MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f86f65a5437398451da41f7fb8a99dc4b11b39899a3cb73198b814cf7e15101. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	4f86f65a5437398451da41f7fb8a99dc4b11b39899a3cb73198b814cf7e15101
SHA3-384 hash:	9eddb23a06b436edd66c8b6c9fdc0ed323ff860241ea4bfbb13ac108d0403afa47b25fde5275105bfa2acfe586a90c30
SHA1 hash:	f441a46bf156bdb2b3b3be36ac828a49ee82ac64
MD5 hash:	13bb70f2a7ab61da2e0a20297a70a8a5
humanhash:	robin-arkansas-whiskey-bluebird
File name:	13bb70f2a7ab61da2e0a20297a70a8a5.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	287'232 bytes
First seen:	2020-11-11 15:50:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c25051ab6f9bde4873ea577d64187971 (8 x Smoke Loader)
ssdeep	3072:4KKmhTIL8y3ju/5hsEA5pZd9BuJ0LjTT2V7PTiCN04uOU:4BWcL8yi/5hHSf9QJ0LjT6Niw0c
Threatray	126 similar samples on MalwareBazaar
TLSH	0C54AE2176A0C0F2C6A219344864D2905EFAB8315B748AC7775827EA1FF33E16A7DF17
Reporter	abuse_ch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Glupteba-9791256-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Deleting of the original file

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/531617

Signature

Benign windows process drops PE files

Binary contains a suspicious time stamp

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Renames NTDLL to bypass HIPS

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f86f65a5437398451da41f7fb8a99dc4b11b39899a3cb73198b814cf7e15101/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-11-12 00:03:27 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j6dpmwsug44yiuo2ih37xcuz3rfrdm4ytgr4w4yzroauz57bkeaq._file

Verdict:

suspicious

Smoke Loader

2c10f6776795d59fe038ed6b7ff9e2d1a710a027a35845e34e4cd5fef17892f8

Smoke Loader

2e8088a31e158e71911322a9fda5eaf609616e574d76932f849cc55f2c184211

Smoke Loader

51b64f2828c607dc4ef107428363fe9ad51e09c10e5778537bcf1ffc4c380a23

Smoke Loader

5e893a569533f7464e35b23fd00eefce1fc9af2512d918b73a493ec99b5e31c8

Smoke Loader

76fe343785baa82890e56eafb11c61b0422e7a7820601d3795fd87ec972fba52

Smoke Loader

810054919862bbf27f86e170be95aa80bc516a99704fc46103f24905a8099401

Smoke Loader

860ce43cef0bbd5b0447f02c55a6c0827aa09e3b7d537b1167bd67047980ab93

Smoke Loader

ab3cdb12407fd462c852a5d4565dfde55ff3baaf019f99125970d4355c238a09

Smoke Loader

efa0b8e5a18bc36c173b2b891b7df7dc3b5419c115adb3952c951219a282d25d

Smoke Loader

+ 116 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/201111-ea9wm45x5n/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Deletes itself

Loads dropped DLL

Executes dropped EXE

SmokeLoader

Malware Config

C2 Extraction:

http://smk10ddde.com/

Unpacked files

SH256 hash:

4f86f65a5437398451da41f7fb8a99dc4b11b39899a3cb73198b814cf7e15101

MD5 hash:

13bb70f2a7ab61da2e0a20297a70a8a5

SHA1 hash:

f441a46bf156bdb2b3b3be36ac828a49ee82ac64

Link:

https://www.unpac.me/results/53c78ada-946d-4ceb-8ce3-7fe75f564b2f/

SH256 hash:

640326eaa9b6d1eebecf4925208ea87f31574b530e81b25575a5ab28f23ba90d

MD5 hash:

701f9a4e569369f69ec1c8d2114f5c09

SHA1 hash:

1964037544e248c943177d19b105e3e5594ca53f

Link:

https://www.unpac.me/results/53c78ada-946d-4ceb-8ce3-7fe75f564b2f/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.