MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 067439eef145d00e29640554bedb7458e1e56861ed5a1a9cfaed14205d8682ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 067439eef145d00e29640554bedb7458e1e56861ed5a1a9cfaed14205d8682ef
SHA3-384 hash: 78431d6b6a2fc4a9dd3ed4ccebbf8fe913a714dd39c5d360faca85cac3cf8d74d68b015e2eb46a6c531eb85d0d24363e
SHA1 hash: b719cb78850d68b7254f1f3fafd44c380a9c1734
MD5 hash: ac8faa9df081aeb5c859f0f906568692
humanhash: south-golf-eighteen-muppet
File name:ac8faa9df081aeb5c859f0f906568692.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:294'400 bytes
First seen:2022-03-08 23:50:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3eef4090e823297f158db506eb4add6c (2 x Smoke Loader, 1 x DanaBot, 1 x RedLineStealer)
ssdeep 6144:qBy5cNZlhtOIq/f5KP1AFchyfTRBJ+HYPtIUzyhmxSJVvoq8:EvNZUB35KNAFrTRH+4Pt14
Threatray 2'726 similar samples on MalwareBazaar
TLSH T154549E10AAA0C035F5F712F84A7A936CB93E7AA05B7490CB53D56AE957346E0FC3131B
File icon (PE):PE icon
dhash icon 2dac1378319b9b91 (29 x Smoke Loader, 23 x RedLineStealer, 22 x Amadey)
Reporter abuse_ch
Tags:exe Smoke Loader


Avatar
abuse_ch
Smoke Loader C2:
http://101.99.95.5/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://101.99.95.5/ https://threatfox.abuse.ch/ioc/393044/
5.206.224.220:81 https://threatfox.abuse.ch/ioc/393052/
2.56.56.116:5766 https://threatfox.abuse.ch/ioc/393128/

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248516/
Detection(s):
Win.Dropper.Generickdz-9939781-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Creating a file in the Windows subdirectories
DNS request
Launching a process
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8692/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6227ebe8dfdfa8501c7cebcd/reports/96ef53ea-0d4f-4466-9315-d18bfcd8e399/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/758ce3dd-59a0-4005-842f-f669a4e41546
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953050
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution of Suspicious File Type Extension
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 585531 Sample: pujCISR4zF.exe Startdate: 09/03/2022 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected SmokeLoader 2->34 36 4 other signatures 2->36 7 pujCISR4zF.exe 2->7         started        10 fvfgdfu 2->10         started        process3 signatures4 46 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->46 12 pujCISR4zF.exe 7->12         started        48 Multi AV Scanner detection for dropped file 10->48 50 Machine Learning detection for dropped file 10->50 52 Contains functionality to inject code into remote processes 10->52 54 Injects a PE file into a foreign processes 10->54 15 fvfgdfu 10->15         started        process5 signatures6 56 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->56 58 Maps a DLL or memory area into another process 12->58 60 Checks if the current machine is a virtual machine (disk enumeration) 12->60 17 explorer.exe 2 12->17 injected 62 Creates a thread in another existing process (thread injection) 15->62 process7 dnsIp8 26 file-coin-host-12.com 45.8.124.53, 49730, 80 SELECTELRU Russian Federation 17->26 28 host-data-coin-11.com 17->28 22 C:\Users\user\AppData\Roaming\fvfgdfu, PE32 17->22 dropped 24 C:\Users\user\...\fvfgdfu:Zone.Identifier, ASCII 17->24 dropped 38 System process connects to network (likely due to code injection or exploit) 17->38 40 Benign windows process drops PE files 17->40 42 Deletes itself after installation 17->42 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->44 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/067439eef145d00e29640554bedb7458e1e56861ed5a1a9cfaed14205d8682ef/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 23:51:10 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=az2dt3xrixia4kleavkl5w3uldq6k2db5vnbvhh25ukcaxmgqlxq._file
Verdict:
malicious
Similar samples:
06de7a6020311d1148c053a1b4d620a556e4ec46c670b44f1f280b4fbd68dfd2
Smoke Loader
20ed18cbc1527dec58a455f647eb689f80873fb28c668758f65eb22c91880898
Smoke Loader
4b415f57ac7f2c6fbe7c0a984e819197866fa04b9f88651ab6ede076a7c76c60
Smoke Loader
773be0566a9429af2d1daf0d63ad488047a79747cfb910b115af939bfd1bd533
Smoke Loader
7a0ace49d3bdeb09fd1b43f8676d83862f15119039eaddf428e560eeea0eaa5c
Smoke Loader
81dd784ad8e4a6924b1b0ee5ebf09d3018e3bda4225f3c89439e8846cf5e09d9
Smoke Loader
92658a69d2939c08c0b2e75389b34b787da9c32c38742827f8bd85ccb549efc9
Smoke Loader
b0d747fcff4576bf28d31bc2e7d681c5c08310ef212c96e63b7e60db6d015ec7
Smoke Loader
bef679a7a5813bf427d09590de7d2f483f8607c44172738aaee3760262eb29a8
Smoke Loader
+ 2'716 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220308-3v5wxabfd6/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/318aa33b-e563-471c-9259-a3e2ad1279f1/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
067439eef145d00e29640554bedb7458e1e56861ed5a1a9cfaed14205d8682ef
MD5 hash:
ac8faa9df081aeb5c859f0f906568692
SHA1 hash:
b719cb78850d68b7254f1f3fafd44c380a9c1734
Link:
https://www.unpac.me/results/318aa33b-e563-471c-9259-a3e2ad1279f1/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/067439eef145/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/067439eef145d00e29640554bedb7458e1e56861ed5a1a9cfaed14205d8682ef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 067439eef145d00e29640554bedb7458e1e56861ed5a1a9cfaed14205d8682ef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2059403/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/248516/

Comments