MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1
SHA3-384 hash: e64bf62143655c49519a810968001cc5555b859c97c69591815db40cd498b16f86969b6afd99b1fc973d5ef748f88e02
SHA1 hash: 43038612eac6fb480d852dd4d59292ac87602bd7
MD5 hash: 5fc7575d913c3b93259f731afb332b99
humanhash: minnesota-oranges-mexico-lion
File name:5fc7575d913c3b93259f731afb332b99.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:269'824 bytes
First seen:2023-11-10 06:59:12 UTC
Last seen:2023-11-10 08:22:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2c78f70fdf666880d3362a6470ad28e (2 x Smoke Loader, 1 x Heodo, 1 x MarsStealer)
ssdeep 3072:x3UctFg04vUIT5o7UoOGhVaohKOXpagaHEolvNEMbQvQOz1:xUeg04vUU5XoOIVaowMaHEolVMf
Threatray 300 similar samples on MalwareBazaar
TLSH T128445B1352917861EF6306318E2AF2E82E1EBD604F5967BA1E645D2FC9709F1F27230D
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0001043020200000 (1 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
290
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
5fc7575d913c3b93259f731afb332b99.exe
Verdict:
Malicious activity
Analysis date:
2023-11-10 06:59:47 UTC
Tags:
loader smoke
Link:
https://app.any.run/tasks/30a0a74d-005c-4eb0-8104-cc73e30dfe1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.28700.7272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin packed shell32
Link:
https://www.filescan.io/uploads/654dd4f80adeb03433537c73/reports/102fcaf8-c076-46c5-beda-acfc67f766d4/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ab0bc27-4a99-4aab-b819-276e41be406c
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1340313
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1340313 Sample: 3RlxfJ85zX.exe Startdate: 10/11/2023 Architecture: WINDOWS Score: 100 28 mosamamashhad.com 2->28 30 dpav.cc 2->30 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 5 other signatures 2->46 8 3RlxfJ85zX.exe 2->8         started        11 rgsirfb 2->11         started        signatures3 process4 signatures5 52 Detected unpacking (changes PE section rights) 8->52 54 Maps a DLL or memory area into another process 8->54 56 Checks if the current machine is a virtual machine (disk enumeration) 8->56 58 Creates a thread in another existing process (thread injection) 8->58 13 explorer.exe 7 5 8->13 injected 60 Multi AV Scanner detection for dropped file 11->60 62 Found evasive API chain (may stop execution after checking system information) 11->62 64 Machine Learning detection for dropped file 11->64 66 2 other signatures 11->66 process6 dnsIp7 34 dpav.cc 189.245.56.15, 49734, 49735, 49736 UninetSAdeCVMX Mexico 13->34 36 175.126.109.15 SKB-ASSKBroadbandCoLtdKR Korea Republic of 13->36 38 mosamamashhad.com 31.25.90.165, 443, 49753 PARVAZ-SYSTEMIR Iran (ISLAMIC Republic Of) 13->38 22 C:\Users\user\AppData\Roaming\rgsirfb, PE32 13->22 dropped 24 C:\Users\user\AppData\Local\Temp\1415.exe, PE32 13->24 dropped 26 C:\Users\user\...\rgsirfb:Zone.Identifier, ASCII 13->26 dropped 68 System process connects to network (likely due to code injection or exploit) 13->68 70 Benign windows process drops PE files 13->70 72 Deletes itself after installation 13->72 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->74 18 1415.exe 13->18         started        file8 signatures9 process10 dnsIp11 32 95.216.26.247, 443, 49756, 49757 HETZNER-ASDE Germany 18->32 48 Multi AV Scanner detection for dropped file 18->48 50 Machine Learning detection for dropped file 18->50 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-10 06:32:22 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=logdcdpncska23myxkorvjnmm6z4ghzp4xcdxut25gporsvrcxyq._file
Verdict:
malicious
Similar samples:
0004d851f92bfea425f064b898e7668d84a26e12954785ce0ec3b62ff2e34d46
Smoke Loader
0ef76ecabac1c81d4e2ed32c6fd30d846214f385a51523b4b78f105d9eb406a3
Smoke Loader
247eb6cc11d0a92ac985fb99c19dcfe4779878f4989764b8ced06727820ff57c
Smoke Loader
3b73c4da6f2bda6ebc26552afccbfd8c097a5a3195fd2593840d9ea7712b7120
Smoke Loader
5c88a340b3b0502c9777fe6159f01d66875341dc739e23a56a21ee18479890f2
Smoke Loader
6a302e65ae3cd7ceb6a94b2753f1a3223b189355eecbe443b0fd45722a495f48
Smoke Loader
a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271
Smoke Loader
e629fcf41de2187cafd4c8c38b1e9408a5c521d29459971bb96fae5da26fa9d5
Smoke Loader
ecacf78ad957224fcc0afbd65118f2b5e8e2eda5daef0e072eef35e5f12a43b3
Smoke Loader
+ 290 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub1 backdoor trojan
Link:
https://tria.ge/reports/231110-hsmx4aef99/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Deletes itself
Executes dropped EXE
Downloads MZ/PE file
SmokeLoader
Malware Config
C2 Extraction:
http://dpav.cc/tmp/
http://lrproduct.ru/tmp/
http://kggcp.com/tmp/
http://talesofpirates.net/tmp/
http://pirateking.online/tmp/
http://piratia.pw/tmp/
http://go-piratia.ru/tmp/
Unpacked files
SH256 hash:
dfce14ca9fa6c76df25ff3d3ff18ba943031d07a5cae3f0bad422e2b5e7eb559
MD5 hash:
37875cacee117b15e05b3f1c808592ac
SHA1 hash:
6a7882ca410e781262af685cf395bd2458c35a3b
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/ede0fc7e-4fde-457f-a5ec-5d9f9cef43aa/
Parent samples :
b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd
07850ea1732b07aae1b520bc4e07f939a29ea8f842993a5849965d71aec14cb1
8ce95aee92cffc56420902fa657bc82a44574450ada63eb864d11e404a59a078
73639e5216b7fb5c0550f69d63bcbb3e568fd912f9288216795eb965b1b2b6fe
5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1
fc447974118abe161835c31fd3b0305a84b9ba374f47a4295b435a85cc756f57
98368ebea0db4a1ef1ef8ae8b9cdc862c8dc5bb00bfb570f83a50794ce6ad816
90575d53104fa810c6896f874e421e905c3687ff1767574842d10cc143237762
e669dd52d97cc96b42efb1661dfeb898b6277a0484d25b8e86b492acf41c8f7d
1729faf82ded430ab520c6ebd82743abb231222a867329f5b15c2d01b7578016
f8619a870e7c7ef001512d9b2d5caf3b40a4855c5c72ec9a8fe7d4ee44a93b3a
1b8943b2ccea3ee9e464b5865711db721bae33ca0364630dfa6f75eb7f2c8a47
SH256 hash:
5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1
MD5 hash:
5fc7575d913c3b93259f731afb332b99
SHA1 hash:
43038612eac6fb480d852dd4d59292ac87602bd7
Link:
https://www.unpac.me/results/ede0fc7e-4fde-457f-a5ec-5d9f9cef43aa/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b8c310ded14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 5b8c310ded14940d6d98ba9d1aa5ac67b3c31f2fe5c43bd27ae99ee8cab115f1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2712491/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2712462/

Comments