MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db
SHA3-384 hash: dc4fb81ceee8f9eb08e1b4b9bc4061c52afb55c7cbf643d127fd80e53dc4a8fa6624c9679b9348bde409fed67127cfc9
SHA1 hash: 7a6e59e6c01135ab4ec685dc8c6bf7835429c916
MD5 hash: e3686e4e0ed04a1fd38bb5060cb2441e
humanhash: oregon-failed-nineteen-north
File name:e3686e4e0ed04a1fd38bb5060cb2441e.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:297'984 bytes
First seen:2021-06-16 10:16:22 UTC
Last seen:2021-06-16 10:56:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ab857f73c9912dee0698f559b75c172 (8 x RedLineStealer, 1 x Glupteba, 1 x FickerStealer)
ssdeep 3072:sZCIbJFbQUyeB5cq3Dey3GLtXWxQokuWaPrKrQ1xZB0YWi8y94rMtQiSrX3:sZCYGUyeB57iy3MloRrtxhjtQiSrX3
Threatray 1'619 similar samples on MalwareBazaar
TLSH 57547D20A7A0C434F1F712F899B69379B92E7EB15B3490CF52C51AEA56346E4EC30787
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e3686e4e0ed04a1fd38bb5060cb2441e.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-16 10:39:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/85646d54-b69c-4b17-8b32-0ed20ebe0722

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46496484.3208.27795.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Launching a process
Searching for the window
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b7c0ee7-7c50-4826-9b8e-87755be9d900
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/802914
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL reload attack detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435322 Sample: xax2K3BWhm.exe Startdate: 16/06/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected SmokeLoader 2->45 47 3 other signatures 2->47 6 ahafdus 2->6         started        9 xax2K3BWhm.exe 2->9         started        11 explorer.exe 2 2->11         started        process3 dnsIp4 49 Multi AV Scanner detection for dropped file 6->49 51 DLL reload attack detected 6->51 53 Detected unpacking (changes PE section rights) 6->53 55 Machine Learning detection for dropped file 6->55 15 ahafdus 1 6->15         started        57 Contains functionality to inject code into remote processes 9->57 59 Injects a PE file into a foreign processes 9->59 19 xax2K3BWhm.exe 1 9->19         started        27 hewilldoit.xyz 185.45.192.246, 443, 49757 HSAE United Arab Emirates 11->27 29 192.168.2.1 unknown unknown 11->29 21 C:\Users\user\AppData\Roaming\ahafdus, PE32 11->21 dropped 23 C:\Users\user\...\ahafdus:Zone.Identifier, ASCII 11->23 dropped 61 System process connects to network (likely due to code injection or exploit) 11->61 63 Benign windows process drops PE files 11->63 65 Performs DNS queries to domains with low reputation 11->65 67 2 other signatures 11->67 file5 signatures6 process7 file8 25 C:\Users\user\AppData\Local\Temp\BCCB.tmp, PE32 15->25 dropped 31 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->31 33 Renames NTDLL to bypass HIPS 15->33 35 Maps a DLL or memory area into another process 15->35 37 Checks if the current machine is a virtual machine (disk enumeration) 19->37 39 Creates a thread in another existing process (thread injection) 19->39 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 22:07:56 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a78aaf6aae3b9d9a32dc6c8cfe9182043f71a3d44e727464ab95a70fc24bbe8
Smoke Loader
2eafd204076978f8a4a3e39ab0b8dd4cbed9bec5a4ac39146e40d921c8af59ff
Smoke Loader
5e6932fbfebe00b2c44d7e74bb8409b55ad7abe92507c56887ded333684fcd92
Smoke Loader
7f40d0fe270f72aec76ec5348630f3b354ea4dd010d60edcdd865693824981de
Smoke Loader
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
Smoke Loader
8f32a2bc4817137939fbd615fbcbab4c93dd0305e9d407ec6de706483c50556e
Smoke Loader
a99dfa4b60347edac3d2083c96df817bc3dfdc3c206be400723abb594cdb510b
Smoke Loader
ad5592929818b5ee09b99dddb8a652d84621e0b70efe51c2f2b6ca54aeaa3713
Smoke Loader
e7e4c086f54086b129715c584777c2d920a9443a6ba85d4ea5e6d63b8eeb5b9e
Smoke Loader
e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141
Smoke Loader
+ 1'609 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210616-2lz3zztfv2/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
SmokeLoader
Malware Config
C2 Extraction:
https://hewilldoit.xyz/zizi/
https://hehasdoneit.xyz/zizi/
Unpacked files
SH256 hash:
e56036dc62f828f3c880f2f4da65c8acdabefea477830c761a86963d85034f7f
MD5 hash:
6e14ee01854e97c68e6f8ab2c605c434
SHA1 hash:
32bd5b8b7cf53bd6e54ec3ca5391f72b3455a7f3
Link:
https://www.unpac.me/results/d2c5c337-13c6-4933-aedf-76c95bb3461f/
SH256 hash:
1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db
MD5 hash:
e3686e4e0ed04a1fd38bb5060cb2441e
SHA1 hash:
7a6e59e6c01135ab4ec685dc8c6bf7835429c916
Link:
https://www.unpac.me/results/d2c5c337-13c6-4933-aedf-76c95bb3461f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1364978/
  
Delivery method
Distributed via web download

Comments