MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7
SHA3-384 hash: 01970d76311e3440d1987acd916e4066281d5e0bb417806d9a19c6ddea9e498bcb23260926067b7d9f09d11796cdabc9
SHA1 hash: 1b42eee9f4534c37e7f674ed0825dcfceca48a66
MD5 hash: 4a6c5ebd678fce81e4bceea1fac6a476
humanhash: fifteen-hawaii-butter-mango
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:208'896 bytes
First seen:2024-01-15 10:27:58 UTC
Last seen:2024-01-15 12:50:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6622222a6fbc2c3f83cd5cfc7415ce83 (2 x Tofsee, 2 x Smoke Loader)
ssdeep 3072:6mfHB/kLaZdXUNc8iirJiM21K7uthv1ejSbxJ1zRlH91SNBN7RDxaIp+cmH:6mfHiclVPv1wSbx/zRldIxQco
Threatray 2'153 similar samples on MalwareBazaar
TLSH T192147C1536F1C076F6B3697549B0C7B41E7BB8636A3A95CF2AC406791F266E1CE2030B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1e65656565a5c55a (1 x RedLineStealer, 1 x Smoke Loader)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from http://galandskiyher5.com/downloads/t100.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
US US
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7.exe
Verdict:
Malicious activity
Analysis date:
2024-01-15 10:29:46 UTC
Tags:
loader smoke smokeloader
Link:
https://app.any.run/tasks/f76b2859-1e00-48fa-930a-a44f9fa61966

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470900/
Detection(s):
SecuriteInfo.com.Trojan.Siggen23.56162.20248.21951.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed smokeloader
Link:
https://www.filescan.io/uploads/65a508b299da41ccd7d42d39/reports/09aa8669-29b8-4c58-8367-9e25b5f2ec21/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e216157f-5344-4b53-a1c0-78e9b38247fa
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1374698
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1374698 Sample: file.exe Startdate: 15/01/2024 Architecture: WINDOWS Score: 100 23 host-host-file8.com 2->23 25 host-file-host6.com 2->25 39 Snort IDS alert for network traffic 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 6 other signatures 2->45 7 file.exe 2->7         started        10 dwrhtrw 2->10         started        12 dwrhtrw 2->12         started        signatures3 process4 signatures5 47 Detected unpacking (changes PE section rights) 7->47 49 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->49 51 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->51 14 explorer.exe 7 3 7->14 injected 53 Multi AV Scanner detection for dropped file 10->53 55 Machine Learning detection for dropped file 10->55 57 Maps a DLL or memory area into another process 10->57 59 Checks if the current machine is a virtual machine (disk enumeration) 12->59 61 Creates a thread in another existing process (thread injection) 12->61 process6 dnsIp7 27 host-host-file8.com 193.106.175.43, 49736, 49739, 49741 IQHOSTRU Russian Federation 14->27 29 host-file-host6.com 104.21.30.102, 49735, 49738, 49740 CLOUDFLARENETUS United States 14->29 19 C:\Users\user\AppData\Roaming\dwrhtrw, PE32 14->19 dropped 21 C:\Users\user\...\dwrhtrw:Zone.Identifier, ASCII 14->21 dropped 31 System process connects to network (likely due to code injection or exploit) 14->31 33 Benign windows process drops PE files 14->33 35 Deletes itself after installation 14->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 file8 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2024-01-15 10:28:07 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kryws7zvub5j7vug3boshapjyxm4r2ugg5l6jzfjipxrnb3vutdq._file
Verdict:
malicious
Similar samples:
20ea338af45c4221e0ac33de59e84a3cf0d0eed2f609fbad4d3227f5131de0e2
Smoke Loader
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc
Smoke Loader
7b101e4c3f86d6b121d25c79d718af9b24ad1ba2bbf9ad83dc285b8ba2e4756a
Smoke Loader
8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
Smoke Loader
94f90d551dfd3fc18c3fc5dd7c4b279b2ebc71bbb2df9619731fc1a796c8173a
Smoke Loader
a94c46db65430f4dfd0f41a6c054733038c26b11b584f8bb622d9553df129d2b
Smoke Loader
b64ff9e441be1386300550bfd3f41bae61bebee22c9f858cedcb57d3e143f98a
Smoke Loader
d2036d42cccce6d4084ced4236845ea621d3adf56d47073ec277947408651a95
Smoke Loader
db824ef491d8eb1db6d550b0da1b9d2e6a8b9b7a050f99e9509eb0b522d44b1d
Smoke Loader
f99b65078effe6fb98073119b14ed9e086d8549164a1b5550ddeaeb3cce89354
Smoke Loader
+ 2'143 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:betabot family:smokeloader botnet:t100 backdoor botnet evasion persistence trojan
Link:
https://tria.ge/reports/240115-mhmxkaeagq/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
NTFS ADS
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks for any installed AV software in registry
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Disables taskbar notifications via registry modification
Disables use of System Restore points
Sets file execution options in registry
Sets service image path in registry
BetaBot
Modifies firewall policy service
Modifies security service
SmokeLoader
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
24169b85f1c66dbcc0ba20996957e77cebecffa1653d959dd4d4fb234fe13d8d
MD5 hash:
7a8cc1709a99a031af6d5f4ba70719e9
SHA1 hash:
46ee7730f42b28a531c0e11c9cf255dc53cc5b96
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/7a840040-a25f-46f5-8ea4-b1e50decaa15/
SH256 hash:
5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7
MD5 hash:
4a6c5ebd678fce81e4bceea1fac6a476
SHA1 hash:
1b42eee9f4534c37e7f674ed0825dcfceca48a66
Link:
https://www.unpac.me/results/7a840040-a25f-46f5-8ea4-b1e50decaa15/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5471697f35a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2748851/
Cape
Cape
https://www.capesandbox.com/analysis/470900/

Comments