MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 199bc18551e8786a107ed743e9aed93e6128a972bb02d76c88bd0c10687a39ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 199bc18551e8786a107ed743e9aed93e6128a972bb02d76c88bd0c10687a39ab
SHA3-384 hash: f8ac69b735ef4704ce4b5af38ddf575092b06e1688e214bc7ed24335d06a00b9bb3550ff418a9f973475665629e91d34
SHA1 hash: 1a2476e182867a7f48b1fd15c81a65250ab6837f
MD5 hash: 29188c8c6967ad6e80d26d37b083bf80
humanhash: july-harry-mockingbird-oven
File name:29188c8c6967ad6e80d26d37b083bf80.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:154'624 bytes
First seen:2021-11-06 11:22:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash df20e941b7aae524e8c7295e606402fe (3 x RaccoonStealer, 1 x CoinMiner, 1 x RedLineStealer)
ssdeep 1536:+g43iVF0n+us90KSZs1TlOExdNunHeokiuL1FM4AEJTZErYQI2LTMC74e+mfcZ:+8Xi++KqshXywJQbv74ln
TLSH T118E37C1072ECC331E7E31630487CBAB51A7ABC62267054BB37943A2E5E31EF05A66357
File icon (PE):PE icon
dhash icon 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-11-06 05:44:43 UTC
Tags:
loader evasion trojan stealer vidar rat redline opendir
Link:
https://app.any.run/tasks/2dbcda02-b6da-4083-84a1-455fa7ecf9ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202916/
Detection(s):
Win.Trojan.Generic-9906289-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/618665982084b424af0c474d/reports/044936d0-bbbf-4a04-b366-050b8a78997b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d883bc5c-97f1-4182-8037-7506eab108fe
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884538
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 516994 Sample: kuGJ8jIGhH.exe Startdate: 06/11/2021 Architecture: WINDOWS Score: 100 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected SmokeLoader 2->52 54 Machine Learning detection for sample 2->54 7 kuGJ8jIGhH.exe 2->7         started        10 ssgueid 2->10         started        12 485E.exe 2->12         started        process3 signatures4 64 Detected unpacking (changes PE section rights) 7->64 66 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->66 68 Maps a DLL or memory area into another process 7->68 70 Creates a thread in another existing process (thread injection) 7->70 14 explorer.exe 8 7->14 injected 72 Multi AV Scanner detection for dropped file 10->72 74 Machine Learning detection for dropped file 10->74 76 Checks if the current machine is a virtual machine (disk enumeration) 10->76 process5 dnsIp6 34 nutriescapa.com 85.143.175.87, 49800, 49811, 80 TRADERSOFTRU Russian Federation 14->34 36 misha.at 61.255.185.201, 49787, 49789, 49796 SKB-ASSKBroadbandCoLtdKR Korea Republic of 14->36 38 7 other IPs or domains 14->38 26 C:\Users\user\AppData\Roaming\ssgueid, PE32 14->26 dropped 28 C:\Users\user\AppData\Local\Temp\9E7F.exe, PE32 14->28 dropped 30 C:\Users\user\AppData\Local\Temp\8E71.exe, PE32 14->30 dropped 32 2 other malicious files 14->32 dropped 40 System process connects to network (likely due to code injection or exploit) 14->40 42 Benign windows process drops PE files 14->42 44 Deletes itself after installation 14->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->46 19 485E.exe 14->19         started        22 8E71.exe 14->22         started        24 9E7F.exe 14->24         started        file7 signatures8 process9 signatures10 56 Multi AV Scanner detection for dropped file 19->56 58 Detected unpacking (overwrites its own PE header) 19->58 60 Machine Learning detection for dropped file 19->60 62 Contains functionality to infect the boot sector 19->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/199bc18551e8786a107ed743e9aed93e6128a972bb02d76c88bd0c10687a39ab/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-11-06 06:44:03 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/211106-ng577aecc7/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Unpacked files
SH256 hash:
2d42354cb59833a247375928187032beead3c641520e36824fce6f48b126d8a6
MD5 hash:
38fa5abed729083474ad8e1084b03b6d
SHA1 hash:
707a3feb91f1242f57bdd9fb6b3852462b64a985
Link:
https://www.unpac.me/results/6e53f3ca-d293-4a77-9224-83935c5e8099/
SH256 hash:
199bc18551e8786a107ed743e9aed93e6128a972bb02d76c88bd0c10687a39ab
MD5 hash:
29188c8c6967ad6e80d26d37b083bf80
SHA1 hash:
1a2476e182867a7f48b1fd15c81a65250ab6837f
Link:
https://www.unpac.me/results/6e53f3ca-d293-4a77-9224-83935c5e8099/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/199bc18551e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/199bc18551e8786a107ed743e9aed93e6128a972bb02d76c88bd0c10687a39ab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 199bc18551e8786a107ed743e9aed93e6128a972bb02d76c88bd0c10687a39ab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1755713/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/202916/

Comments