MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26b4090ea03cb2f43a604a162c3784ad904262add41a51117dd7e5e4ccb188de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	26b4090ea03cb2f43a604a162c3784ad904262add41a51117dd7e5e4ccb188de
SHA3-384 hash:	c4b8e41a24ad55b10eb6a3720d16039fefb62e149f30811284668c2acd8823813782de7fd0dc4613859cd13b62e294d3
SHA1 hash:	b1746857545bddb127d31a9d9330267518b890d6
MD5 hash:	dd567d0e96f65f9d3ad4f2104a916afe
humanhash:	freddie-don-moon-magnesium
File name:	rv223.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	257'024 bytes
First seen:	2020-12-24 12:46:12 UTC
Last seen:	2020-12-24 15:03:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6ed4f5f04d62b18d96b26d6db7c18840 (242 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep	3072:2wQLbYSafkml/iWThU5HLGLyJLzlxDwRj+kPBovwqDeFv1Vfmz8WVo9tRMmE:2fafkw6WThU5rYWzPMt+9vbCF9V+zot
Threatray	993 similar samples on MalwareBazaar
TLSH	68441255EBD483BCF81AAA3DD7052C56060FA73082BD36077DCF9495983A412F80FE6A
Reporter	nao_sec
Tags:	RigEK Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

886

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

rv223.exe

Verdict:

Malicious activity

Analysis date:

2020-12-24 12:44:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0f36eac3-613a-4cee-90b9-c9e5f6d3d88f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/109334/

Detection(s):

PUA.Win.Packer.Upx-48

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Connection attempt to an infection source

Deleting of the original file

Enabling autorun by creating a file

Result

Verdict:

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/569712

Signature

Benign windows process drops PE files

Binary contains a suspicious time stamp

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Renames NTDLL to bypass HIPS

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/26b4090ea03cb2f43a604a162c3784ad904262add41a51117dd7e5e4ccb188de/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2020-12-24 12:47:05 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Verdict:

malicious

Smoke Loader

325bc657917b6e6a7fae45b50809420e6eac3e6b5f26ef4bdd6a06e211b8f2ea

Smoke Loader

40e7d0c9f2e846c55ab450848c817c58c1423ec2f9af57595fc8a829af63fa63

Smoke Loader

53cfe75633ae2ccb068192d7071891e758e197d8c4f781b7fdf5b2e6055b496b

Smoke Loader

854d167ff218c5caa012baaa7bb80a2bfdd1ec9c4c6b3a66bef57240ade29422

Smoke Loader

8d866143a0500afc1c1f364ff2602505e9da32ffe774c06565ca985027fd6815

Smoke Loader

8fdda9cf5e6a377ee2a95251b3cddf813824686b679d9b478a7459d1f5c90749

Smoke Loader

e4d86e9fc3eb581d4838ee77239e08dd4e7fb0925471bafac1576ec12d11f1b0

Smoke Loader

ee4a192729f039c2b5829259f58443b9f6564f2d4973e315cc9437bfd166f536

Smoke Loader

f69bdd82ca22268d090832707e37b1cae408ba96476843b55feedac11acc6277

Smoke Loader

+ 983 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan upx

Link:

https://tria.ge/reports/201224-2f24kgtzma/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Deletes itself

Loads dropped DLL

SmokeLoader

Malware Config

C2 Extraction:

http://etasuklavish.today/
http://mragyzmachnobesdi.today/
http://kimchinikuzims.today/
http://slacvostinrius.today/
http://straponuliusyn.today/
http://grammmdinss.today/
http://viprasputinsd.chimkent.su/
http://lupadypa.dagestan.su/
http://stoknolimchin.exnet.su/
http://musaroprovadnikov.live/
http://teemforyourexprensiti.life/
http://stolkgolmishutich.termez.su/
http://roompampamgandish.wtf/

Unpacked files

SH256 hash:

26b4090ea03cb2f43a604a162c3784ad904262add41a51117dd7e5e4ccb188de

MD5 hash:

dd567d0e96f65f9d3ad4f2104a916afe

SHA1 hash:

b1746857545bddb127d31a9d9330267518b890d6

Link:

https://www.unpac.me/results/024f8289-6e7d-41a6-aaea-de976bd4860d/

SH256 hash:

56c69eb6068868cd3eee43217efc865d4213bb0288576fb8f878f82a6006356b

MD5 hash:

93b324173ddc37e20440dc351e99b29e

SHA1 hash:

15ef17d4e94e4cd71afe5b96cdc243893267d45c

Link:

https://www.unpac.me/results/024f8289-6e7d-41a6-aaea-de976bd4860d/

SH256 hash:

87a3c4342a6402d61c4ce13d684a34962b4d2a5b71d698fb0b653265279a14b5

MD5 hash:

ff5ddabdd6a1ba4730b4864ecab29230

SHA1 hash:

66477e07c00471c89414b2906bb95f28a8db613a

Link:

https://www.unpac.me/results/024f8289-6e7d-41a6-aaea-de976bd4860d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.44

Link:

https://yomi.yoroi.company/submissions/26b4090ea03cb2f43a604a162c3784ad904262add41a51117dd7e5e4ccb188de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/109334/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample