MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c9c10e2264bd23f780afd74492faebfab9fcdb4af9cf452b7f379e9250280cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c9c10e2264bd23f780afd74492faebfab9fcdb4af9cf452b7f379e9250280cb
SHA3-384 hash: acd9c0d31f385c807238923c00569dda0cdb63edbaed5db17a262d5392f254499c56b6280b17c8c477ceeae4dae3bc91
SHA1 hash: d7e9bccf850d95f5fc6f81e7ee7a26897c8b27cb
MD5 hash: e4e1a4cfe4a50a10546dfbabf1e91b60
humanhash: potato-mirror-table-red
File name:e4e1a4cfe4a50a10546dfbabf1e91b60.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:328'704 bytes
First seen:2021-10-27 12:26:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cd3349acab1a965fa4dc049104411ed3 (2 x Smoke Loader, 1 x AZORult)
ssdeep 6144:X/8DciAW53CwFgyJe7YxfZJLcigvxO7AD:UDsI3CwFgyJe7YxUhvM7A
Threatray 50 similar samples on MalwareBazaar
TLSH T157648D00BAA0C035F5F316FC4ABA9369B53E7AE05B6495CF62D516EA4734AE1EC31307
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200527/
Detection(s):
Win.Trojan.Generic-9904330-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6179459a9a5a1e91c5d72675/reports/d2ed4572-7a06-45a2-9791-9ab825ba093f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4c15182-fa47-449e-91f9-8cb124b5e45f
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877774
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 510206 Sample: 344bx4XUBN.exe Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Antivirus detection for URL or domain 2->57 59 6 other signatures 2->59 7 344bx4XUBN.exe 2->7         started        10 bwsjffh 2->10         started        12 BFA2.exe 2->12         started        process3 signatures4 75 Detected unpacking (changes PE section rights) 7->75 77 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->77 79 Maps a DLL or memory area into another process 7->79 81 Creates a thread in another existing process (thread injection) 7->81 14 explorer.exe 6 7->14 injected 83 Multi AV Scanner detection for dropped file 10->83 85 Machine Learning detection for dropped file 10->85 87 Checks if the current machine is a virtual machine (disk enumeration) 10->87 process5 dnsIp6 39 brandyjaggers.com 31.166.170.180, 49743, 49760, 80 MOBILY-ASEtihadEtisalatCompanyMobilySA Saudi Arabia 14->39 41 193.142.59.113, 49747, 49799, 80 HOSTSLICK-GERMANYNL Netherlands 14->41 43 5 other IPs or domains 14->43 27 C:\Users\user\AppData\Roaming\bwsjffh, PE32 14->27 dropped 29 C:\Users\user\AppData\Local\Temp\BFA2.exe, PE32 14->29 dropped 31 C:\Users\user\AppData\Local\Temp\6D02.exe, PE32 14->31 dropped 33 2 other malicious files 14->33 dropped 45 System process connects to network (likely due to code injection or exploit) 14->45 47 Benign windows process drops PE files 14->47 49 Deletes itself after installation 14->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->51 19 6D02.exe 5 14->19         started        23 BFA2.exe 14->23         started        25 4DBD.exe 2 14->25         started        file7 signatures8 process9 dnsIp10 35 193.150.103.37, 29118, 49807 ASGENERALTELRU Russian Federation 19->35 61 Detected unpacking (changes PE section rights) 19->61 63 Detected unpacking (overwrites its own PE header) 19->63 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->65 73 2 other signatures 19->73 67 Machine Learning detection for dropped file 23->67 69 Contains functionality to infect the boot sector 23->69 37 185.215.113.29, 36224, 49850 WHOLESALECONNECTIONSNL Portugal 25->37 71 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 25->71 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c9c10e2264bd23f780afd74492faebfab9fcdb4af9cf452b7f379e9250280cb/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 12:27:06 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
06d07f69cdae6332477465591c3d1a7ea1e694660339e1afe08796f10c999a93
Smoke Loader
2e62d5a69b040da0be1643cc10f486006959684873042ae059143736a2736d2b
Smoke Loader
305ebe159194fb04b8277b88250e2c184637d3130b1afa1d48fa6917c4f965ff
Smoke Loader
6f279d711337e4691a39d38937f64047e8d07215f4216f195517772ff6a4706f
Smoke Loader
b8e05ba065604fb4b63186a56a3da30bccd7c0555b042fff1a1c64ad43391ad0
Smoke Loader
be24b30c4cb19b197fb44ea2883dfc535e9b76124bc3c64be34e2817feb7234e
Smoke Loader
c45f83e94f84a46b3188d8415ce92c872fed63b2fc903a9530bfc82b15651760
Smoke Loader
+ 40 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/211027-pmrgnaega8/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
Unpacked files
SH256 hash:
f9b4b2e506fe88e1cd921a71c130a7e097bfb2dd1cfcec768b375c70ee6b800c
MD5 hash:
986d781d5e3181045ce6586b2b0af221
SHA1 hash:
8e21f86221892e43c95adfe05f385135fbf6886f
Link:
https://www.unpac.me/results/4f4f50f2-0623-4b98-9c04-d1d324daaaf4/
SH256 hash:
5c9c10e2264bd23f780afd74492faebfab9fcdb4af9cf452b7f379e9250280cb
MD5 hash:
e4e1a4cfe4a50a10546dfbabf1e91b60
SHA1 hash:
d7e9bccf850d95f5fc6f81e7ee7a26897c8b27cb
Link:
https://www.unpac.me/results/4f4f50f2-0623-4b98-9c04-d1d324daaaf4/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5c9c10e2264b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c9c10e2264bd23f780afd74492faebfab9fcdb4af9cf452b7f379e9250280cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 5c9c10e2264bd23f780afd74492faebfab9fcdb4af9cf452b7f379e9250280cb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1717813/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/200527/

Comments