa95bd7de7a2d8c0777e6f7146b115
8c8545f91021086b21437241273005f51f0d05c46a434e9dd4076d6b98aa5c76
c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1
57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329
9efbde4de467c8a82b270b40c014c4243284b016bd2788164d85012f36aed0ad
8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b
9e7c8aea93412acc8d8de3a956e8485a86caf40c626b2abd491bd5404df1bfbb
56be912ce754d75f3385dab925ee34d9a0a1e07fe841c6a2e9adafa8021c99bc
aa918d4dd7706951fc290b6a5d3ba0e48acc5443056894ee3aad1baa52f412ba
5543fd0c115a8af9e627936be64a3f0fafc187665d000954ef32da675ec76a2c
306c89756cc1899b6f76dd3e7b68dcb0b4581a152f14df79ff167f0627c85424
6ea8ce3dab88347218d50dd6b92433f9849086080ad2d31a08aad73a3fd35ff7
aa38ec70b85a9e070536db5b73e65f116023b1d414bbc517c06aae7d6a3aa942
3cbbbd55fe8f11d140207ab210179a8a783b1d6975b82107ccd9344d5454194e
02f6651a25fefd7f952cd2b2dc74c4b2155b8a96e0caf6127f0eb966b5cd9426
cd07ecda2eefa380e4145bc61de665e4685634cf155ee8e2221a01765d2a8378
83f3f206fe4cc3ce88d84364f970ed0ced22d05f418b7760eae1e6fb2178a33c
f28743ef69738184972b65c6b04cae600f1d01ace14a9c1cd1eab7224274812e
a9f3066845f3f00c34bd13812d9b2db561ec77824aa0ece2fca57f0071847d38
739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022
a76ac34a9fc8146224d737ebb15bdbf2e35acd67e274ad328fcab5b99f8a99c1
31e54f46b20976c9779d4fde6282ec9fc581b50646a802a517e827c5e7a6aebb
84a2a39c8624e70794650b0ce2c465edb00d4008e4676216e601e062ff982c08
e31e7dac8306f497a88a1c6c51677a08e5b772f38a903abf7029dc907773ccec
a9c5516972bc66b765e441a967eb97ec21c8b0b0b6d0c44180d0317d45fe378a
13f0797738f385a0330c1790cbdf50b0b245aae08345827936582b9369485b15
8a3258d8e2ddf101c043d08960fcab0dacddf2cbd49a5da71156ed2c74a7987b
875263c84abb9b3e5fbdf864f5389b7f863afe454c03f6c0d8bda8fe29db705d
SH256 hash:
02f6651a25fefd7f952cd2b2dc74c4b2155b8a96e0caf6127f0eb966b5cd9426
MD5 hash:
9ef687c54c8b67d33e8bcd521024d271
SHA1 hash:
038077c602dbdc0afecd8449dbad0f15df16ac30
Link:
https://www.unpac.me/results/0672088f-4651-4187-9d4b-88cc12aef5cd/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/02f6651a25fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02f6651a25fefd7f952cd2b2dc74c4b2155b8a96e0caf6127f0eb966b5cd9426

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 02f6651a25fefd7f952cd2b2dc74c4b2155b8a96e0caf6127f0eb966b5cd9426

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2712491/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2712462/
Cape
Cape
https://www.capesandbox.com/analysis/449702/

Comments