MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2
SHA3-384 hash:	7b75796f0fcda0fae5d41ec816c320beaa5cf394ab9d743294b6e1c23373be787d788105c05b4f206cea1ebbe0eafbd2
SHA1 hash:	6f2d63f7f122a1b946bbd68962d76c9ae2612a33
MD5 hash:	7534dbec27b929c2ecd76499880fd560
humanhash:	indigo-yankee-nuts-charlie
File name:	7534dbec27b929c2ecd76499880fd560.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	315'904 bytes
First seen:	2022-02-03 14:45:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6f6aeb6fc382a28ed1adc7823a20786d (1 x RedLineStealer, 1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	6144:iYXRXgwctuZ0oD00dgnn3N+UE1DhCD9YGDeDS6evIUKov:pBwfojDH2n9+UE1MDOGDeDhU
Threatray	197 similar samples on MalwareBazaar
TLSH	T111649E10BA90C035F5FB52F8457A936DB93E7EA25B2061CF52E52AEE46346E0DC3131B
File icon (PE):
dhash icon	2dec1378399b9b91 (25 x Smoke Loader, 22 x RedLineStealer, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

394

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/232270/

Detection(s):

Win.Malware.Dropperx-9938227-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Searching for synchronization primitives

Reading critical registry keys

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a file

Creating a process with a hidden window

Launching a process

Unauthorized injection to a recently created process

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5873/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61fc315aa0f6a794b33693ea/reports/39aa959c-8a4b-4203-b607-1341ea01a953/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/368c95ad-64ba-43c7-ba1f-59e9d6c859b0

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/933496

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-03 13:45:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bg4sqmugiy5tl2rnlk72q2irb2ysj24mc6eowjrqjagqlducvpza._file

Verdict:

malicious

Smoke Loader

5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95

Smoke Loader

599a59aba0c234edc2c2799a7a06208d3d112438b1bc49ba5292f111429b9102

Smoke Loader

98ad02342614a473b078f5b12274fa3c9c78779894750fbb7af82664b9e7ffa8

Smoke Loader

c39b797438914c08509ac8824554a65c0b8c6e44b782ae5a2881c008fb2d8ed8

Smoke Loader

cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd

Smoke Loader

ee8b0e0f159d28b8bdf306b5ae9fef26379525cb6f8d07d8855963ceb6a9f7d6

Smoke Loader

f1fe5f2fd945caad71baf13e9e42544c1b2a441ea42391a3a56d2e38dcfe5f50

Smoke Loader

f2e9475cbf8ad93f5762a2b5c02b552d5afe5247c9c14e2c1e72f507807ffbaa

Smoke Loader

f6ee9ff778c9ef5511f2344d2dbf0b199578e19278426ed84c61d4704115ca34

Smoke Loader

+ 187 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220203-r4s3xsaef5/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

MD5 hash:

b984a027c8a2abf874f3eb306a831613

SHA1 hash:

d3b3f8890adc840b0bd411cf304eef15d415ed48

Link:

https://www.unpac.me/results/60535738-6db2-4714-9441-294a4aba41d3/

Parent samples :

fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a

SH256 hash:

09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2

MD5 hash:

7534dbec27b929c2ecd76499880fd560

SHA1 hash:

6f2d63f7f122a1b946bbd68962d76c9ae2612a33

Link:

https://www.unpac.me/results/60535738-6db2-4714-9441-294a4aba41d3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe 09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2013897/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2020731/

Cape

https://www.capesandbox.com/analysis/232270/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample