MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779
SHA3-384 hash: 80860117815ed9339f367dbff38adf7c554c617578a5c9eefb4ad52a3877501a3c809d9a861fadfd58a76ba8a59b420f
SHA1 hash: 44d390989c6eda758ae79f29b828eed29aafe9ea
MD5 hash: d8707a3f53ddef25bb5fdd57d30cbec9
humanhash: princess-venus-jersey-golf
File name:d8707a3f53ddef25bb5fdd57d30cbec9
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:197'632 bytes
First seen:2023-10-02 09:19:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7af6f3315c82464c60fc734ddad5dae4 (4 x Smoke Loader, 1 x Tofsee, 1 x MarsStealer)
ssdeep 3072:VeID6VhHhDpJrzKY91Bc9fHrDhqfvBDZqatU/CcO5mfovVi:ahBDpJrzLBc9AXVZq8U/tQVi
Threatray 4'886 similar samples on MalwareBazaar
TLSH T19C14D0603AF0FCB2E5AB44308575CAA06DBBB8725BB0854F3758162F5E712C1B76A317
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000a088a22129c0 (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452582/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/651a8b4333582f234e097a4b/reports/2a2d89a4-1128-431a-a542-ba6e3bae4ee0/overview
Verdict:
Malicious
Labled as:
Ransom.E605D898
Link:
https://www.hybrid-analysis.com/sample/2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e8d0a4f-47d1-480a-9618-3380b2aeca30
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1317819
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1317819 Sample: uDtn1lMsJR.exe Startdate: 02/10/2023 Architecture: WINDOWS Score: 100 26 Multi AV Scanner detection for domain / URL 2->26 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 5 other signatures 2->32 6 uDtn1lMsJR.exe 2->6         started        9 irfvbtc 2->9         started        process3 signatures4 34 Detected unpacking (changes PE section rights) 6->34 36 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 6->36 38 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 6->38 46 2 other signatures 6->46 11 explorer.exe 2 9 6->11 injected 40 Multi AV Scanner detection for dropped file 9->40 42 Machine Learning detection for dropped file 9->42 44 Maps a DLL or memory area into another process 9->44 process5 dnsIp6 20 95.158.162.200, 49796, 80 VIDEOSATBG Bulgaria 11->20 22 186.182.55.44, 49798, 49804, 49807 TechtelLMDSComunicacionesInteractivasSAAR Argentina 11->22 24 7 other IPs or domains 11->24 16 C:\Users\user\AppData\Roaming\irfvbtc, PE32 11->16 dropped 18 C:\Users\user\...\irfvbtc:Zone.Identifier, ASCII 11->18 dropped 48 System process connects to network (likely due to code injection or exploit) 11->48 50 Benign windows process drops PE files 11->50 52 Deletes itself after installation 11->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->54 file7 signatures8
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 09:20:05 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7un3hpuxf2a2wafermr5bopt4pubxcnwakxy7we74r2ijbtq54q._file
Verdict:
malicious
Similar samples:
07f743e4eed0f2153b18bc67b807e5b87e529c7c1cc85fa046a01f9367c95894
Smoke Loader
10988c7fbd4f94110d10d6962cad868080052c4a31e4f46f30f4367d2c0f18b7
Smoke Loader
13dca1d18ac5888b9284efa2797c89acfbba831e42bbd6f575ef9220fcde4968
Smoke Loader
4524b3d7da9557b4a86a91653dbd8298d520e56038bc1e5a663dcb83923c7325
Smoke Loader
552eb6562af0197267e45913bfb6e377078ae847a0a908f41204fc9a6b93f3d4
Smoke Loader
55e862d782e6a2e36efb809824618c127ca221cefcc4dd83971ef88985bd6309
Smoke Loader
659c9acbc97bcec2af59a6d8a750fea3992121eb026aea71efb050d8017ce620
Smoke Loader
712cf06bcef3ff8dccd7d96981de689bd1913610594ea2475aa99eee31654837
Smoke Loader
7f68c5f19e7ba5e178765afe3e3fd09082d38ad58df2a6f6a1bdd9b537beb62d
Smoke Loader
b84dca43f767fdbd21c84088690a3027be608c56ae00568e79ce12225a96d28c
Smoke Loader
+ 4'876 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub2 backdoor trojan
Link:
https://tria.ge/reports/231002-laq4ksac64/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
998d2214e55d69906d35ca50879fff88e9bf0e224e8395800c7422f437ae1bf1
MD5 hash:
cd1261de6639744c3a586541d26cff78
SHA1 hash:
6d34c6fa4706035c67bf50a593790a33383c91da
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/b0a041e7-5018-4666-bd74-8aa7f5c53872/
Parent samples :
2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779
ea3c57beba44f6c55a756624401781f91ff6ad81d2070e9a1ed7e777f8596902
63051a26214380ad54dde0ce6d6568050a9dda22f2f3f52616c355ee0edf4eda
f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673
73bf87821c4d157431ad75b465ce9f61486b12e8e3e86505c49a19348a3146d5
17ba75bcbbc244b204a9f2d3981df4c3161f53b47f167a1b953eba08e7a4a394
SH256 hash:
2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779
MD5 hash:
d8707a3f53ddef25bb5fdd57d30cbec9
SHA1 hash:
44d390989c6eda758ae79f29b828eed29aafe9ea
Link:
https://www.unpac.me/results/b0a041e7-5018-4666-bd74-8aa7f5c53872/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2fe8dd9df4b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2715651/
  
URLhaus
https://urlhaus.abuse.ch/url/2715652/
  
URLhaus
https://urlhaus.abuse.ch/url/2715620/
Cape
Cape
https://www.capesandbox.com/analysis/452582/

Comments


Avatar
zbet commented on 2023-10-02 09:19:55 UTC

url : hxxps://dpecalgerie.com/tmp/index1.php