MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 237097d56dbe6e685d11f86815a8fa3a5e51b1f48e80a9f7e51d1cfabe0ae4aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	237097d56dbe6e685d11f86815a8fa3a5e51b1f48e80a9f7e51d1cfabe0ae4aa
SHA3-384 hash:	5c9e02f988eb749f0fc052d327a5e730892eba64587899c57ef647d2228b4a3fe7a7e5b08a1d3d6a0b71a98448a91c7f
SHA1 hash:	80556a73afc5117f345e69271e59f57591f2bf61
MD5 hash:	5a2eea919b3fc175feaf7943d5d257bc
humanhash:	shade-october-bravo-two
File name:	5a2eea919b3fc175feaf7943d5d257bc.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	327'168 bytes
First seen:	2020-10-06 05:22:01 UTC
Last seen:	2020-10-06 05:52:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	14e0cb129edb8b637fbb4294b1b6d709 (1 x Smoke Loader)
ssdeep	3072:OJNNMFvhbiIZywOY2h+P1+X+JIguBzjVsPH77:zvbiIvDDJIBzCfX
Threatray	121 similar samples on MalwareBazaar
TLSH	08649E10BFE1C032C15348344471A360E63B7D166A38DA87FFA52F6A6E346C117BB75A
Reporter	abuse_ch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68368/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending an HTTP POST request

Connection attempt to an infection source

Deleting of the original file

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/482233

Signature

Benign windows process drops PE files

Binary contains a suspicious time stamp

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Renames NTDLL to bypass HIPS

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download HTTP data from a sinkholed server

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/237097d56dbe6e685d11f86815a8fa3a5e51b1f48e80a9f7e51d1cfabe0ae4aa/

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-10-06 05:06:42 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Verdict:

malicious

Smoke Loader

5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114

Smoke Loader

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91

Smoke Loader

89e0507c4dc79363bdfbdc93dcbaa19084553db2c7fe3a8f746ff973b155c62a

Smoke Loader

95a4cf409c7e7813bfa744598bee2e0e572b2d05ec31622867237ea6dab8a813

Smoke Loader

9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63

Smoke Loader

c9b99232e093a959beaecf8d48616b40716fa2b9b6eaf25fed234dfe28e8f2fe

Smoke Loader

d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740

Smoke Loader

e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7

Smoke Loader

f43fa7b7115450b5a3b8b97c6f578afe6c55692a06d1f872415d547c570da288

Smoke Loader

+ 111 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

trojan backdoor family:smokeloader

Link:

https://tria.ge/reports/201006-6gfwn9hj5a/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Deletes itself

Loads dropped DLL

SmokeLoader

Malware Config

C2 Extraction:

http://informatioshopname.ru/
http://ukronet.ru/
http://gmbshop.ru/
http://ucar.ug/
http://woproperty.xyz/
http://smatrhouseforyou.ru/
http://maningfarmllc.ru/

Unpacked files

SH256 hash:

237097d56dbe6e685d11f86815a8fa3a5e51b1f48e80a9f7e51d1cfabe0ae4aa

MD5 hash:

5a2eea919b3fc175feaf7943d5d257bc

SHA1 hash:

80556a73afc5117f345e69271e59f57591f2bf61

Link:

https://www.unpac.me/results/1cf0c70b-512d-4009-af0f-356b7b2881aa/

SH256 hash:

5152fd00b855c069182e9ef3d9306181ee5a9803b599453f0038bd2d67c3b1b3

MD5 hash:

8004ec618f6894bb8733775df472cd5e

SHA1 hash:

d7415b4099f9a970f8c67933d708319ef229cfe7

Link:

https://www.unpac.me/results/1cf0c70b-512d-4009-af0f-356b7b2881aa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Glupteba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/237097d56dbe6e685d11f86815a8fa3a5e51b1f48e80a9f7e51d1cfabe0ae4aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.