MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95
SHA3-384 hash:	7fbbdd07e82474075ea348cdb585985910016488896c0d0140cf8c4d984de964d6d50c5bfc5ae16378c6d0bde2397dcb
SHA1 hash:	2f9cd18c2932edc158cd0e590de3048f68b123e2
MD5 hash:	2faf0358aaf0f2b2693eead6f16e0f85
humanhash:	football-seventeen-princess-edward
File name:	2faf0358aaf0f2b2693eead6f16e0f85.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	360'960 bytes
First seen:	2022-01-28 20:55:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1b6a0ed4ec9a2ac94164fc3cb0628915 (2 x Smoke Loader, 1 x ArkeiStealer)
ssdeep	6144:jD366fHkR/L8EW2CpXEkQ5ieu9/gFdGUEHyzTOMiIUH1oz13piPE:jmEgKXQie6oFdLLqMiIKoz10P
Threatray	24 similar samples on MalwareBazaar
TLSH	T138747D10BB90C439F5BB22F4467A93A8A53E7AE15B2450CF53D52AED5B356E0EC3130B
File icon (PE):
dhash icon	25ec137039939b91 (7 x Smoke Loader, 4 x RedLineStealer, 2 x Stop)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

381

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2faf0358aaf0f2b2693eead6f16e0f85.exe

Verdict:

Suspicious activity

Analysis date:

2022-01-28 23:38:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fe7b88d8-9843-41ba-8399-a0615bdfe9b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/225548/

Detection(s):

SecuriteInfo.com.Trojan.Gozi.850.24619.20440.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for the window

Creating a file

Launching a process

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5433/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61f45869c4bcf3287a6583e4/reports/957b8b9c-e825-449f-9c8d-0f2c6d88cf36/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ad725de5-053a-464f-8c61-86475e1b198f

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/929975

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95/

Threat name:

Win32.Backdoor.Mokes

Status:

Malicious

First seen:

2022-01-29 05:30:07 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lb45hgqlvoaaglv4oulsrybuz57mp6zqosijbno7rq3raabu56kq._file

Verdict:

malicious

Label(s):

raccoon

Smoke Loader

1a2bc82de6e0c26030a3600c836329329dbcf1d4d84e031a90dd7df5355ed612

Smoke Loader

3d6425cf292c5a78f2014754d8a3368a934110587077584bc54b54642609b1f0

Smoke Loader

3e939dbf512b6f20ccd2c7c4864728bb63e98cdaf6df45791cc9e1d1cc9ea814

Smoke Loader

7972504035b05ba390f0e4083ef1d4ee7725ad5c581ab6beb730425f4b6945ba

Smoke Loader

83d0e70a23c542850312be419a86d0a77390d766ce8b5dd21ab0620c1aec75d3

Smoke Loader

855f3c89419401c9596c74f4a05b3d7cf951c2038513b8b005bcdaf5abff06c4

Smoke Loader

b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f

Smoke Loader

d8079b19aa1f119485291950ae0580757618dd23c4d18eed64e06aa3a86c1751

Smoke Loader

+ 14 additional samples on MalwareBazaar

Gathering data

Unpacked files

SH256 hash:

196c516ea546fb935ac669681a74a4dc80da79d9088f464f6cc6f126ae934f4e

MD5 hash:

c36de8bc9668ec4eaafca4c349dca0d5

SHA1 hash:

ea2cadfada69b93ca3abeb8b2462c5c18891fabf

Link:

https://www.unpac.me/results/343e332b-d1d5-408a-af8b-b8b10dd05093/

Parent samples :

6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
8928eed86ea55a63e3646bf8ca403b4b1e57702f73c1ecc8fa403b5700a304ef
18ad362dcae8df5827846223c09ceba7766e09733b685d4067ee39037daec452
da39948d95cdbce6e1ca9e0fdbb77080164a379f593e530b5732d3fc38df7bf8
7c74a8c41e24f69015185f78b8fbc177edcbe9d27099e904497b2310999f74cb
92ebb6be19502fe2573a9eac183bcc657b88ac5b0344285d9db409b0a3d88dab
af6fa095b427a0e95dd826696c2b92b0123e688e3c95f6d27825cc2928085d1b
de8099732ee5b73f3fa6d032a74e8576d06663fc16b2c6da27a34444fdced1c8

SH256 hash:

5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95

MD5 hash:

2faf0358aaf0f2b2693eead6f16e0f85

SHA1 hash:

2f9cd18c2932edc158cd0e590de3048f68b123e2

Link:

https://www.unpac.me/results/343e332b-d1d5-408a-af8b-b8b10dd05093/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5879d39a0bab/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe 5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1970217/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1995766/

Cape

https://www.capesandbox.com/analysis/225548/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample