MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe
SHA3-384 hash:	606ec46f7e66e2d1758504f2026e832d66acd09df3e2ba9e2bd37541f0fb0f93bd8e246d106bd9230f129eb90d1dd890
SHA1 hash:	beb9a2689b12f5efa50792409c7fb8e813e3c39d
MD5 hash:	b9c6c88fefc90618d568ed4eab543558
humanhash:	five-freddie-william-potato
File name:	SecuriteInfo.com.Win32.GenKryptik.ELUY.3072
Download:	download sample
File size:	114'576 bytes
First seen:	2020-06-04 13:31:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	80a8667e5efadfdd6dde3af4dc7eaf39
ssdeep	1536:Kxah2BYOVMsGZLt6WmFk1ZFVXz4HE7bhjXj:+aRa2HL7Ekxjz
Threatray	152 similar samples on MalwareBazaar
TLSH	7CB35A22B42CAEECF49F50719D801CF297D15DE2D911067F31FA7FA627F0E428A09996
Reporter	SecuriteInfoCom

Code Signing Certificate

Organisation:	CEKTEKWXYTETHOVVGW
Issuer:	CEKTEKWXYTETHOVVGW
Algorithm:	sha1WithRSA
Valid from:	May 23 19:52:25 2020 GMT
Valid to:	Dec 31 23:59:59 2039 GMT
Serial number:	-2D702F2B6BFAB243B9A3ECB3219E078E
Thumbprint Algorithm:	SHA256
Thumbprint:	A6CF96DED5C43638804D44B0FF36B3419FCB3CF6371B464EF0E4A14FB7612AE5
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

1

# of downloads :

69

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.GenKryptik.ELUY.3072.UNOFFICIAL

PUA.Win.Adware.Browsefox-6628766-0

PUA.Win.Trojan.Generic-6629274-0

Gathering data

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2020-06-04 10:55:13 UTC

File Type:

PE (Exe)

Extracted files:

25

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

2ba5b16b9ce46066c1122bad1fc5feb3de0743451c6603b98e3d0ffe6f9cc019

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91

95a4cf409c7e7813bfa744598bee2e0e572b2d05ec31622867237ea6dab8a813

9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63

cb663a4fa79cb0fcb52c3049b65b1a012c45e72badc13c931fc2c72a8a94dcca

d7a340421f260de130a285233b110130fbccd2f26f1f70fc1600bf2855073017

d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740

e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7

e7c777cc2838334214d3349178f52cd2fdce9138cbd51de1c62bcc73a3478a4f

e91568f40d148d2bdf04cf14156febbbb0d72e10b876c38d0900e0a66cb8706f

+ 142 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor cryptone packer trojan

Link:

https://tria.ge/reports/201109-y1afjb6y9j/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Deletes itself

Loads dropped DLL

Executes dropped EXE

CryptOne packer

SmokeLoader

Malware Config

C2 Extraction:

http://transvil2.xyz/index.php

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/379067/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample