MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4853dce1d9a8c51244022d226378df142740101b09fa321830628612d6e6f284. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4853dce1d9a8c51244022d226378df142740101b09fa321830628612d6e6f284
SHA3-384 hash: 1dbc453ff80c1b289a839147dea6705517d92819d9914a644cca5a479146fd5a090b32d593055d8ccb4dcf9f635a548b
SHA1 hash: 2cb73fdd310fa8f7cde90cfce3074173686398f3
MD5 hash: 0b2a0cb07620ea21cb61d9a0ef9dba48
humanhash: magnesium-network-quebec-magnesium
File name:SecuriteInfo.com.W32.AIDetect.malware1.20229.26823
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:308'736 bytes
First seen:2021-03-11 04:42:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cc4b17d0e5d5a1e26966b8ee27266b0b (5 x Smoke Loader, 1 x DanaBot)
ssdeep 6144:HL8DusAGBjFq/JxydVMtHqTrKRQKduV5SdDJV:HLM3AGBjEJYWqHWsHO
Threatray 291 similar samples on MalwareBazaar
TLSH 88648D30B7A0C034F0B612BC49769379AA297EB1A724A1CF56D02EEB56B46F4DC30757
Reporter SecuriteInfoCom
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware1.20229.26823
Verdict:
No threats detected
Analysis date:
2021-03-11 04:44:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c9704219-5742-4b9b-b9a4-101c36a72b7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123670/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.20229.26823.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Searching for the window
Changing a file
Sending a custom TCP request
Connection attempt to an infection source
Forced shutdown of a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/636391
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 367171 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 11/03/2021 Architecture: WINDOWS Score: 100 52 Yara detected SmokeLoader 2->52 54 Machine Learning detection for sample 2->54 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->56 58 Binary contains a suspicious time stamp 2->58 8 SecuriteInfo.com.W32.AIDetect.malware1.20229.exe 2->8         started        11 stfrjgt 2->11         started        13 explorer.exe 4 185 2->13         started        15 SearchUI.exe 2->15         started        process3 signatures4 60 Detected unpacking (changes PE section rights) 8->60 62 Contains functionality to inject code into remote processes 8->62 64 Injects a PE file into a foreign processes 8->64 17 SecuriteInfo.com.W32.AIDetect.malware1.20229.exe 1 8->17         started        66 Machine Learning detection for dropped file 11->66 20 stfrjgt 1 11->20         started        process5 file6 42 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->42 44 Renames NTDLL to bypass HIPS 17->44 46 Maps a DLL or memory area into another process 17->46 23 explorer.exe 3 17->23 injected 30 C:\Users\user\AppData\Local\Temp\4DD3.tmp, PE32 20->30 dropped 48 Checks if the current machine is a virtual machine (disk enumeration) 20->48 50 Creates a thread in another existing process (thread injection) 20->50 signatures7 process8 dnsIp9 36 10022020test125831-service1002012510022020.space 23->36 38 10022020newfolder3100231-service1002.space 23->38 40 7 other IPs or domains 23->40 32 C:\Users\user\AppData\Roaming\stfrjgt, PE32 23->32 dropped 34 C:\Users\user\...\stfrjgt:Zone.Identifier, ASCII 23->34 dropped 68 Benign windows process drops PE files 23->68 70 Deletes itself after installation 23->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->72 28 WerFault.exe 17 9 23->28         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4853dce1d9a8c51244022d226378df142740101b09fa321830628612d6e6f284/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-03-11 04:43:05 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0cac1630f56f25462bfc12aeeeb52d4eb515783c5cba8fd74d715e2e46adaca6
Smoke Loader
170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
Smoke Loader
290980462cb21d689c20276b2aac1aa8dc704b237235723e847199a109218e1e
Smoke Loader
4b74a532f2a5da62ae4298b75c9dc13ec959810a66c34aaefdf6b58c067396dd
Smoke Loader
666a5a0354a5f37b2de59a69f8dab856b9f7bb478bbdd2a996e040fe2b839650
Smoke Loader
854d167ff218c5caa012baaa7bb80a2bfdd1ec9c4c6b3a66bef57240ade29422
Smoke Loader
d5efd66f54dce6b51870e40a458fa30de366a2982ab2f83dddff5cb3349f654d
Smoke Loader
e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7
Smoke Loader
ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42
Smoke Loader
f69bdd82ca22268d090832707e37b1cae408ba96476843b55feedac11acc6277
Smoke Loader
+ 281 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor persistence trojan
Link:
https://tria.ge/reports/210311-et8kc7qfhn/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Enumerates connected drives
Deletes itself
Loads dropped DLL
Modifies Installed Components in the registry
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Unpacked files
SH256 hash:
dd27344f15277c37d0e13059b5050aa600393af329a4b90b257959d4130e9ff2
MD5 hash:
221ef3f90d75405fdf80addb109faa7f
SHA1 hash:
80f2eec32cd644640a53beddef77d23e4a1bd817
Link:
https://www.unpac.me/results/23fe5598-6b80-40be-8b21-9cff8e563e10/
SH256 hash:
4853dce1d9a8c51244022d226378df142740101b09fa321830628612d6e6f284
MD5 hash:
0b2a0cb07620ea21cb61d9a0ef9dba48
SHA1 hash:
2cb73fdd310fa8f7cde90cfce3074173686398f3
Link:
https://www.unpac.me/results/23fe5598-6b80-40be-8b21-9cff8e563e10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4853dce1d9a8c51244022d226378df142740101b09fa321830628612d6e6f284

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 4853dce1d9a8c51244022d226378df142740101b09fa321830628612d6e6f284

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1060305/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123670/

Comments