MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e
SHA3-384 hash: 9f436e32db3045e0ded38b9445a3b5569af1675d3e7fc53a5cb4a84a2db4f92b7f0875398f8abd089943d97523ea56d4
SHA1 hash: c813eb5ccdd873621bd900490d0f6bc0e8485ed3
MD5 hash: 8dbea7473c7986c5ac058b656a850195
humanhash: video-three-winner-bulldog
File name:8dbea7473c7986c5ac058b656a850195.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:76'288 bytes
First seen:2022-03-11 19:32:08 UTC
Last seen:2022-03-11 21:46:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 384:RUb7I+sfX9daWtn2MY1o3+HOS0q9Q15bYRvlDqVUPqCh45b0ZSV4nhCxYPLg8BCR:u/RsfXGy2zyOr9RUagp0oKMEBW
Threatray 4'620 similar samples on MalwareBazaar
TLSH T12F73AAF09FF8B8A0E1142073B9A5B13C37D79D4DDC519536E65BF24A3462AC260E6E0B
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249685/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.48569814.27709.22863.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/622ba3f20cd58dbd928069fd/reports/ed07a756-ef0e-4982-b1a9-fa97a1d1acba/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/292375e9-d4db-40ff-b076-6c486c98ba2b
Result
Threat name:
SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955213
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected MSILDownloaderGeneric
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 587700 Sample: Lkkpl3RVmQ.exe Startdate: 11/03/2022 Architecture: WINDOWS Score: 100 43 188.114.97.7, 443, 49801 CLOUDFLARENETUS European Union 2->43 45 tiny.one 2->45 47 cdn.discordapp.com 2->47 63 Multi AV Scanner detection for domain / URL 2->63 65 Antivirus detection for URL or domain 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 10 other signatures 2->69 9 Lkkpl3RVmQ.exe 16 8 2->9         started        signatures3 process4 dnsIp5 59 cdn.discordapp.com 162.159.135.233, 443, 49777 CLOUDFLARENETUS United States 9->59 61 tiny.one 188.114.96.7, 443, 49776, 49797 CLOUDFLARENETUS European Union 9->61 33 C:\Users\user\AppData\...\Vsrlesay.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\...\Hsdvlkczfkpdr.exe, PE32 9->35 dropped 37 C:\Users\...\Vsrlesay.exe:Zone.Identifier, ASCII 9->37 dropped 39 C:\Users\user\AppData\...\Lkkpl3RVmQ.exe.log, ASCII 9->39 dropped 73 Detected unpacking (creates a PE file in dynamic memory) 9->73 75 Found evasive API chain (may stop execution after checking mutex) 9->75 77 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 9->77 79 4 other signatures 9->79 14 Hsdvlkczfkpdr.exe 9->14         started        17 Lkkpl3RVmQ.exe 79 9->17         started        file6 signatures7 process8 dnsIp9 81 Antivirus detection for dropped file 14->81 83 Multi AV Scanner detection for dropped file 14->83 85 Machine Learning detection for dropped file 14->85 91 3 other signatures 14->91 21 explorer.exe 14->21 injected 41 5.45.84.214, 49795, 49796, 80 SCALAXY-ASNL Russian Federation 17->41 29 C:\Users\user\AppData\Local\Temp\nes1.exe, PE32 17->29 dropped 31 C:\Users\user\AppData\Local\...\nes1[1].exe, PE32 17->31 dropped 87 Tries to harvest and steal browser information (history, passwords, etc) 17->87 89 Tries to steal Crypto Currency Wallets 17->89 file10 signatures11 process12 process13 23 Vsrlesay.exe 14 2 21->23         started        27 Vsrlesay.exe 2 21->27         started        dnsIp14 49 162.159.133.233, 443, 49798, 49802 CLOUDFLARENETUS United States 23->49 51 tiny.one 23->51 53 cdn.discordapp.com 23->53 71 Machine Learning detection for dropped file 23->71 55 tiny.one 27->55 57 cdn.discordapp.com 27->57 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-11 19:33:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a2bc82de6e0c26030a3600c836329329dbcf1d4d84e031a90dd7df5355ed612
Smoke Loader
4c6c6d26b853d44fc189e67eaa4f65e440d6ee75ac8a5bde95ccc73b0b611c2a
Smoke Loader
6934497e39a6dd42ceda1d21255b717ee3b1639820406cfa6c62cf3c9182d271
Smoke Loader
700a6ba703505b60689b1e935be88efc68ec5a00cddfa9044f571c9c7285d2c2
Smoke Loader
8cb84526f67ca8bb0454e0cbdd81d265a70fc90edbcf97aec591d9e340dca013
Smoke Loader
b097632bd99f8ed079b4c9a709b00b67048950a1bee7f39434f4d52d2b8f9131
Smoke Loader
b0bf885d8534981dd430ff106215c5910917262fbc42b339d5f5b58d3f1af819
Smoke Loader
b78d1a08d070c59c01a026f22639c157f41074a14f572e32298cf8a4b9cb3505
Smoke Loader
c35f5536d8732a6b5a06362d550ddfee4e79a778e63317a09179e4e5704b37ab
Smoke Loader
e59fbf01fe2ade6245736ab14a9ab1b29cf8f543b17da61ab3b0184724831614
Smoke Loader
+ 4'610 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:smokeloader botnet:default backdoor persistence stealer trojan
Link:
https://tria.ge/reports/220311-x9hr2aahh5/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Arkei
SmokeLoader
Malware Config
C2 Extraction:
http://5.45.84.214/eglkAa6HG1.php
http://
http://techtest001.zzz.com.ua/
http://theunderconstruction.site/
http://buildersgate.tech/
Unpacked files
SH256 hash:
6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e
MD5 hash:
8dbea7473c7986c5ac058b656a850195
SHA1 hash:
c813eb5ccdd873621bd900490d0f6bc0e8485ed3
Link:
https://www.unpac.me/results/17c33616-e0ff-44b1-a701-801fe6942d20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1828281/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/249685/

Comments