MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20e5638ca01e002577718352ea43e153c176e6305010d7a65983112510056041. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20e5638ca01e002577718352ea43e153c176e6305010d7a65983112510056041
SHA3-384 hash: db2c0d25a9c5ab0ad01d3b11afe69034586a2f694539cf0ae0157305c17dc8fd783c736daa76aa93264498255c0a8cad
SHA1 hash: 49581eca8c2b321cabfec01e9a7c5fecbf6b2dcf
MD5 hash: c25218fcf7bce8f3b6431d8125e2e898
humanhash: pluto-social-friend-ten
File name:SecuriteInfo.com.Trojan.GenericKD.46394915.32529.19426
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:2'514'944 bytes
First seen:2021-06-03 23:49:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:/HPzLYQ/EoGfeDZCGZAaRNin4X85S3GbloL0lZEbN9LcT6IE8/k+k:/vP3wICGZBHs5S2blowlZEbN9LcT6C/O
Threatray 790 similar samples on MalwareBazaar
TLSH 37C53349F60F42D7DC07BDF94224F08E359A77B64B45CADBFFA05D709829250287BA81
Reporter SecuriteInfoCom
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
350
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.46394915.32529.19426
Verdict:
Malicious activity
Analysis date:
2021-06-03 23:52:24 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/3d494fcc-a355-4387-9d3a-1f482f277819

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fabookie
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164516/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797034
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 429430 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 04/06/2021 Architecture: WINDOWS Score: 100 124 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->124 126 Multi AV Scanner detection for domain / URL 2->126 128 Found malware configuration 2->128 130 14 other signatures 2->130 9 SecuriteInfo.com.Trojan.GenericKD.46394915.32529.exe 7 2->9         started        process3 file4 76 C:\Users\user\AppData\Local\...\md7_7dfj.exe, PE32 9->76 dropped 78 C:\Users\user\AppData\Local\Temp\junliu.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\...\jhuuee-ultra.exe, PE32 9->80 dropped 82 3 other malicious files 9->82 dropped 12 junliu.exe 6 9->12         started        16 Wsss.exe 9->16         started        18 jhuuee-ultra.exe 1 1 9->18         started        21 2 other processes 9->21 process5 dnsIp6 84 C:\Users\user\AppData\Local\...\install.dll, PE32 12->84 dropped 86 C:\Users\user\AppData\...\adobe_caps.dll, PE32 12->86 dropped 162 Antivirus detection for dropped file 12->162 164 Machine Learning detection for dropped file 12->164 23 rundll32.exe 12->23         started        26 conhost.exe 12->26         started        166 Multi AV Scanner detection for dropped file 16->166 168 DLL reload attack detected 16->168 170 Hides threads from debuggers 16->170 172 Injects a PE file into a foreign processes 16->172 28 Wsss.exe 16->28         started        31 cmd.exe 16->31         started        33 WerFault.exe 16->33         started        102 uyg5wye.2ihsfa.com 18->102 104 uyg5wye.2ihsfa.com 88.218.92.148, 49721, 80 ENZUINC-US Netherlands 18->104 112 3 other IPs or domains 18->112 88 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 18->88 dropped 174 May check the online IP address of the machine 18->174 36 jfiag3g_gg.exe 1 18->36         started        38 jfiag3g_gg.exe 18->38         started        40 jfiag3g_gg.exe 18->40         started        42 5 other processes 18->42 106 news-systems.xyz 21->106 108 101.36.107.74, 49714, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 21->108 110 iplogger.org 88.99.66.31, 443, 49715, 49722 HETZNER-ASDE Germany 21->110 90 C:\Users\user\Documents\...\md7_7dfj.exe, PE32 21->90 dropped 176 Drops PE files to the document folder of the user 21->176 178 Tries to harvest and steal browser information (history, passwords, etc) 21->178 file7 180 Performs DNS queries to domains with low reputation 102->180 signatures8 process9 dnsIp10 132 Contains functionality to infect the boot sector 23->132 134 Contains functionality to inject threads in other processes 23->134 136 Contains functionality to inject code into remote processes 23->136 150 5 other signatures 23->150 44 svchost.exe 23->44 injected 47 svchost.exe 23->47 injected 49 svchost.exe 23->49 injected 59 2 other processes 23->59 92 C:\Users\user\AppData\Local\Temp\204.tmp, PE32 28->92 dropped 138 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 28->138 140 Renames NTDLL to bypass HIPS 28->140 142 Maps a DLL or memory area into another process 28->142 144 Checks if the current machine is a virtual machine (disk enumeration) 28->144 51 explorer.exe 28->51 injected 55 conhost.exe 31->55         started        57 timeout.exe 31->57         started        98 104.42.151.234 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->98 146 Antivirus detection for dropped file 36->146 148 Multi AV Scanner detection for dropped file 36->148 100 192.168.2.1 unknown unknown 38->100 file11 signatures12 process13 dnsIp14 152 System process connects to network (likely due to code injection or exploit) 44->152 154 Sets debug register (to hijack the execution of another thread) 44->154 156 Modifies the context of a thread in another process (thread injection) 44->156 61 svchost.exe 44->61         started        66 svchost.exe 44->66         started        114 203.159.80.147 LOVESERVERSGB Netherlands 51->114 116 172.67.134.204 CLOUDFLARENETUS United States 51->116 68 C:\Users\user\AppData\Roaming\dggbwdh, PE32 51->68 dropped 70 C:\Users\user\AppData\Local\Temp\F2A.exe, PE32 51->70 dropped 72 C:\Users\user\AppData\Local\Temp\B41.exe, PE32 51->72 dropped 74 C:\Users\user\AppData\Local\Temp\114E.exe, PE32 51->74 dropped 158 Benign windows process drops PE files 51->158 160 Hides that the sample has been downloaded from the Internet (zone.identifier) 51->160 file15 signatures16 process17 dnsIp18 118 104.21.21.221 CLOUDFLARENETUS United States 61->118 120 172.67.200.215 CLOUDFLARENETUS United States 61->120 94 C:\Users\user\AppData\...\Login Data.tmp, SQLite 61->94 dropped 96 C:\Users\user\AppData\Local\...\Cookies.tmp, SQLite 61->96 dropped 182 Query firmware table information (likely to detect VMs) 61->182 184 Tries to harvest and steal browser information (history, passwords, etc) 61->184 122 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 66->122 file19 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20e5638ca01e002577718352ea43e153c176e6305010d7a65983112510056041/
Threat name:
ByteCode-MSIL.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-05-29 20:56:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
26 of 47 (55.32%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04361291bf3ae8acd73f886bf5cab71fa35097256e12c0bb1b2360d4603a40e7
Smoke Loader
0e63f296fdc309cb1e487cd1a549d029d2a9144b8a050db274901030dc6ec0f3
Smoke Loader
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
Smoke Loader
604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004
Smoke Loader
6a966d8a8bc18b016f35a159c110eb8dd5527b83e39db5fa7300e4634c9cb096
Smoke Loader
864ef1321215c0dad7c8677e3c18942b111468c63358475baa71fb1679c25096
Smoke Loader
cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30
Smoke Loader
da19103e927e19daedc51212deb60ceca403e3e9876c52a9dec41d7e6215929b
Smoke Loader
ea50cc254fa1cc865d19d13bbdf206dc69092d6f723cb56a3843d74ba83e64a0
Smoke Loader
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
Smoke Loader
+ 780 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:plugx family:raccoon family:redline family:smokeloader botnet:28198d4512d0cf31c204eddceb4471d79950b588 backdoor discovery evasion infostealer spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210603-5xb3yhf4wj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
PlugX
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://venosur.top/
http://nabudar.top/
Unpacked files
SH256 hash:
20e5638ca01e002577718352ea43e153c176e6305010d7a65983112510056041
MD5 hash:
c25218fcf7bce8f3b6431d8125e2e898
SHA1 hash:
49581eca8c2b321cabfec01e9a7c5fecbf6b2dcf
Link:
https://www.unpac.me/results/5e4d597d-3cd3-4be9-8648-94dee21b8495/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20e5638ca01e002577718352ea43e153c176e6305010d7a65983112510056041

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 20e5638ca01e002577718352ea43e153c176e6305010d7a65983112510056041

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/164516/
  
URLhaus
https://urlhaus.abuse.ch/url/1321125/
  
Delivery method
Distributed via web download

Comments