MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 65af1ef671dafde80bef708f3001a4d94eeb54fb9193d409002d4bae52fbd99c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Smoke Loader
Vendor detections: 9
| SHA256 hash: | 65af1ef671dafde80bef708f3001a4d94eeb54fb9193d409002d4bae52fbd99c |
|---|---|
| SHA3-384 hash: | 494e78770386a4659acda1748552bcbe14e4ce3ab43bf8731c2ad4bb130f8a2c94c19aec1ee9f43d0d14949faf390cf2 |
| SHA1 hash: | c806dcd9c2882cb340c977a67a4ce85ec567c084 |
| MD5 hash: | 04290323e3dae758ad39580ec1e4e402 |
| humanhash: | nineteen-grey-stream-ceiling |
| File name: | 0umvx.exe |
| Download: | download sample |
| Signature | Smoke Loader |
| File size: | 165'888 bytes |
| First seen: | 2021-03-16 03:02:50 UTC |
| Last seen: | 2021-03-16 04:51:51 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 0db5122541c535013699ed54854d9680 (1 x Smoke Loader, 1 x Gozi, 1 x RaccoonStealer) |
| ssdeep | 3072:cAEdyqWRYzX4vn+aFOWTdWGxisHWK5Xzqp:p4+RYzIZOCRxisH5zW |
| Threatray | 1'068 similar samples on MalwareBazaar |
| TLSH | B4F38C1076E0C473E056157188A6C2B50A3AFCB64F2566C77BD47BBE5E312E28A3634F |
| Reporter |  nao_sec |
| Tags: | Dofoil RigEK Smoke Loader SmokeLoader |
Intelligence
File Origin
# of uploads :
2
# of downloads :
575
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://ankltrafficexit.xyz/trafficexit
Verdict:
Malicious activity
Analysis date:
2021-03-16 00:34:11 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Creating a file in the %temp% directory
Connection attempt to an infection source
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Result
Threat name:
SmokeLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Renames NTDLL to bypass HIPS
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Threat name:
Win32.Backdoor.Mokes
Status:
Malicious
First seen:
2021-03-16 03:03:04 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
5/5
Verdict:
malicious
Similar samples:
+ 1'058 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Score:
10/10
Tags:
family:smokeloader backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Deletes itself
Loads dropped DLL
SmokeLoader
Malware Config
C2 Extraction:
http://etasuklavish.today/
http://mragyzmachnobesdi.today/
http://kimchinikuzims.today/
http://slacvostinrius.today/
http://straponuliusyn.today/
http://grammmdinss.today/
http://viprasputinsd.chimkent.su/
http://lupadypa.dagestan.su/
http://stoknolimchin.exnet.su/
http://musaroprovadnikov.live/
http://teemforyourexprensiti.life/
http://stolkgolmishutich.termez.su/
http://roompampamgandish.wtf/
http://mragyzmachnobesdi.today/
http://kimchinikuzims.today/
http://slacvostinrius.today/
http://straponuliusyn.today/
http://grammmdinss.today/
http://viprasputinsd.chimkent.su/
http://lupadypa.dagestan.su/
http://stoknolimchin.exnet.su/
http://musaroprovadnikov.live/
http://teemforyourexprensiti.life/
http://stolkgolmishutich.termez.su/
http://roompampamgandish.wtf/
Unpacked files
SH256 hash:
87a3c4342a6402d61c4ce13d684a34962b4d2a5b71d698fb0b653265279a14b5
MD5 hash:
ff5ddabdd6a1ba4730b4864ecab29230
SHA1 hash:
66477e07c00471c89414b2906bb95f28a8db613a
SH256 hash:
65af1ef671dafde80bef708f3001a4d94eeb54fb9193d409002d4bae52fbd99c
MD5 hash:
04290323e3dae758ad39580ec1e4e402
SHA1 hash:
c806dcd9c2882cb340c977a67a4ce85ec567c084
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Distributed via drive-by
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.