MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38e999b667e1396ec4793fd9bd4f5abfde6f5ef3c5faaebfcd29d345350cf76f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	38e999b667e1396ec4793fd9bd4f5abfde6f5ef3c5faaebfcd29d345350cf76f
SHA3-384 hash:	e771f0c7a75154b295cfb31bd1a1e0273a09f62b0152d52ee5b6f59f4a959fb523412901a48d05099e4e87641ba4d2de
SHA1 hash:	03097a9a1d2824a16a3a84c4c765c0fc09954153
MD5 hash:	212817a2439b3d3b034ce5ddf32b69b0
humanhash:	dakota-four-delta-stairway
File name:	212817a2439b3d3b034ce5ddf32b69b0.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	311'808 bytes
First seen:	2022-12-20 09:47:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2672dcb5d3f18e5d541d0c4a1fc7ed24 (12 x Smoke Loader, 9 x Tofsee, 1 x CoinMiner)
ssdeep	3072:z4z3Ls+mjpEE75l71MAQnUt1J1tWvvXnx+NasdASy65/1E3ZJyyjXgKG0xOKbyD9:C3LKqEmU9X6vXBn63QZImQKG0
Threatray	14'793 similar samples on MalwareBazaar
TLSH	T13964D0E033B0E872C962F6B14D2AC7D46E2EB8224964C62F761F361F6DB02D19576317
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	fcfc94949494dcc0 (3 x Smoke Loader, 1 x ArkeiStealer, 1 x Tofsee)
Reporter	abuse_ch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

212817a2439b3d3b034ce5ddf32b69b0.exe

Verdict:

Malicious activity

Analysis date:

2022-12-20 09:47:56 UTC

Tags:

trojan loader smoke

Link:

https://app.any.run/tasks/114dab33-aacb-4f07-8b8c-d60f54c92d6b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/348293/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Reading critical registry keys

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP GET request

Creating a process from a recently created file

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cbc0471f-2e67-4bf8-b0a0-a19fa475ac9b

Result

Threat name:

Pushdo, SmokeLoader

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1137818

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to resolve many domain names, but no domain seems valid

Writes to foreign memory regions

Yara detected Backdoor Pushdo

Yara detected SmokeLoader

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/38e999b667e1396ec4793fd9bd4f5abfde6f5ef3c5faaebfcd29d345350cf76f/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2022-12-20 05:40:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 40 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hduztnth4e4w5rdzh7m32t22x7pg6xxtyx5k5p6nfhjuknim65xq._file

Verdict:

malicious

Smoke Loader

6398eedbd6e607201e5d45ae0e6e8d77c0be0192b1603723b331958c7f460d5c

Smoke Loader

6fd73cc771295020132bff6d8cc6f7017c160e5e728f3e3fc2e7ebcd362f36ce

Smoke Loader

72844b2e6bd944f5dc28f0d7f03d45470aa098e7bd7f136977b61456cc210d9a

Smoke Loader

790113514a3ecca90d821e512b077ae3609bd1d5a0ba281c4bfd66984f0575e6

Smoke Loader

81f3a2b4d61c482d118d57f730657a3ddb68d0261cae8f5497765b5af4950ea8

Smoke Loader

ae9fc18e886fbf5071040cfe4ca2545ba25492c6fc43b9c10dc7c43520e6360c

Smoke Loader

b1bc71ae3b3f875ff87559e30f790a236d66aedd796fc6ef5ef9d4ca7ecb76da

Smoke Loader

e2fff4046bc76c585b24c5844f3ca0c45ce7dad03ac6bf15dde0bc410d0d684c

Smoke Loader

fa15592090d229e8590382d35f4015b268be58e855370df4214c95274d6be3d5

Smoke Loader

+ 14'783 additional samples on MalwareBazaar

Result

Malware family:

systembc

Score:

10/10

Tags:

family:danabot family:smokeloader family:systembc backdoor banker discovery trojan

Link:

https://tria.ge/reports/221220-lssp5ahb83/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Checks installed software on the system

Loads dropped DLL

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Danabot

Detects Smokeloader packer

SmokeLoader

SystemBC

Malware Config

C2 Extraction:

109.205.214.18:443

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/03b86b7b-d4fa-45c7-9a31-12fe04a8289b

Unpacked files

SH256 hash:

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383

MD5 hash:

cb4573fa9acae5c637fced7e7cb8192c

SHA1 hash:

d2145f53a192e768b8bfbf9b633941790424ff7f

Detections:

win_smokeloader_a2

SmokeLoaderStage2

Link:

https://www.unpac.me/results/ba88cdf0-973e-4c30-8e99-1810956a36e5/

Parent samples :

3b73e1cb5c1c3d233475e948a28edfbd7c464a7b7d550229955863d037a5f80c
de558a99c1d4f7035d717797fd54546bd8a563ea308856d6c776da4ac40e447c
e114b82dbb273f622092d7d379134f861879aea5c30855a9056d4b12299a4d0e
7cfa689eff77cd7a4162aa23bc8ee895cde76e042192eea618f3fb8f49ff4a30
ae95ce71367c487132095a7eb1dd2a93c7137cc596a390be560a6afa656754ff
d57ed914bd4e2ce9a741f527cdc6424ed00442ae82e99c81168b78ef7409ab37
a729b1edad51cceeac9a61f69e17f984d48983a9ca72a4bef36a6f48bae3611b
230a95dac1fdef00e1904669c4dfba51e077ccaabf663d0a1da9ef33f7ab5edb
e97eee4a59c1b94dfa4b759b89c68d213a2e585496b76b4233aa25079e6793e6
49453ac2bac7c816c02746c300aa90d8c645ac0d21d317bf6c1774f02508f718
2215fbfce2b9d29e5cf5da500b6e3e9a8b073c70165d3e21f6339133653aae87
4dc0de570728f75f844c7afb84ac6c809ef4620dac3b12a884ff9916f5b5b0ee
a1262ba069d6bf2d8569a43a4387f8423547f6f704f873ff08a3ee49f9e026cc
5f85758bb282680a9e3fcaa5676eaa25eb33703ae01954becfa883f6b47640da
cea5368149853373e7b3bc8c9f0ad2e3eb6c668b5a43af5bce1e2cf52366289a
bdef8b9c80a18a245d62ee4454dcc910912b589d9cc774a97049b47465820a30
61a252f24dadeb189da7930fc6807cdaa5c7c64d9d7bac1f6191aa71461a32b3
96499061f3cc12472b80926473bab2afd322b22637be12bc22cdfabcd143e149
04b0601a18d27105b71c35d5623d9f93b1860b07cc262fcdebe54ec99f9a05ce
65c66c06b934ddfa0e90df3fa57097fd85a8381edb43a75b320f88452b1b047f
73a9cb67da90dae4ee505f8dd558b0285d12e7f439a3a1b6859607c4c16031ff
ead7dd6f405550ced3745cfc15320bfd5fc5dedd1bcac65bf63833679365c353
88084fb90df134bad9d49e08773094b07b7ad521e33204ca32472792ccd2d972
38e999b667e1396ec4793fd9bd4f5abfde6f5ef3c5faaebfcd29d345350cf76f
881c03c857c94709c03fcfbd8cf9bfc11b3d1f3579f0198a88e646d62575ee58
af15f13244a94810f88fb859feffdcdd6793c1eb7298e71060f7181fc6f76e8b
71fa869efa924ab2112f97f4eeaee7062bddd34811ea29a8bb406047f08f9fc0
e5a0952711c2ab163c97a9b13e762724e3e9dc0fce6fe3a128900215baa45eab
c5072261b7b27698e90066a45e204fc5db137427d22133d6a34dfbce68a26e13
76e20bad590b31cd07652c1f1f7caddf4902bd344c4a2935abf3828e77a014cb
a2109e1dd33e4b0e486d0432a2a938775bfd74d14cb247ea7f91c791cc1943f5
89f601f3894c7831084af6e25ef673f67624a7afb93e8004e321af7202940997
cbbb43906ef2d45a68bfc7759bfa621a7878573c426076024f43113892fb8933
2f322ccd5f31968a168f37aab62f4d772dd485343994ac43e171f8e1deea08c1
45f886f87e8f5a34c1f5675dd91666da03065db2255cf9794c0941b730ca2d84
86fe386cc3662c6b8228b24edd8b41be9cb586b68cb33e6d2633dc79baf383ac
e07c6bdc0cde40da74a909112f3326f7a0a091517161221607e9b77032b6b990
e53a167c6e80f9392389e002cf0609f7f4b2cef439bb589459c07a8a5b9de8a1

SH256 hash:

38e999b667e1396ec4793fd9bd4f5abfde6f5ef3c5faaebfcd29d345350cf76f

MD5 hash:

212817a2439b3d3b034ce5ddf32b69b0

SHA1 hash:

03097a9a1d2824a16a3a84c4c765c0fc09954153

Link:

https://www.unpac.me/results/ba88cdf0-973e-4c30-8e99-1810956a36e5/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/38e999b667e1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/38e999b667e1396ec4793fd9bd4f5abfde6f5ef3c5faaebfcd29d345350cf76f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe 38e999b667e1396ec4793fd9bd4f5abfde6f5ef3c5faaebfcd29d345350cf76f

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2432863/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/348293/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample