MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21eb22a05f3420b16e1c0eb5082956f699b4a0484aba9b09e8ad40fd9610bfb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21eb22a05f3420b16e1c0eb5082956f699b4a0484aba9b09e8ad40fd9610bfb2
SHA3-384 hash: 61ec57c0fd5af1eb45b51f95b9489766d3d752b2523be12194b5a7a0541b6a245d0d37e3b49f3a3b7ac020ab59301489
SHA1 hash: 795b18f872c49244d8fe18f020420c6b127ec90c
MD5 hash: 16a6948195680e4c8ee3ff87b248e2d9
humanhash: potato-fix-oregon-kitten
File name:16a6948195680e4c8ee3ff87b248e2d9.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:329'216 bytes
First seen:2022-04-14 19:57:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7000d5eb0b3dd576216127dff01322b2 (1 x Smoke Loader)
ssdeep 3072:OXiZaIJzVLAqg24Jntx8lluouIuO51Ar95Ewi2Huu1jUnE5F1IptIIjV189n6nfg:jw0V/oJnt6VuOMkJ2HO9jD8JaIUyJvb
Threatray 4'215 similar samples on MalwareBazaar
TLSH T15464392F7048E0EDD455A4B97AA8E64A7154B9F0A6789C033EC56F5AC4B02DF8732F43
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
584
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16a6948195680e4c8ee3ff87b248e2d9.exe
Verdict:
Suspicious activity
Analysis date:
2022-04-14 20:25:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b5ee0cb2-fd3b-4b0e-adca-c9cb8a1e400a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263853/
Detection(s):
SecuriteInfo.com.Variant.Lazy.168098.17552.18609.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Launching a process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13916/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/62587cd6eab80a7a6c15afb9/reports/1c6c2d9f-49af-4ecf-9b3c-61c91e94cf8a/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e06cebb9-ffe3-4757-adb0-1ba2b9333379
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977169
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
System process connects to network (likely due to code injection or exploit)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609659 Sample: i4LctBjLzU.exe Startdate: 14/04/2022 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 Antivirus detection for URL or domain 2->52 54 4 other signatures 2->54 8 i4LctBjLzU.exe 2->8         started        11 jhtiafc 2->11         started        13 msiexec.exe 2->13         started        process3 signatures4 64 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->64 66 Maps a DLL or memory area into another process 8->66 68 Checks if the current machine is a virtual machine (disk enumeration) 8->68 15 explorer.exe 5 8->15 injected 70 Multi AV Scanner detection for dropped file 11->70 72 Machine Learning detection for dropped file 11->72 74 Creates a thread in another existing process (thread injection) 11->74 process5 dnsIp6 36 oakland-studio.video 143.198.125.86, 443, 49748, 49749 LDCOMNETFR United States 15->36 38 192.168.2.1 unknown unknown 15->38 32 C:\Users\user\AppData\Roaming\jhtiafc, PE32 15->32 dropped 34 C:\Users\user\...\jhtiafc:Zone.Identifier, ASCII 15->34 dropped 40 System process connects to network (likely due to code injection or exploit) 15->40 42 Benign windows process drops PE files 15->42 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->44 46 4 other signatures 15->46 20 cmd.exe 1 15->20         started        file7 signatures8 process9 signatures10 56 Uses ipconfig to lookup or modify the Windows network settings 20->56 23 WMIC.exe 1 20->23         started        26 WMIC.exe 1 20->26         started        28 WMIC.exe 1 20->28         started        30 13 other processes 20->30 process11 signatures12 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->58 60 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 23->60 62 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 23->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21eb22a05f3420b16e1c0eb5082956f699b4a0484aba9b09e8ad40fd9610bfb2/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 19:58:07 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
11 of 42 (26.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ehvsfic7gqqlc3q4b22qqkkw62m3jicijk5jwcpivvap3fqqx6za._file
Verdict:
malicious
Similar samples:
49c7ce5e90b5bce33ac0ea6f02d309e030e81462e290e83403048822e52b1500
Smoke Loader
55cc28579df82facc52da954c7ef0956e665883ffcd00963d110c894a80cbba3
Smoke Loader
780aee300d0f8eba4233484b475aa6a0109e40d0bec49d1d7fd4435846ca6608
Smoke Loader
85134cb676ed53bbdaeb39546ac147a5b8eaf6f8afb45050ee92880cb5eb5f69
Smoke Loader
9e49724e1da8cfc7d1f78b25eca2459b3031aaf502290de20b22abe3fba99deb
Smoke Loader
cc15573c85379c9dd96f926c62a62f402a95052ed65b616daf881e0dae9ee674
Smoke Loader
cdcb92f83216720f2d567392a6a4d9bc1b90b3f900b783934a402d310ae5ff46
Smoke Loader
dfd82ea53bb1196fc2e079063358063b524142778c754259045e4541c60d7c1d
Smoke Loader
+ 4'205 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor evasion suricata trojan
Link:
https://tria.ge/reports/220414-yptjgadfgr/
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Deletes itself
Executes dropped EXE
Modifies Windows Firewall
SmokeLoader
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
Malware Config
C2 Extraction:
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
Unpacked files
SH256 hash:
21eb22a05f3420b16e1c0eb5082956f699b4a0484aba9b09e8ad40fd9610bfb2
MD5 hash:
16a6948195680e4c8ee3ff87b248e2d9
SHA1 hash:
795b18f872c49244d8fe18f020420c6b127ec90c
Link:
https://www.unpac.me/results/93cfda96-cbf2-410f-b62f-2e49b7d768b2/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/21eb22a05f34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21eb22a05f3420b16e1c0eb5082956f699b4a0484aba9b09e8ad40fd9610bfb2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 21eb22a05f3420b16e1c0eb5082956f699b4a0484aba9b09e8ad40fd9610bfb2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2141096/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/263853/

Comments