MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24c3fd88b8af64d4e5d3b1258287ad25e79840034dc57f19e51d0df59a5daa72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	24c3fd88b8af64d4e5d3b1258287ad25e79840034dc57f19e51d0df59a5daa72
SHA3-384 hash:	ccab80a121f067c0429781e91ae09a937de0685c621a633eca32bdbb80171004e2e8f50c6192be12747fbbf942bd4ff8
SHA1 hash:	266ea247e152793bc065214f806ac8f500f5e117
MD5 hash:	e4dcfb88beaaece0aef84c81b9b6091a
humanhash:	double-dakota-spring-carbon
File name:	http___bproperty.ru_localmod_nmode.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	187'904 bytes
First seen:	2020-10-29 23:24:18 UTC
Last seen:	2020-10-30 00:55:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	abfa101af28ab849ba27fbb04dd528dc (3 x Bunitu, 3 x RaccoonStealer, 2 x Tofsee)
ssdeep	3072:HjiX0DJif+NNmrRzOX1cWWlP2qYNWJrgBBy7D0oFWXyS5OpIgm+dB:HF1WoWmBBycoF+lgFB
Threatray	177 similar samples on MalwareBazaar
TLSH	7004AE3131C2C0B2D59725B644A4CBB55EFB787902366A8F6FDA05BD4F187EA87A030D
Reporter	Racco42
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/81068/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader35.9206.26992.14687.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending an HTTP POST request

Connection attempt to an infection source

Deleting of the original file

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/516553

Signature

Benign windows process drops PE files

Binary contains a suspicious time stamp

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Renames NTDLL to bypass HIPS

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download HTTP data from a sinkholed server

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24c3fd88b8af64d4e5d3b1258287ad25e79840034dc57f19e51d0df59a5daa72/

Threat name:

Win32.Backdoor.Mokes

Status:

Malicious

First seen:

2020-10-29 18:45:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=etb73cfyv5snjzotwesyfb5nextzqqadjxcx6gpfdug7lgs5vjza._file

Verdict:

malicious

Smoke Loader

91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f

Smoke Loader

95a4cf409c7e7813bfa744598bee2e0e572b2d05ec31622867237ea6dab8a813

Smoke Loader

9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63

Smoke Loader

a0023ed551a57c336b69dcf494bbf83549ef8ce570fcb273333cf1abbc2863cc

Smoke Loader

b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184

Smoke Loader

c9b99232e093a959beaecf8d48616b40716fa2b9b6eaf25fed234dfe28e8f2fe

Smoke Loader

e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7

Smoke Loader

ee4a192729f039c2b5829259f58443b9f6564f2d4973e315cc9437bfd166f536

Smoke Loader

f85b4fcd61a36635fe0e40af704b607ab33afdc97131c14fd958f6ae101ad1da

Smoke Loader

+ 167 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/201029-yz5j43k9xe/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Program crash

Deletes itself

Loads dropped DLL

Executes dropped EXE

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

http://manufature2020.ru/
http://informatioshopname.ru/
http://jpproperty.ru/
http://gmbshop.ru/
http://ucar.ug/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/81068/

URLhaus

https://urlhaus.abuse.ch/url/768254/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample