MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 094b5a3566d3cada4bd90443fd68c250a3f6cae4592e82314bf31ea3067a4ce4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 094b5a3566d3cada4bd90443fd68c250a3f6cae4592e82314bf31ea3067a4ce4
SHA3-384 hash: ad0604a2d726e5b72bf3fdb80c93d29c914bf802a735c299b9b2783fcaca4953a7c32b02c012691f9582cf2edca1e8ef
SHA1 hash: 08b7bc30505c55408519c3592315fa731258e214
MD5 hash: 5c5f1337d7431b869a69fe7dbeabeb8b
humanhash: mexico-spring-salami-speaker
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:308'736 bytes
First seen:2022-11-23 02:31:01 UTC
Last seen:2022-11-23 04:27:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a2621436f4406f4307af4f1128888722 (4 x Smoke Loader, 2 x Amadey, 2 x RedLineStealer)
ssdeep 6144:OSitWLVRVlSabh8pRP/pErX4lO6fE6Nn:gcLVRVsTpRP6rDJ6N
Threatray 13'618 similar samples on MalwareBazaar
TLSH T10264BEC17590C861C3570277C925CFA0E629AC35FE239A77275F662EED302D3966232E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 480c1c4c4f590b04 (26 x Amadey, 24 x Smoke Loader, 7 x Tofsee)
Reporter jstrosch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-23 02:33:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c07241c-fc9c-4e3e-8291-904e7c715131

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/337414/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.30313.3963.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Reading critical registry keys
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult greyware packed
Link:
https://www.filescan.io/uploads/637d85e794f9bac087b31910/reports/aaacb1de-723d-4ce0-963a-5581d0101b18/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/deb05286-3a96-49c7-8053-53d6b7106cda
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119384
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 752101 Sample: file.exe Startdate: 23/11/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected SmokeLoader 2->40 42 C2 URLs / IPs found in malware configuration 2->42 44 2 other signatures 2->44 8 file.exe 2->8         started        11 dedgrfw 2->11         started        process3 signatures4 62 Contains functionality to inject code into remote processes 8->62 64 Injects a PE file into a foreign processes 8->64 13 file.exe 8->13         started        66 Machine Learning detection for dropped file 11->66 16 dedgrfw 11->16         started        process5 signatures6 68 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->68 70 Maps a DLL or memory area into another process 13->70 72 Checks if the current machine is a virtual machine (disk enumeration) 13->72 18 explorer.exe 3 13->18 injected 74 Creates a thread in another existing process (thread injection) 16->74 process7 dnsIp8 36 dropbuyinc.ga 34.174.217.42, 49695, 80 ATGS-MMD-ASUS United States 18->36 32 C:\Users\user\AppData\Roaming\dedgrfw, PE32 18->32 dropped 34 C:\Users\user\...\dedgrfw:Zone.Identifier, ASCII 18->34 dropped 46 System process connects to network (likely due to code injection or exploit) 18->46 48 Benign windows process drops PE files 18->48 50 Injects code into the Windows Explorer (explorer.exe) 18->50 52 3 other signatures 18->52 23 explorer.exe 6 18->23         started        26 explorer.exe 18->26         started        28 explorer.exe 18->28         started        30 6 other processes 18->30 file9 signatures10 process11 signatures12 54 Found evasive API chain (may stop execution after checking mutex) 23->54 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->56 58 Tries to steal Mail credentials (via file / registry access) 23->58 60 3 other signatures 23->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/094b5a3566d3cada4bd90443fd68c250a3f6cae4592e82314bf31ea3067a4ce4/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2022-11-23 02:32:08 UTC
File Type:
PE (Exe)
Extracted files:
66
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bffvunlg2pfnus6zarb722gckcr7nsxelexiemkl6mpkgbt2jtsa._file
Verdict:
malicious
Similar samples:
595d937d157e6f16ad36ed379bc3294a6197c73a9eeab95299b9983c72eb737a
Smoke Loader
6a37c10bfbb386f63bfa5e3a4894a9c24defa658a69dc3c65c5bb7a5e5c9fac7
Smoke Loader
750af2e33ff183e381e853af4fd7a4b16500639a6d109e1600a04f5fba65caed
Smoke Loader
86def4439d70e908478819d3bed01ff8f47b1e1ccb2a82181aa2b7bfa51911d0
Smoke Loader
8899958981ad8306e8f0e85287deeb5b1010fb2b18502b45699d32101073ee08
Smoke Loader
ce877bcac7c0915e6cbe3f26a321d090cf8574075884f8daa95f2e48b3c6ca58
Smoke Loader
d446638e0c33cac500a0ad1ffb6a864e810de514b91e1a3918fe8d6df68dbb32
Smoke Loader
f22438602ba14721a94cb6adf773a302fb4c1127279a105c9e35ab429ef2c856
Smoke Loader
f86ee47a389088c698657b5c59ef560de1e91df3a1e537391f2b05fda4f3ecd5
Smoke Loader
fd23182c7a2c38c46d831d48a03b7a4c9385c04f89032b667d18dc43e144f4f4
Smoke Loader
+ 13'608 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/221123-czp35scc51/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detects Smokeloader packer
SmokeLoader
Unpacked files
SH256 hash:
724991a25cfa339cab84a0dfeb54ba06386a632c49e889886d6ba7762dfe227b
MD5 hash:
93c32e3a8ee875b7794a83b1452b2424
SHA1 hash:
ca62dfeecd20e68aa1b758145b641d9cee111a64
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/9b3727f7-29c2-49b4-8af2-ca36c5bbe7c8/
Parent samples :
26830e88292cdfeab59323f086caccd21a4b8a8681270b7af1cb9f7905160381
094b5a3566d3cada4bd90443fd68c250a3f6cae4592e82314bf31ea3067a4ce4
SH256 hash:
094b5a3566d3cada4bd90443fd68c250a3f6cae4592e82314bf31ea3067a4ce4
MD5 hash:
5c5f1337d7431b869a69fe7dbeabeb8b
SHA1 hash:
08b7bc30505c55408519c3592315fa731258e214
Link:
https://www.unpac.me/results/9b3727f7-29c2-49b4-8af2-ca36c5bbe7c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/094b5a3566d3cada4bd90443fd68c250a3f6cae4592e82314bf31ea3067a4ce4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 094b5a3566d3cada4bd90443fd68c250a3f6cae4592e82314bf31ea3067a4ce4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/337414/

Comments