MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114
SHA3-384 hash: d42b0950708392f711598c59035d3a6eb5ae0a8c6b8427d1ff4c06a1c0e515a853bd3c22247101d31d57d4f1d0a00562
SHA1 hash: 33ecbb5082fc244ab7c5492b6ead04c4e6301b71
MD5 hash: a222db8f9ff0e29f79e58a118ce7c9ec
humanhash: lamp-batman-video-one
File name:5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:942'424 bytes
First seen:2020-09-25 10:34:11 UTC
Last seen:2020-09-25 11:41:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 99c0c4f0bd11259a8f42b56e2b2b5066 (1 x Smoke Loader)
ssdeep 3072:pO1LzxGZ9Vag6ujkyamUoo7Or0WpVyTXTDTVDhdmA:pO1LsAyjZamroJGyTXTDTVDiA
Threatray 140 similar samples on MalwareBazaar
TLSH A115781C76C1EE36E2F766709F4297A046AAFC855FDCEA57E458B33A10707A870C131A
Reporter JAMESWT_WT
Tags:BPIEHUCEMJDCAGIPYY invalid-signature Smoke Loader

Code Signing Certificate

Organisation:BPIEHUCEMJDCAGIPYY
Issuer:BPIEHUCEMJDCAGIPYY
Algorithm:sha1WithRSA
Valid from:Sep 22 07:43:03 2020 GMT
Valid to:Dec 31 23:59:59 2039 GMT
Serial number: -2362D74C5DBE167CB78D499EA5A61475
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 42ED7834B4B78BADBE2FBB4FBF0332B2DDA220D245DDF47182C7781C0BEE4199
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/65792/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.51941.14903.5731.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Deleting of the original file
Enabling autorun by creating a file
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/474999
Signature
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114/
Threat name:
Win32.Trojan.Zurgop
Create hunting rule
Status:
Malicious
First seen:
2020-09-24 09:00:02 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1765e5f0ee49b2b6cf4a7361bbaac484f15c6c1d003de02338fffdb615e831d8
Smoke Loader
7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91
Smoke Loader
89e0507c4dc79363bdfbdc93dcbaa19084553db2c7fe3a8f746ff973b155c62a
Smoke Loader
95a4cf409c7e7813bfa744598bee2e0e572b2d05ec31622867237ea6dab8a813
Smoke Loader
9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63
Smoke Loader
a0023ed551a57c336b69dcf494bbf83549ef8ce570fcb273333cf1abbc2863cc
Smoke Loader
d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740
Smoke Loader
e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7
Smoke Loader
f43fa7b7115450b5a3b8b97c6f578afe6c55692a06d1f872415d547c570da288
Smoke Loader
f91f135e5aecd2e2e8d81ac771475de147b858c1807bde08e47cdf68f545d8da
Smoke Loader
+ 130 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
trojan backdoor family:smokeloader
Link:
https://tria.ge/reports/200925-x6v8grkr32/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Deletes itself
Loads dropped DLL
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://xieliorn.com/
http://kavauelo.co/
http://piesislel.is/
http://danae.to/
http://3rdcamp.ga/
http://the3rd.ml/
Unpacked files
SH256 hash:
5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114
MD5 hash:
a222db8f9ff0e29f79e58a118ce7c9ec
SHA1 hash:
33ecbb5082fc244ab7c5492b6ead04c4e6301b71
Link:
https://www.unpac.me/results/b7601453-59bd-434a-a7ee-a85f51f52d5f/
SH256 hash:
d6ad1a0fd037e7287fa81ecd5775c35145db740e6fdf89d0ac33b2666820aa6b
MD5 hash:
e4e987207ad06472abaa6760a4c5953d
SHA1 hash:
90958747bb667871ed858992620ad9218ea45811
Link:
https://www.unpac.me/results/b7601453-59bd-434a-a7ee-a85f51f52d5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Smokeloader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/65792/
  
URLhaus
https://urlhaus.abuse.ch/url/605892/
  
Delivery method
Distributed via web download

Comments