MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03a8e7d6944e5b0431d732bde69f69c319fc827feca236884605db47d35a3ac3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03a8e7d6944e5b0431d732bde69f69c319fc827feca236884605db47d35a3ac3
SHA3-384 hash: 80112d0da5fd22f019a89441dff3bd98e9e1c6b8ace71cd09b35c44f731be49f49f52547df1f534fe74a11fce0473f8a
SHA1 hash: d0b5670466af3e6df52ae7d8caf9d7ecdb78ce6c
MD5 hash: df1004ebf283062e65e1955c3e08649b
humanhash: carbon-robert-uranus-pip
File name:df1004ebf283062e65e1955c3e08649b.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:351'232 bytes
First seen:2021-11-13 10:26:59 UTC
Last seen:2021-11-13 13:09:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea99ca467492cc4d133feba5a83ca2ae (4 x RaccoonStealer, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:90OcztEcSofb+2aXGbofhK6tQUNIG3NFEz/vplx72:9cztEXof62aWbofhK6tQUNIG3NAp/2
Threatray 2'418 similar samples on MalwareBazaar
TLSH T1F9749D00B6A1C435F5B216F849769369B93F7DA1AB6590CF22C42BEE4634AE0FC31357
File icon (PE):PE icon
dhash icon e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205437/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.8202.31056.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/618f92f93edf00a722d1ceb1/reports/f847ebbd-316d-4f5a-aee8-5a5f1f3c9f4e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e8f6e99-7c79-4844-87ca-533aca31e1a2
Result
Threat name:
Clipboard Hijacker RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888521
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520990 Sample: BUOz83uc5a.exe Startdate: 13/11/2021 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Antivirus detection for URL or domain 2->57 59 11 other signatures 2->59 8 BUOz83uc5a.exe 2->8         started        11 wadvrbs 2->11         started        13 wadvrbs 2->13         started        15 SmartClock.exe 2->15         started        process3 signatures4 77 Detected unpacking (changes PE section rights) 8->77 79 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->79 81 Maps a DLL or memory area into another process 8->81 17 explorer.exe 4 8->17 injected 83 Machine Learning detection for dropped file 11->83 85 Checks if the current machine is a virtual machine (disk enumeration) 11->85 87 Creates a thread in another existing process (thread injection) 11->87 process5 dnsIp6 45 membro.at 189.165.53.172, 49774, 49775, 49776 UninetSAdeCVMX Mexico 17->45 47 nutriescapa.com 47.254.172.3, 49789, 49799, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 17->47 49 8 other IPs or domains 17->49 35 C:\Users\user\AppData\Roaming\wadvrbs, PE32 17->35 dropped 37 C:\Users\user\AppData\Local\Temp104.exe, PE32 17->37 dropped 39 C:\Users\user\AppData\Local\Temp\1AA4.exe, PE32 17->39 dropped 41 2 other malicious files 17->41 dropped 61 System process connects to network (likely due to code injection or exploit) 17->61 63 Benign windows process drops PE files 17->63 65 Deletes itself after installation 17->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->67 22 E104.exe 4 17->22         started        26 1AA4.exe 2 17->26         started        29 16.exe 17->29         started        31 SmartClock.exe 17->31         started        file7 signatures8 process9 dnsIp10 43 C:\Users\user\AppData\...\SmartClock.exe, PE32 22->43 dropped 69 Detected unpacking (changes PE section rights) 22->69 71 Detected unpacking (overwrites its own PE header) 22->71 73 Machine Learning detection for dropped file 22->73 75 Delayed program exit found 22->75 33 SmartClock.exe 22->33         started        51 185.215.113.29, 1102, 49823 WHOLESALECONNECTIONSNL Portugal 26->51 file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03a8e7d6944e5b0431d732bde69f69c319fc827feca236884605db47d35a3ac3/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-11-13 10:27:05 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0537e5b579951c5fcbd64fbf11bb1b0ea70bd9d7984896b5893ba64d06597d6a
Smoke Loader
0bd71ea13d68490c12e62e4a4e8b17839cba71bacbe16653656e89c65a945652
Smoke Loader
218ae2e9ccd0d778ca78c7aa8e9fd7101819507d0f9da4bfbc40687063bd7fd4
Smoke Loader
4af44e0b7a0277b0e21c9edfd65eeb1d833cbfa66b8ba6a933685eff3ce607f2
Smoke Loader
672c2343ecbaba5e397027a9a13a04ef46e9d7036ae7a4ebf32336e3708d2af8
Smoke Loader
6f279d711337e4691a39d38937f64047e8d07215f4216f195517772ff6a4706f
Smoke Loader
8577213832eecf00f77003ddf49fb6630af4906b10b350f9dd88a899d9720a98
Smoke Loader
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7
Smoke Loader
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
Smoke Loader
+ 2'408 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/211113-mg4hxsehe7/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
Unpacked files
SH256 hash:
38b50520397a48d6dc0044fb2aca06b6789cfbe921488422471eab7def65e820
MD5 hash:
67c9034e01a3a23f977b8aa138e88b57
SHA1 hash:
e430b48053c15d914edc1eca59be4964292648c2
Link:
https://www.unpac.me/results/b3570c09-b479-4003-95fb-7fe7667494fa/
SH256 hash:
03a8e7d6944e5b0431d732bde69f69c319fc827feca236884605db47d35a3ac3
MD5 hash:
df1004ebf283062e65e1955c3e08649b
SHA1 hash:
d0b5670466af3e6df52ae7d8caf9d7ecdb78ce6c
Link:
https://www.unpac.me/results/b3570c09-b479-4003-95fb-7fe7667494fa/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 03a8e7d6944e5b0431d732bde69f69c319fc827feca236884605db47d35a3ac3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1780199/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205437/

Comments