MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45ca998d1635449e0022fae1b23affef9cbbc10ae555a7001b73b6f863585766. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45ca998d1635449e0022fae1b23affef9cbbc10ae555a7001b73b6f863585766
SHA3-384 hash: f7f3f0af947cbd92b9d0648d74fef18771fb6b86b48152373acc997a4656532e2b68e69df1b0626452109f3fe1f4aa89
SHA1 hash: 2e7d532c6cd4f5502f9c65b329397158393a4cc6
MD5 hash: e4f88c1aa49a3b0810e1b48a2ba6a6e8
humanhash: illinois-october-xray-connecticut
File name:SecuriteInfo.com.W32.AIDetectGBM.malware.01.25871.27351
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:292'352 bytes
First seen:2021-02-21 11:54:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1e5595c61ce7c73ba766ac6905c9b53 (1 x Smoke Loader, 1 x TriumphLoader)
ssdeep 6144:UwlhoXLJKhCqGQVj59FDUSr5/g0ZLkdATWb/BOa:9NGQl5jt5o0ZOyw/E
Threatray 231 similar samples on MalwareBazaar
TLSH 3A547E00BBA0C439F7BB13F44DB6936CA9397EA16B2450CB52D52AEE56346E0EC31357
Reporter SecuriteInfoCom
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118141/
Detection(s):
SecuriteInfo.com.W32.AIDetectGBM.malware.01.25871.27351.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file
Creating a window
Launching a process
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Deleting a recently created file
Replacing files
Connection attempt to an infection source
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613414
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355723 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 21/02/2021 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for domain / URL 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected SmokeLoader 2->61 63 2 other signatures 2->63 8 SecuriteInfo.com.W32.AIDetectGBM.malware.01.25871.exe 1 2->8         started        11 wffeaij 1 2->11         started        process3 file4 65 Detected unpacking (changes PE section rights) 8->65 67 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->67 69 Renames NTDLL to bypass HIPS 8->69 14 explorer.exe 5 8->14 injected 37 C:\Users\user\AppData\Local\Temp\1F19.tmp, PE32 11->37 dropped 71 Maps a DLL or memory area into another process 11->71 73 Checks if the current machine is a virtual machine (disk enumeration) 11->73 75 Creates a thread in another existing process (thread injection) 11->75 signatures5 process6 dnsIp7 45 losm.ch 162.0.235.69, 49730, 80 NAMECHEAP-NETUS Canada 14->45 47 jibw.top 34.105.179.188, 49727, 49728, 49729 GOOGLEUS United States 14->47 39 C:\Users\user\AppData\Roaming\wffeaij, PE32 14->39 dropped 41 C:\Users\user\...\wffeaij:Zone.Identifier, ASCII 14->41 dropped 43 C:\Users\user\AppData\Local\Temp\13CC.exe, PE32 14->43 dropped 49 Benign windows process drops PE files 14->49 51 Injects code into the Windows Explorer (explorer.exe) 14->51 53 Deletes itself after installation 14->53 55 2 other signatures 14->55 19 13CC.exe 2 14->19         started        22 explorer.exe 14->22         started        file8 signatures9 process10 file11 27 C:\Users\user\AppData\Local\Temp\...\13CC.tmp, PE32 19->27 dropped 24 13CC.tmp 26 114 19->24         started        process12 file13 29 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 24->29 dropped 31 C:\Program Files (x86)\...\is-HAKOB.tmp, PE32 24->31 dropped 33 C:\Program Files (x86)\...\is-GI31V.tmp, PE32 24->33 dropped 35 33 other files (none is malicious) 24->35 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45ca998d1635449e0022fae1b23affef9cbbc10ae555a7001b73b6f863585766/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-02-21 10:17:13 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0969327fda05101320538ec7c3df4ca3a024fdffc9ff58bcf5570a0960bd9df7
Smoke Loader
170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
Smoke Loader
4b1f2c18b149fd0e878c362ffba50bb553d7bea93a795b33e398d032dc0b7663
Smoke Loader
6745aeb1cc8de5e42a94850247ea3d54c65865c95c2492006cf8a7b44da2a961
Smoke Loader
7af038d2f4f41c0d130aaa1e4557d821e2b7f4c6bda2be44300e229cd5c721df
Smoke Loader
8287906a9a9338d4bc89276bf8086347d32120cf3a5075e16d105d610c3e4da5
Smoke Loader
c17029c38a9daf87e7e19c2e241e9a0eaba1979787f26de55dcd66980b015f00
Smoke Loader
cb76c19c178a71a5115ee308b51de416255de06d4e8226fdda8e59275a519c14
Smoke Loader
dc0715adb07b65af47d660aa7582f9ecdfc770606f1a852fe1aa7a643bba7543
Smoke Loader
e7e4c086f54086b129715c584777c2d920a9443a6ba85d4ea5e6d63b8eeb5b9e
Smoke Loader
+ 221 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor discovery trojan
Link:
https://tria.ge/reports/210221-7z552jczke/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Executes dropped EXE
SmokeLoader
Unpacked files
SH256 hash:
5238243128b2fd3fe6792809699da27f5d7c925272113a14d469940c3127cefc
MD5 hash:
b4c90db6aff1234e77a40ec93a8bda1f
SHA1 hash:
2d4efcc51916cb0b746511738fd9ada117852625
Link:
https://www.unpac.me/results/e813dfb3-b9ef-46d5-8907-2717a78873e3/
SH256 hash:
45ca998d1635449e0022fae1b23affef9cbbc10ae555a7001b73b6f863585766
MD5 hash:
e4f88c1aa49a3b0810e1b48a2ba6a6e8
SHA1 hash:
2e7d532c6cd4f5502f9c65b329397158393a4cc6
Link:
https://www.unpac.me/results/e813dfb3-b9ef-46d5-8907-2717a78873e3/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 45ca998d1635449e0022fae1b23affef9cbbc10ae555a7001b73b6f863585766

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1022106/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118141/

Comments