MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16ab238a5b8fc0de74ddda698db8182e8193e65f7003124a0f954313cf86e048. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16ab238a5b8fc0de74ddda698db8182e8193e65f7003124a0f954313cf86e048
SHA3-384 hash: 23c2991d51dd445d14e916536487f1a9763e946358cca3cc933e22817a3fcd04a9b84e86e41df9212c9b58cf1e1a2932
SHA1 hash: 74f5bcbf952ec920291a910301afbb3c10dfc148
MD5 hash: e31a18f7be10ea5242c5573fb5574cb3
humanhash: thirteen-bluebird-magnesium-comet
File name:e31a18f7be10ea5242c5573fb5574cb3.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:561'432 bytes
First seen:2022-05-09 13:55:02 UTC
Last seen:2022-05-09 14:54:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep 1536:Srae78zjORCDGwfdCSog01313qs5g8ApbptUqAgQbVKfc2Q+8iAF:aahKyd2n31T5IplqTXVKfUDF
Threatray 267 similar samples on MalwareBazaar
TLSH T16DC426C573949053EC575A304EA383CA9729FCD0BE34359B2365F32E0B3AAD26E65706
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f0e2fc66fcdccccc (4 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader


Avatar
abuse_ch
Payload URL:
http://www.agies.org/wp-content/uploads/2018/11/cp/VirtuaWinPortable_Ltsjlawx.png

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e31a18f7be10ea5242c5573fb5574cb3.exe
Verdict:
No threats detected
Analysis date:
2022-05-09 19:49:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/940ac6af-b2b4-43da-9200-cb0b4025e072

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.15930.26672.30898.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16789/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll control.exe explorer.exe overlay packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/62791d4abd5c76586e251446/reports/dcc86077-4a90-4d0d-9f3c-487f3b2d3421/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cedbebf5-1d02-46d0-b3d1-ac0609985f13
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990204
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
PE file has a writeable .text section
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 622714 Sample: UIINQ67NHs.exe Startdate: 09/05/2022 Architecture: WINDOWS Score: 100 94 Snort IDS alert for network traffic 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for URL or domain 2->98 100 3 other signatures 2->100 11 UIINQ67NHs.exe 1 3 2->11         started        14 iwjjeuc 2->14         started        17 rundll32.exe 2->17         started        process3 file4 66 C:\Users\user\AppData\Local\...\Setup_ovl.exe, PE32 11->66 dropped 19 Setup_ovl.exe 16 7 11->19         started        128 Antivirus detection for dropped file 14->128 130 Machine Learning detection for dropped file 14->130 132 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->132 134 3 other signatures 14->134 signatures5 process6 dnsIp7 70 agies.org 107.191.100.214, 49786, 49807, 80 RAMNODEUS United States 19->70 72 tiny.one 188.114.96.10, 443, 49785, 49806 CLOUDFLARENETUS European Union 19->72 74 www.agies.org 19->74 62 C:\Users\...\Qvnpvpsjytnmpplecijdxtgp1125.exe, PE32 19->62 dropped 64 C:\Users\user\AppData\Roaming\...\Bzjwtf.exe, PE32 19->64 dropped 104 Creates multiple autostart registry keys 19->104 106 Injects a PE file into a foreign processes 19->106 24 Qvnpvpsjytnmpplecijdxtgp1125.exe 19->24         started        27 cmd.exe 1 19->27         started        29 Setup_ovl.exe 19->29         started        file8 signatures9 process10 signatures11 108 Antivirus detection for dropped file 24->108 110 Machine Learning detection for dropped file 24->110 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 24->112 114 3 other signatures 24->114 31 explorer.exe 2 4 24->31 injected 36 conhost.exe 27->36         started        38 timeout.exe 1 27->38         started        process12 dnsIp13 84 ghahantellorb.com 5.101.65.162, 49808, 49809, 80 PINDC-ASRU Russian Federation 31->84 58 C:\Users\user\AppData\Roaming\iwjjeuc, PE32 31->58 dropped 60 C:\Users\user\AppData\Local\Temp\B98.exe, PE32+ 31->60 dropped 86 Benign windows process drops PE files 31->86 88 Injects code into the Windows Explorer (explorer.exe) 31->88 90 Writes to foreign memory regions 31->90 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->92 40 explorer.exe 8 31->40         started        44 B98.exe 1 3 31->44         started        47 Bzjwtf.exe 14 4 31->47         started        49 explorer.exe 31->49         started        file14 signatures15 process16 dnsIp17 76 ghahantellorb.com 40->76 116 System process connects to network (likely due to code injection or exploit) 40->116 118 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->118 120 Tries to steal Mail credentials (via file / registry access) 40->120 122 Tries to harvest and steal browser information (history, passwords, etc) 40->122 68 C:\Users\user\AppData\Local\...\Setup_ovl.exe, PE32+ 44->68 dropped 124 Antivirus detection for dropped file 44->124 126 Creates multiple autostart registry keys 44->126 51 Setup_ovl.exe 44->51         started        78 www.agies.org 47->78 80 tiny.one 47->80 82 agies.org 47->82 54 cmd.exe 47->54         started        file18 signatures19 process20 signatures21 102 Antivirus detection for dropped file 51->102 56 conhost.exe 54->56         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16ab238a5b8fc0de74ddda698db8182e8193e65f7003124a0f954313cf86e048/
Threat name:
Win64.Trojan.Hulk
Create hunting rule
Status:
Malicious
First seen:
2022-05-09 14:18:35 UTC
AV detection:
9 of 40 (22.50%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1799e80fe0e05e3e784de5536df1713309a3b345ea3dbd920acfff477735afbd
Smoke Loader
29478db896444dc2bed1ae2346fcb41e505152127be5d1798851964210c264a7
Smoke Loader
41534cbdad51e3ae39a1346396ff9706c1e24a27a8051f2bb4c92148edb741d8
Smoke Loader
b206c2d164d66dcd9fad4cffdcb28d73eb64d2f663f1de6fb90cc10b47665c41
Smoke Loader
b78667f1cef6431d75363f045981883b31b0e10925b4218b392c3fa5f044735e
Smoke Loader
d952e6902baf966ee83e4036999827263a7132ca1dde7f4eab1797f9fbb75051
Smoke Loader
+ 257 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220509-q74hdsgcfj/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
16ab238a5b8fc0de74ddda698db8182e8193e65f7003124a0f954313cf86e048
MD5 hash:
e31a18f7be10ea5242c5573fb5574cb3
SHA1 hash:
74f5bcbf952ec920291a910301afbb3c10dfc148
Link:
https://www.unpac.me/results/3f7122f1-df9f-4e74-8624-694081b2758f/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/16ab238a5b8f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/16ab238a5b8fc0de74ddda698db8182e8193e65f7003124a0f954313cf86e048

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/2186871/

Comments