MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 059d615ce6dee655959d7feae7b70f3b7c806f3986deb1826d01a07aec5a39cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 059d615ce6dee655959d7feae7b70f3b7c806f3986deb1826d01a07aec5a39cf
SHA3-384 hash: 2e890d7f237b00f4aa3caee7b7cf671ab38e75f42144023d619599600809dd0d851e4dc9eb6845d89b20e73fbc42f52a
SHA1 hash: 5ab7b914582a53bdca1de85f6be5ddf26a1bacfc
MD5 hash: 95962030ed82d12fa0265087ba3a0bf7
humanhash: cup-wolfram-september-winner
File name:triage_dropped_file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:347'136 bytes
First seen:2022-02-18 11:10:14 UTC
Last seen:2022-02-18 13:08:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 73986ba02aa7b8f75d697f013427a88c (1 x Smoke Loader)
ssdeep 6144:T57uhwRNhOb7nfEdBwTQoK4bMiH5Aq1rjqI9CAd+R20iSVnlo:17RzOPfEdKTQoK4zGqJjS7
Threatray 8'719 similar samples on MalwareBazaar
TLSH T1DB74AE00BBA0C03DE1B716F8797993ADA52E7DB19B3551CB62D62AEE06346E0DC71307
File icon (PE):PE icon
dhash icon 2dac137839939b91 (18 x RedLineStealer, 12 x Smoke Loader, 6 x Amadey)
Reporter malwarelabnet
Tags:exe Smoke Loader SmokeLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://172.245.27.25/10/vbc.exe
Verdict:
No threats detected
Analysis date:
2022-02-18 15:57:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89e3ecc3-557f-4596-b4a4-f1a55c41dfea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242517/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.26996.26416.16662.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
Setting browser functions hooks
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6591/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/620f7ecaac8ad0468b50891f/reports/cc7168b3-f664-4e07-bf33-d90f335d55c4/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/631236bf-0c97-4b3b-9167-05babdf2a354
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942146
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 574622 Sample: triage_dropped_file Startdate: 18/02/2022 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Antivirus detection for URL or domain 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 3 other signatures 2->41 7 triage_dropped_file.exe 2->7         started        10 sgjrrrv 2->10         started        process3 signatures4 51 Detected unpacking (changes PE section rights) 7->51 53 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->53 55 Maps a DLL or memory area into another process 7->55 61 2 other signatures 7->61 12 explorer.exe 3 7->12 injected 57 Multi AV Scanner detection for dropped file 10->57 59 Machine Learning detection for dropped file 10->59 process5 dnsIp6 33 venis.ml 2.57.187.166, 49756, 49762, 80 DTLNRU Russian Federation 12->33 27 C:\Users\user\AppData\Roaming\sgjrrrv, PE32 12->27 dropped 29 C:\Users\user\...\sgjrrrv:Zone.Identifier, ASCII 12->29 dropped 63 Benign windows process drops PE files 12->63 65 Injects code into the Windows Explorer (explorer.exe) 12->65 67 Deletes itself after installation 12->67 69 2 other signatures 12->69 17 explorer.exe 8 12->17         started        21 explorer.exe 12->21         started        23 explorer.exe 12->23         started        25 4 other processes 12->25 file7 signatures8 process9 dnsIp10 31 venis.ml 17->31 43 System process connects to network (likely due to code injection or exploit) 17->43 45 Found evasive API chain (may stop execution after checking mutex) 17->45 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->47 49 4 other signatures 17->49 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/059d615ce6dee655959d7feae7b70f3b7c806f3986deb1826d01a07aec5a39cf/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2022-02-18 08:44:51 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
31 of 42 (73.81%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc
Smoke Loader
1e1885766a2d50045f07b07ef4d8f989a578e7cae4696054ff60c0341537d371
Smoke Loader
33e30423aa49be107686f0ee537128f8cd5e30ab0f3dc5c543df8e34aa440067
Smoke Loader
47877f3c1845e3953521074c3e9edf10872e8c3d2ca495dea935bbc6f3b3bc74
Smoke Loader
47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b
Smoke Loader
7a71c46f5f6f27776603ee0de69e6eb83364942d8af0c16f5b54c14d7faba136
Smoke Loader
808a1353be2e23a511c577b86ca5c2e37ee4a30d8b5abde669e7cc2f9d91d5e2
Smoke Loader
c56be7c521d0f14e957932b89fc10c89ed377a1a7f05acc8d0b0b522b21e588c
Smoke Loader
+ 8'709 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor collection trojan
Link:
https://tria.ge/reports/220218-m99weacdf9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Deletes itself
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://venis.ml/
http://tootoo.ga/
http://eyecosl.ga/
http://bullions.tk/
http://mizangs.tw/
http://xpowebs.ga/
Unpacked files
SH256 hash:
2a2a24b2aec961a9bc58a08b3d2ede149b355582922028fc5d34c3ebee530ea4
MD5 hash:
39f7f06c405409ec44bd11d5133b5a23
SHA1 hash:
1a9df8945f1b53dda537be71ad8e782347966432
Link:
https://www.unpac.me/results/87c0aa16-b944-40ff-97ab-97a6dde5072e/
Parent samples :
ee2303e68ac732d267dc3dcffb67e79522616d8c9c0b4a192102e218cd845462
9977d826ef41dc2fc2a1051103e3aa1272b6d14b43008b36895bd6f1e41f278a
44dcc0e960aa0d4f02002d9f77c54fbc851d5839d3724f22fdaa0831204d2fea
9d8c139486e10c18d8aa6534ce12c6dff83fee5b4b6c07e96159e2fe7a74572c
f5b7b1d297d29501b9c0dc22f6eaa32cdfd1dc366a2f23e7920abd9d35bc7558
SH256 hash:
059d615ce6dee655959d7feae7b70f3b7c806f3986deb1826d01a07aec5a39cf
MD5 hash:
95962030ed82d12fa0265087ba3a0bf7
SHA1 hash:
5ab7b914582a53bdca1de85f6be5ddf26a1bacfc
Link:
https://www.unpac.me/results/87c0aa16-b944-40ff-97ab-97a6dde5072e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/059d615ce6de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/059d615ce6dee655959d7feae7b70f3b7c806f3986deb1826d01a07aec5a39cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 059d615ce6dee655959d7feae7b70f3b7c806f3986deb1826d01a07aec5a39cf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2047524/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2047533/
Cape
Cape
https://www.capesandbox.com/analysis/242517/

Comments