MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03d92e1238fcdb64e522bad8b8c152d85de2036a6aedf152e5c3bf24d3017d07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03d92e1238fcdb64e522bad8b8c152d85de2036a6aedf152e5c3bf24d3017d07
SHA3-384 hash: 0fb97dfd1070065d2b672a5dc3baaf9077400ed2d0fb3d14e2c383cae841b2948e79850dfd358c414126d7baa3bd000a
SHA1 hash: f2b7b19491d83cb0c19d626cea7cd2fb3f2f3250
MD5 hash: f369588812d6152ee6ea28bb247458e5
humanhash: nitrogen-green-west-beryllium
File name:f369588812d6152ee6ea28bb247458e5.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:167'936 bytes
First seen:2021-03-23 11:06:22 UTC
Last seen:2021-03-23 12:37:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 324f7a23dd9ee2981a38a6a6d641842c (3 x CryptBot, 1 x Smoke Loader, 1 x Loki)
ssdeep 3072:kHJSXdhmkL0VJtkdr7uYdUn/2tlcGPGPSkceLRRnjRSUPYm:gJISi6Udr1tlcGPE8e/njQaYm
Threatray 284 similar samples on MalwareBazaar
TLSH E1F39E1172E0C073E1571A760896C6B50A3AFCB65B3157CB3B902B6E5F363E19A3A347
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
464
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f369588812d6152ee6ea28bb247458e5.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-23 11:23:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a2a0fefd-497b-40ce-b8ac-237180d21fff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126564/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader38.9606.13236.5726.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Connection attempt
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/649849
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 373883 Sample: 37Lr8nr9qj.exe Startdate: 23/03/2021 Architecture: WINDOWS Score: 100 29 Multi AV Scanner detection for domain / URL 2->29 31 Found malware configuration 2->31 33 Antivirus detection for URL or domain 2->33 35 5 other signatures 2->35 6 37Lr8nr9qj.exe 1 2->6         started        9 iuggctb 1 2->9         started        process3 file4 37 Detected unpacking (changes PE section rights) 6->37 39 Renames NTDLL to bypass HIPS 6->39 41 Maps a DLL or memory area into another process 6->41 12 explorer.exe 2 6->12 injected 17 C:\Users\user\AppData\Local\Temp\9419.tmp, PE32 9->17 dropped 43 Machine Learning detection for dropped file 9->43 45 Checks if the current machine is a virtual machine (disk enumeration) 9->45 47 Creates a thread in another existing process (thread injection) 9->47 signatures5 process6 dnsIp7 23 autopartswarehouses.ru 185.14.31.88, 49724, 49726, 49727 ITLDC-NLUA Ukraine 12->23 25 gmbshop.ru 93.170.123.43, 443, 49722, 49723 IHOR-ASRU Czech Republic 12->25 27 7 other IPs or domains 12->27 19 C:\Users\user\AppData\Roaming\iuggctb, PE32 12->19 dropped 21 C:\Users\user\...\iuggctb:Zone.Identifier, ASCII 12->21 dropped 49 System process connects to network (likely due to code injection or exploit) 12->49 51 Benign windows process drops PE files 12->51 53 Deletes itself after installation 12->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->55 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03d92e1238fcdb64e522bad8b8c152d85de2036a6aedf152e5c3bf24d3017d07/
Threat name:
Win32.Spyware.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-03-23 10:13:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=apms4ery7tnwjzjcxlmlrqks3bo6ea3knlw7cuxfyo7sjuybpudq._file
Verdict:
malicious
Similar samples:
12a7fa081db7ec58b5ea6c233b34bc99ff96c0ba8b3920e1c60edf961b9ff941
Smoke Loader
2fd307854f54e5099e4eb4ced197cddfb7167367cf2a1a09c8f9e82ee6ff07b8
Smoke Loader
65ddf9aab27a629c12e3547e41cae654ef6988a9b071cd75b47941d1f80f6c25
Smoke Loader
843659a7eb9e5e312df2394a3dba6e3d5b0d82470f8028cc3380e536095011b9
Smoke Loader
873150eaed078d700bc9de93bd92bc085b822aa26239ddeff03a79aab1beb05f
Smoke Loader
87cd4125176db45ac6d32ff5979fcaf1d29eeac328323f545326bf0d63400967
Smoke Loader
8c9604ea096cd0a680d183f1f9b2a53d2cce276c7d86efdf21d3dd6bffead1f5
Smoke Loader
d0bbe394dbe2655583c0407a6a4501f3834b9420d3ae3c9774b44d0006814821
Smoke Loader
dcb02549ffe1d2212dbddc97bf48fc57965ca634ff30665cdeb085e60ae73690
Smoke Loader
dfe63ab07debce44c455949381d819eeef9a4e71ad2b681b3369130b51b33237
Smoke Loader
+ 274 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210323-l1h8l1my2x/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Deletes itself
Loads dropped DLL
SmokeLoader
Malware Config
C2 Extraction:
http://smbproperty.ru/
http://gmbshop.ru/
http://baksproperty.gov.ug/
http://magistralpsw.ru/
http://mpmanagertzz.ru/
http://powerglasspot.ru/
http://autopartswarehouses.ru/
http://memoloves.ru/
http://alfavanilin.ru/
Unpacked files
SH256 hash:
cd134fe58081acd7559cfcab15a717c7f9bc8947e94b539660975bebf8546f13
MD5 hash:
01a9c23c98d12fb28009e2de85352385
SHA1 hash:
947c4181eddfdde49342dc9566654d80062bfbd2
Link:
https://www.unpac.me/results/d0fd28f2-065a-45c7-8dd7-f288ddb109f6/
SH256 hash:
03d92e1238fcdb64e522bad8b8c152d85de2036a6aedf152e5c3bf24d3017d07
MD5 hash:
f369588812d6152ee6ea28bb247458e5
SHA1 hash:
f2b7b19491d83cb0c19d626cea7cd2fb3f2f3250
Link:
https://www.unpac.me/results/d0fd28f2-065a-45c7-8dd7-f288ddb109f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03d92e1238fcdb64e522bad8b8c152d85de2036a6aedf152e5c3bf24d3017d07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 03d92e1238fcdb64e522bad8b8c152d85de2036a6aedf152e5c3bf24d3017d07

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/949301/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/126564/

Comments