MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13314832c817f35c02366a97b2ba739809874c3d56f3b9f67cc41a50a2291ed7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13314832c817f35c02366a97b2ba739809874c3d56f3b9f67cc41a50a2291ed7
SHA3-384 hash: c3340a00aea6c53415e4f35615a6277abc0651da4654f202045e60bd1912e29f84fa3444af47a0aa8910b8b1db3a8c5d
SHA1 hash: 677e391bc3e6f8c43acab0a8dcf945fbf28e8014
MD5 hash: 40e25147b267228112c0cf6ff07b486e
humanhash: cola-colorado-beryllium-pizza
File name:SecuriteInfo.com.W32.AIDetect.malware1.7156.12253
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:162'304 bytes
First seen:2022-05-26 18:35:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0fa6164673c74e6add7990ac47b4ca9b (1 x Smoke Loader)
ssdeep 3072:dSAqXL+KNO7jFiJicwPzeMFBhM5krxvdA65+mBpJG:8XL+378uaMM5UpWTmBH
TLSH T159F37D1032E5C432E29755B64434C3B05E7BBC766E36998F6FC52BB91F262E1DB2430A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2b1e4c4ecb987f9 (17 x RedLineStealer, 10 x Smoke Loader, 4 x Amadey)
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
345
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware1.7156.12253
Verdict:
No threats detected
Analysis date:
2022-05-26 18:38:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f1a823f1-10ae-40a0-ae48-e621d2093157

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274815/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.57406.30231.29032.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Setting browser functions hooks
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet greyware packed
Link:
https://www.filescan.io/uploads/628fc86d054dcf0ecaf2a9b3/reports/ef83ba32-b687-45e0-96b6-322694f1494a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1e45d34-3b41-4b48-8ddf-d5a69fb5053d
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1002307
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634803 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 26/05/2022 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected SmokeLoader 2->41 43 2 other signatures 2->43 7 SecuriteInfo.com.W32.AIDetect.malware1.7156.exe 2->7         started        10 sscjuib 2->10         started        process3 signatures4 53 Detected unpacking (changes PE section rights) 7->53 55 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->55 57 Maps a DLL or memory area into another process 7->57 59 Creates a thread in another existing process (thread injection) 7->59 12 explorer.exe 3 7->12 injected 61 Multi AV Scanner detection for dropped file 10->61 63 Machine Learning detection for dropped file 10->63 65 Checks if the current machine is a virtual machine (disk enumeration) 10->65 process5 dnsIp6 35 xinchichon.co.ug 34.88.93.29, 49778, 49781, 80 GOOGLEUS United States 12->35 27 C:\Users\user\AppData\Roaming\sscjuib, PE32 12->27 dropped 29 C:\Users\user\...\sscjuib:Zone.Identifier, ASCII 12->29 dropped 67 Benign windows process drops PE files 12->67 69 Injects code into the Windows Explorer (explorer.exe) 12->69 71 Deletes itself after installation 12->71 73 2 other signatures 12->73 17 explorer.exe 6 12->17         started        21 explorer.exe 12->21         started        23 explorer.exe 12->23         started        25 13 other processes 12->25 file7 signatures8 process9 dnsIp10 31 xinchichon.co.ug 17->31 45 System process connects to network (likely due to code injection or exploit) 17->45 47 Found evasive API chain (may stop execution after checking mutex) 17->47 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->49 51 4 other signatures 17->51 33 192.168.2.1 unknown unknown 21->33 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13314832c817f35c02366a97b2ba739809874c3d56f3b9f67cc41a50a2291ed7/
Threat name:
Win32.Trojan.Weelsof
Create hunting rule
Status:
Malicious
First seen:
2022-05-26 11:13:17 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cmyuqmwic7zvyarwnkl3fotttaeyotb5k3z3t5t4yqnfbirjd3lq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection
Link:
https://tria.ge/reports/220526-w8wrtshhap/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Unpacked files
SH256 hash:
7a747020b42a0aa75b9f8c5d3ad98513b05bbd0ea790b10be318abb196a36e9b
MD5 hash:
c26f94cd7cf7e55c5478b125f1bf7e05
SHA1 hash:
549f960ba135ce4656fee271057bbfaf6c425290
Link:
https://www.unpac.me/results/fa8f0c45-02aa-440e-9b8b-410a90aa9351/
SH256 hash:
13314832c817f35c02366a97b2ba739809874c3d56f3b9f67cc41a50a2291ed7
MD5 hash:
40e25147b267228112c0cf6ff07b486e
SHA1 hash:
677e391bc3e6f8c43acab0a8dcf945fbf28e8014
Link:
https://www.unpac.me/results/fa8f0c45-02aa-440e-9b8b-410a90aa9351/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13314832c817f35c02366a97b2ba739809874c3d56f3b9f67cc41a50a2291ed7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274815/

Comments