MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b98b7da597d657786603a67e464e61dd3efc300b61689389cdbb26a92adc760. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b98b7da597d657786603a67e464e61dd3efc300b61689389cdbb26a92adc760
SHA3-384 hash: 0d310e688adee33178363f29df4b7a6492dc47d349fe41854c02d61ea3c981816b48d2bfdfc860fd3e1cf6699e37ccd3
SHA1 hash: 78b428413cc151d2939935215df483afa698ead8
MD5 hash: 9f1213a3a1c4ec123564893081bc3d14
humanhash: neptune-saturn-video-april
File name:9f1213a3a1c4ec123564893081bc3d14.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:277'504 bytes
First seen:2022-02-08 01:42:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 059e939bc149cd78a08e6bfa706a4e4a (2 x RedLineStealer, 1 x ArkeiStealer, 1 x Loki)
ssdeep 6144:SyZ6XNz5aJypgUIW0TyTvtwzfGhhv7fy7VUVV5DCuYQDG3p:SNz5felWgyTvOGhhvm7VXQC3
Threatray 16'283 similar samples on MalwareBazaar
TLSH T133448D00BB90C035F1F756F8497AD3ACA92E7AB15B24A4CF63D51AEA16356E1EC31307
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/237370/
Detection(s):
Win.Packed.Filerepmalware-9938531-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching a process
Creating a file
Running batch commands
Creating a process from a recently created file
Creating a process with a hidden window
Query of malicious DNS domain
Forced shutdown of a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6303/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult greyware mokes packed smokeloader
Link:
https://www.filescan.io/uploads/6201caaa4077c8b9a01e91b9/reports/df186a8f-8473-4450-a425-72e965789a38/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf95d008-0282-427c-b238-973ccd9c2bb9
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935759
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 568236 Sample: z6pcaecTMM.exe Startdate: 08/02/2022 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 4 other signatures 2->36 7 z6pcaecTMM.exe 2->7         started        10 cieffih 2->10         started        process3 signatures4 46 Contains functionality to inject code into remote processes 7->46 48 Injects a PE file into a foreign processes 7->48 12 z6pcaecTMM.exe 7->12         started        50 Multi AV Scanner detection for dropped file 10->50 52 Machine Learning detection for dropped file 10->52 15 cieffih 10->15         started        process5 signatures6 54 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->54 56 Maps a DLL or memory area into another process 12->56 58 Checks if the current machine is a virtual machine (disk enumeration) 12->58 17 explorer.exe 2 12->17 injected 60 Creates a thread in another existing process (thread injection) 15->60 process7 dnsIp8 26 file-coin-host-12.com 194.87.94.25, 49749, 80 MTW-ASRU Russian Federation 17->26 28 host-data-coin-11.com 17->28 22 C:\Users\user\AppData\Roaming\cieffih, PE32 17->22 dropped 24 C:\Users\user\...\cieffih:Zone.Identifier, ASCII 17->24 dropped 38 System process connects to network (likely due to code injection or exploit) 17->38 40 Benign windows process drops PE files 17->40 42 Deletes itself after installation 17->42 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->44 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b98b7da597d657786603a67e464e61dd3efc300b61689389cdbb26a92adc760/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-02-07 08:03:54 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
31 of 43 (72.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lomlpwszpvsxpbtahjt6izhgdxj67qyawylisoe43ozgvevny5qa._file
Verdict:
malicious
Similar samples:
4fb9f08b1053d49ff58f30aa0016beefcd85041435ba9bb4b0402d99feb6df5e
Smoke Loader
556274658598eef16051157d298e3a1062d46ebee23bf491268a68c3a8996be5
Smoke Loader
56288aa7af61d7110f116681c6785f3ac6ffc269bd7a6a5051040b803c4dbea4
Smoke Loader
5c5d9711ea8ddb520646c0ac33e540c3860b795914749ee377040d8626ecc93b
Smoke Loader
6a3d626d0ab359b8e7a3d3ea8551f3e948c26f74465c65e1f02f6aa76163fa2b
Smoke Loader
8bb345912903d2f964cf381e57b5aa02e86a9236f0c365b41920069f80fa8bac
Smoke Loader
8fcfdca4fec3425766fc7a684dbfbb471766633a288d5d449ebe4c0e0bc0431f
Smoke Loader
b4564966c74ea17badd252d6c1b3a052f869e69d0c7cbbcb776af245135e9917
Smoke Loader
b86da55b00429d3a757c64bc0489af5d2641bfa7aab9910eddec173af09c55b4
Smoke Loader
cd91470ac009105cbf0026c1b942b5e554024b2af93035ea80b71cc00c23022a
Smoke Loader
+ 16'273 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220208-b49gxabgg2/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/1ae6672f-481a-4132-b4c7-1a8c3a6c3481/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
5b98b7da597d657786603a67e464e61dd3efc300b61689389cdbb26a92adc760
MD5 hash:
9f1213a3a1c4ec123564893081bc3d14
SHA1 hash:
78b428413cc151d2939935215df483afa698ead8
Link:
https://www.unpac.me/results/1ae6672f-481a-4132-b4c7-1a8c3a6c3481/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 5b98b7da597d657786603a67e464e61dd3efc300b61689389cdbb26a92adc760

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/237370/
  
URLhaus
https://urlhaus.abuse.ch/url/2020720/
  
Delivery method
Distributed via web download

Comments