MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0
SHA3-384 hash: 286d0673cfc7c92abb24f6975943ca3119fcaf7f57226e919d7697bab662314c72d4511bd17307e731c9621a41a6e0aa
SHA1 hash: 187cc9dc8436021fde4575afb9a4b1ea2afbb99a
MD5 hash: 1313175470e5c024f9d74e38a4c9ceb2
humanhash: venus-muppet-west-beryllium
File name:1313175470e5c024f9d74e38a4c9ceb2.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:253'952 bytes
First seen:2023-05-31 07:56:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9844fba67f0c450c411fe3395f872b3b (4 x Smoke Loader, 1 x Rhadamanthys, 1 x Stop)
ssdeep 3072:8dQOczktaURVidryrHdVBtYXlVhO0c+aKBPbtiHr45Zj3d1DABa5M:EQHzkFVgE9VBtKM0c+16HEj30a5
Threatray 148 similar samples on MalwareBazaar
TLSH T164443A1392E07D54E76B4B729E2E86E8371EB6108F5B3779321ABA2F04F05B2D163711
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0008084800080800 (1 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
1313175470e5c024f9d74e38a4c9ceb2.exe
Verdict:
Malicious activity
Analysis date:
2023-05-31 08:03:27 UTC
Tags:
installer loader smoke trojan
Link:
https://app.any.run/tasks/6d3202ed-8517-4e9c-a3ac-d70336845c11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393944/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Creating a process from a recently created file
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed xpack
Link:
https://www.filescan.io/uploads/6476fdd04642400a7af8f133/reports/cc5b5c58-cf2f-4856-88e9-9ddb497b9ef0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b354d678-f05e-40e0-8a38-af5e91f6761d
Result
Threat name:
RHADAMANTHYS, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245836
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878856 Sample: ArfO1dskin.exe Startdate: 31/05/2023 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 9 other signatures 2->62 8 ArfO1dskin.exe 2->8         started        11 cgawuwe 2->11         started        13 7BF0.exe 2->13         started        process3 signatures4 78 Detected unpacking (changes PE section rights) 8->78 80 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->80 82 Maps a DLL or memory area into another process 8->82 84 Creates a thread in another existing process (thread injection) 8->84 15 explorer.exe 1 7 8->15 injected 86 Multi AV Scanner detection for dropped file 11->86 88 Machine Learning detection for dropped file 11->88 90 Checks if the current machine is a virtual machine (disk enumeration) 11->90 process5 dnsIp6 42 shsplatform.co.uk 80.66.203.53, 443, 49721 UKFASTGB United Kingdom 15->42 44 58.235.189.192, 49711, 49714, 49723 SKB-ASSKBroadbandCoLtdKR Korea Republic of 15->44 46 5 other IPs or domains 15->46 32 C:\Users\user\AppData\Roaming\cgawuwe, PE32 15->32 dropped 34 C:\Users\user\AppData\Local\Temp\9879.exe, PE32 15->34 dropped 36 C:\Users\user\AppData\Local\Temp\7BF0.exe, PE32 15->36 dropped 38 C:\Users\user\...\cgawuwe:Zone.Identifier, ASCII 15->38 dropped 48 System process connects to network (likely due to code injection or exploit) 15->48 50 Benign windows process drops PE files 15->50 52 Deletes itself after installation 15->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->54 20 certreq.exe 1 15->20         started        23 9879.exe 1 15->23         started        26 7BF0.exe 15->26         started        file7 signatures8 process9 dnsIp10 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->64 66 Tries to steal Mail credentials (via file / registry access) 20->66 68 Tries to harvest and steal browser information (history, passwords, etc) 20->68 70 Tries to harvest and steal Bitcoin Wallet information 20->70 28 conhost.exe 20->28         started        40 179.43.162.23, 49728, 49731, 8509 PLI-ASCH Panama 23->40 72 Detected unpacking (changes PE section rights) 23->72 74 Detected unpacking (overwrites its own PE header) 23->74 76 Machine Learning detection for dropped file 23->76 30 WerFault.exe 23->30         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 14:47:03 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6eu4bxfefryfj7d3psetxtzad65bnej27udn2yapt7ftqhudlqa._file
Verdict:
malicious
Similar samples:
0dea9d29d4aedc99d8becf261b8ebae1238d7131f9751a9e8874af4bf2b76f2f
Smoke Loader
0ed203a02f9c7f7e9794a8fbb4871fc8d2aa2e52f59897915c9afb402f768aaf
Smoke Loader
1a4f5436d9f0db76723176d443957cecc657eeb3c71e53023fc855bb30320392
Smoke Loader
54c3132ced005758148cd36e63a125bfb4deac0378d3ed9b692bb0b61233785d
Smoke Loader
83513ead85629fb300aba6a80e3a110031b7c8c51ff13029459e720169c20b09
Smoke Loader
9a320124fdf55f46111de1f805c054477a7db5c9bcbf1894f8e7fed2d7c1fe28
Smoke Loader
c50a6cf3d7972da6118f7b3ea0a9ffca7f6f3bfe927c3ebc6596bbbe05e6e43e
Smoke Loader
d0f226d5fad04eabbb87c62ed71a5372c604cbfdf0132c9928b4f4185e341875
Smoke Loader
d798d19c9afba75e37b86a4ef463eeda471e40a95695588e4435c0f65588847b
Smoke Loader
e17930c252820f7d0465c3bdbea3612a843b2ec58a7837203046031cbb932947
Smoke Loader
+ 138 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub5 backdoor collection trojan
Link:
https://tria.ge/reports/230531-js9yasdf39/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Program crash
Accesses Microsoft Outlook profiles
Executes dropped EXE
Downloads MZ/PE file
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
7b0e25c99ef33caed24b3102cee5b9c345c9f138246e5daa2f00d561670fb34e
MD5 hash:
98f0c51fae13a11fa6851bd32dd450d9
SHA1 hash:
7f4f555598a5fa24fb79da8696ebe218f92b6561
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/60ae34f8-30d2-49cd-9adf-1a6d9a2af01e/
Parent samples :
0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0
a9d1c36b151cbd42b112cfb10ec35fa05174f40a89876d2e66f1e9abf011af61
90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b
0b7609e449e5872e1223c2ae6f26253640b0cb7981e7721e5b3a25a28a1fe579
e82edb85f46bde98da82a2c3df1178e85774cd0415e9e998325a59b8a28b8ba6
64c99e86f8722c5b825250b3302a2eafc652a09108a3213e124f173f10be2eeb
13a43acaf411468a1ddfa5f221464f0ead5221a8694bb1027273206ecfa2e336
6aa14b8612361f8cd34a86edcf341aaee819fb9a0cc18d51165e52afdcbe5e60
68af9af3506c7a35ef60026b6662cbc1fda0b36007a6eb48a974e4d7574db21f
81d2aa64b3f784fc0dab7694d106bedbd193786ab47dd064c0c5a8714d3fcaff
abd8284914e8bc1309c13903e7b41b1af552c80598982c9e8fbe35e88eda9315
SH256 hash:
0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0
MD5 hash:
1313175470e5c024f9d74e38a4c9ceb2
SHA1 hash:
187cc9dc8436021fde4575afb9a4b1ea2afbb99a
Link:
https://www.unpac.me/results/60ae34f8-30d2-49cd-9adf-1a6d9a2af01e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f894e06e521/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2647269/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/393944/

Comments