MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30a0834cb7fcd0232929e53c63e45fce83704c31fbcf1c32bb5a37db6be84931. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30a0834cb7fcd0232929e53c63e45fce83704c31fbcf1c32bb5a37db6be84931
SHA3-384 hash: 7752549d5a6a368dcc99c2082f5445db809b5f2545cd654592d0bf0aa744968904e237e3efd96ee70b0577e16d6e3236
SHA1 hash: b41df43848ce4fc86e81ae6b6f4706e09b1da432
MD5 hash: 028bda2c761bfaf2666e2cc90b09f948
humanhash: uniform-south-mountain-winner
File name:028bda2c761bfaf2666e2cc90b09f948.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:342'528 bytes
First seen:2021-12-16 08:49:52 UTC
Last seen:2021-12-16 11:17:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4dbb8565a3af7ad0eaed683cddb0f9e1 (7 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:E75UX8V/Qajuj/NQ5kC3QhD8MMCL8mmayOaW8EQpw:4EfuYQp3QhD8VCL7may0Yp
Threatray 3'132 similar samples on MalwareBazaar
TLSH T117748D006AE1C035F1B752F45AB6A77DA53E3EA16B3490CF13D516EA5A786E0EC3031B
File icon (PE):PE icon
dhash icon b2dacabecee6baa2 (33 x RedLineStealer, 30 x Smoke Loader, 28 x Stop)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://92.255.85.131/img/rundll32.exe
Verdict:
Malicious activity
Analysis date:
2021-12-16 05:14:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cd8095ab-2f9f-454f-bd75-c5e7b53d050b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214516/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.8050.4642.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Searching for synchronization primitives
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Running batch commands
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2206/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61bafdbf6daa353fa3b4d66a/reports/2ce15b48-531b-4612-b179-d5ade90bec0c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0cbca32c-a5ca-4af6-a468-c40887011c67
Result
Threat name:
Phoenix Miner SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908375
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Phoenix Miner
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 540852 Sample: uWyOk2mCws.exe Startdate: 16/12/2021 Architecture: WINDOWS Score: 100 91 raw.githubusercontent.com 2->91 93 github.com 2->93 111 Antivirus detection for dropped file 2->111 113 Multi AV Scanner detection for dropped file 2->113 115 Multi AV Scanner detection for submitted file 2->115 117 5 other signatures 2->117 11 uWyOk2mCws.exe 2->11         started        13 wbgchuj 2->13         started        signatures3 process4 signatures5 16 uWyOk2mCws.exe 11->16         started        143 Machine Learning detection for dropped file 13->143 19 wbgchuj 13->19         started        process6 signatures7 103 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->103 105 Maps a DLL or memory area into another process 16->105 107 Checks if the current machine is a virtual machine (disk enumeration) 16->107 21 explorer.exe 3 5 16->21 injected 109 Creates a thread in another existing process (thread injection) 19->109 process8 dnsIp9 95 92.255.85.131, 49767, 49771, 80 SOVTEL-ASRU Russian Federation 21->95 73 C:\Users\user\AppData\Roaming\wbgchuj, PE32 21->73 dropped 75 C:\Users\user\AppData\Local\Temp\567.exe, PE32+ 21->75 dropped 77 C:\Users\user\...\wbgchuj:Zone.Identifier, ASCII 21->77 dropped 121 System process connects to network (likely due to code injection or exploit) 21->121 123 Benign windows process drops PE files 21->123 125 Injects code into the Windows Explorer (explorer.exe) 21->125 127 3 other signatures 21->127 26 567.exe 1 22 21->26         started        31 RegHost.exe 14 21->31         started        33 explorer.exe 21->33         started        35 2 other processes 21->35 file10 signatures11 process12 dnsIp13 97 github.com 140.82.121.4, 443, 49772, 49773 GITHUBUS United States 26->97 99 raw.githubusercontent.com 185.199.108.133, 443, 49774, 49777 FASTLYUS Netherlands 26->99 83 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 26->83 dropped 85 C:\Users\user\AppData\Roaming\...\7z.exe, PE32+ 26->85 dropped 87 C:\Users\user\AppData\Roaming\...\7z.dll, PE32+ 26->87 dropped 89 2 other files (none is malicious) 26->89 dropped 129 Detected unpacking (overwrites its own PE header) 26->129 131 Machine Learning detection for dropped file 26->131 133 Writes to foreign memory regions 26->133 135 Modifies the context of a thread in another process (thread injection) 26->135 37 bfsvc.exe 1 26->37         started        40 cmd.exe 1 26->40         started        42 cmd.exe 1 26->42         started        52 2 other processes 26->52 101 192.168.2.1 unknown unknown 31->101 137 Allocates memory in foreign processes 31->137 139 Hides threads from debuggers 31->139 141 Injects a PE file into a foreign processes 31->141 44 cmd.exe 31->44         started        46 cmd.exe 31->46         started        48 conhost.exe 31->48         started        50 bfsvc.exe 31->50         started        file14 signatures15 process16 signatures17 119 Hides threads from debuggers 37->119 54 conhost.exe 37->54         started        56 7z.exe 2 40->56         started        59 conhost.exe 40->59         started        61 conhost.exe 42->61         started        63 7z.exe 1 42->63         started        65 7z.exe 44->65         started        67 conhost.exe 44->67         started        69 conhost.exe 46->69         started        71 7z.exe 46->71         started        process18 file19 79 C:\Users\user\AppData\...\RegHost_Temp.exe, PE32+ 56->79 dropped 81 C:\Users\user\AppData\...\RegData_Temp.exe, PE32+ 65->81 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30a0834cb7fcd0232929e53c63e45fce83704c31fbcf1c32bb5a37db6be84931/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-12-16 08:50:08 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcqigtfx7ticgkjj4u6ghzc7z2bxatbr7phrymv3li35w27ijeyq._file
Verdict:
malicious
Similar samples:
1a78aaf6aae3b9d9a32dc6c8cfe9182043f71a3d44e727464ab95a70fc24bbe8
Smoke Loader
1b8dab946d42aa832cfd9df68593c311e979491f2bd7df7f6f1acb9427215b68
Smoke Loader
5e6932fbfebe00b2c44d7e74bb8409b55ad7abe92507c56887ded333684fcd92
Smoke Loader
68e731d3431bc9223c2ff57b2d319194c4a6b8027e15c75f16b841bc78499172
Smoke Loader
808a1353be2e23a511c577b86ca5c2e37ee4a30d8b5abde669e7cc2f9d91d5e2
Smoke Loader
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
Smoke Loader
91a949a238f887601af94c9ab7921352102b1edc24aba6e4ab6d726a8c314843
Smoke Loader
a99dfa4b60347edac3d2083c96df817bc3dfdc3c206be400723abb594cdb510b
Smoke Loader
ad5592929818b5ee09b99dddb8a652d84621e0b70efe51c2f2b6ca54aeaa3713
Smoke Loader
e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141
Smoke Loader
+ 3'122 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor persistence trojan
Link:
https://tria.ge/reports/211216-krlpracdaj/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://92.255.85.131/
Unpacked files
SH256 hash:
2710783f0590235e3dcc5a2dfbee7d2d1c5ce1717a29bfabc128bab5a91d45d5
MD5 hash:
3d7a4d26a473a3d4c005f995da9cfa52
SHA1 hash:
ad830c9b2a947fed37b8eaf12247e1e58de85d3d
Link:
https://www.unpac.me/results/7959c787-f825-4fbf-8646-a83591693942/
SH256 hash:
30a0834cb7fcd0232929e53c63e45fce83704c31fbcf1c32bb5a37db6be84931
MD5 hash:
028bda2c761bfaf2666e2cc90b09f948
SHA1 hash:
b41df43848ce4fc86e81ae6b6f4706e09b1da432
Link:
https://www.unpac.me/results/7959c787-f825-4fbf-8646-a83591693942/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30a0834cb7fcd0232929e53c63e45fce83704c31fbcf1c32bb5a37db6be84931

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 30a0834cb7fcd0232929e53c63e45fce83704c31fbcf1c32bb5a37db6be84931

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/214516/
  
URLhaus
https://urlhaus.abuse.ch/url/1888488/
  
Delivery method
Distributed via web download

Comments