MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 380352f1c2acc2574f8eb08b31232252835758f1c35229c07ae48b375508adf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 380352f1c2acc2574f8eb08b31232252835758f1c35229c07ae48b375508adf0
SHA3-384 hash: 07fc1ce3a7ab3045b689ee71e96709765c6f86898287c8c9092a80932070c6569b19265983d55df87c8128875599c303
SHA1 hash: a1d1ef852d252d15d5941defc7b61cca9fc30c25
MD5 hash: 47db896b82f4207a7d2ce151f04761aa
humanhash: india-neptune-angel-carpet
File name:47db896b82f4207a7d2ce151f04761aa
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:181'760 bytes
First seen:2022-04-25 16:19:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 480c874302fc8eb293e686340caabe12 (9 x RedLineStealer, 1 x Smoke Loader)
ssdeep 1536:0+cQHnTqlqe+vpPI7NuGwduLSwzUuwmSbpWuoeYIJmg//MONMa+ynWzZBprCzB:rc6TKwCdpKuw51/1RXMO2FpGzB
Threatray 9'221 similar samples on MalwareBazaar
TLSH T11504AE117BF1C033D0A349305974D6A2AA6FFCA26B7045CB27A8C27D2E712D18EB5767
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266489/
Detection(s):
Win.Malware.Filerepmalware-9941437-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6266ca09fac433a7cc860371/reports/aa48f29f-4196-4a91-9e66-f7e9f83cbadc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/105696d0-455a-49a6-a73c-336ff194b81b
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982578
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution of Suspicious File Type Extension
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 615068 Sample: uHqzhVgnuU Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Antivirus detection for URL or domain 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 4 other signatures 2->47 8 uHqzhVgnuU.exe 2->8         started        11 rfgwsbg 2->11         started        process3 signatures4 57 Contains functionality to inject code into remote processes 8->57 59 Injects a PE file into a foreign processes 8->59 13 uHqzhVgnuU.exe 8->13         started        61 Multi AV Scanner detection for dropped file 11->61 16 rfgwsbg 11->16         started        process5 signatures6 71 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->71 73 Maps a DLL or memory area into another process 13->73 75 Checks if the current machine is a virtual machine (disk enumeration) 13->75 18 explorer.exe 3 13->18 injected 77 Creates a thread in another existing process (thread injection) 16->77 process7 dnsIp8 37 afrocalite.ga 176.57.214.40, 49754, 49755, 80 TIMEWEB-ASRU Russian Federation 18->37 33 C:\Users\user\AppData\Roaming\rfgwsbg, PE32 18->33 dropped 35 C:\Users\user\...\rfgwsbg:Zone.Identifier, ASCII 18->35 dropped 49 Benign windows process drops PE files 18->49 51 Injects code into the Windows Explorer (explorer.exe) 18->51 53 Deletes itself after installation 18->53 55 2 other signatures 18->55 23 explorer.exe 12 18->23         started        27 explorer.exe 18->27         started        29 explorer.exe 18->29         started        31 6 other processes 18->31 file9 signatures10 process11 dnsIp12 39 afrocalite.ga 23->39 63 System process connects to network (likely due to code injection or exploit) 23->63 65 Found evasive API chain (may stop execution after checking mutex) 23->65 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->67 69 4 other signatures 23->69 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/380352f1c2acc2574f8eb08b31232252835758f1c35229c07ae48b375508adf0/
Threat name:
Win32.Trojan.RealProtectPENGSD
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 01:45:39 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
32 of 41 (78.05%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
38ccecf332445e56428fba1f9352f2977b3afdfe31f84d69ea50129079d9344b
Smoke Loader
49c7ce5e90b5bce33ac0ea6f02d309e030e81462e290e83403048822e52b1500
Smoke Loader
780aee300d0f8eba4233484b475aa6a0109e40d0bec49d1d7fd4435846ca6608
Smoke Loader
808a1353be2e23a511c577b86ca5c2e37ee4a30d8b5abde669e7cc2f9d91d5e2
Smoke Loader
b8e63ce3226f61cde7d51196c3ca300ca39882f4715e87938ed5d3ae68ef879d
Smoke Loader
cc15573c85379c9dd96f926c62a62f402a95052ed65b616daf881e0dae9ee674
Smoke Loader
cdcb92f83216720f2d567392a6a4d9bc1b90b3f900b783934a402d310ae5ff46
Smoke Loader
ef538d7c9dbc1375659c258adcc719b020621b8ced9666032ec2a823192a5608
Smoke Loader
+ 9'211 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220425-ts3jbscfd7/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
SmokeLoader
Malware Config
C2 Extraction:
http://afrocalite.ga/
http://clasique.ga/
http://cretenom.ga/
Unpacked files
SH256 hash:
254a4eff70b7e509a262c8087e676e64aadb6a551d798ebf031788dc882dfee0
MD5 hash:
024bbea044eb00a9eca604a2c5c36ddf
SHA1 hash:
5bb8d5b48b6d13738f1750c5ee5562766fb0389a
Link:
https://www.unpac.me/results/d595573c-0222-40c4-a87f-cd0138682891/
SH256 hash:
380352f1c2acc2574f8eb08b31232252835758f1c35229c07ae48b375508adf0
MD5 hash:
47db896b82f4207a7d2ce151f04761aa
SHA1 hash:
a1d1ef852d252d15d5941defc7b61cca9fc30c25
Link:
https://www.unpac.me/results/d595573c-0222-40c4-a87f-cd0138682891/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/380352f1c2ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/380352f1c2acc2574f8eb08b31232252835758f1c35229c07ae48b375508adf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb
Create hunting rule
Author:@stvemillertime
Description:Searching for PE files with PDB path keywords, terms or anomalies.
Rule name:pdb2
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 380352f1c2acc2574f8eb08b31232252835758f1c35229c07ae48b375508adf0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2163850/
Cape
Cape
https://www.capesandbox.com/analysis/266489/

Comments


Avatar
zbet commented on 2022-04-25 16:19:12 UTC

url : hxxp://198.23.212.189/110/vbc.exe