MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6da12ce420e0084c786133bd80a12518e407c6c01410889829a51014e59e022c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6da12ce420e0084c786133bd80a12518e407c6c01410889829a51014e59e022c
SHA3-384 hash: 94463cf5f530759c81c27c323852243995eb5fd575c2301d48d43b60250ec39c1d1c4b81f34c22e1b64f43dcab5d760f
SHA1 hash: 296c83970fa88b1a576f9264b8d75146773c4235
MD5 hash: 7bbfd2cb82e23b92857400facb2bdc09
humanhash: magnesium-minnesota-washington-texas
File name:JonnyBoi_Loader.ps1
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:461 bytes
First seen:2022-09-06 16:27:31 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:s8AdjL+yT27L87HGrdvhIW+4PHF7vQnD5j+CrBicIM+yn:WvT27LmGrdB+4PHF7vmD4GB5/n
Threatray 3'499 similar samples on MalwareBazaar
TLSH T1A5F0DC138CD15120C218C69FF45EC30B44E2ED08F8DAB0D0F8E08807EC02009A9B9C10
Reporter Anonymous
Tags:ps1 Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.16025.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63177533b00f73916cbfd121/reports/893947b1-dcc1-4b74-9187-3b10089b6690/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065833
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Powershell drops PE file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 698359 Sample: JonnyBoi_Loader.ps1 Startdate: 06/09/2022 Architecture: WINDOWS Score: 100 62 ojinsei.com 2->62 64 t.me 2->64 84 Snort IDS alert for network traffic 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for URL or domain 2->88 90 6 other signatures 2->90 10 powershell.exe 14 22 2->10         started        15 uurbwcd 2->15         started        signatures3 process4 dnsIp5 72 85.192.63.184, 49749, 80 LINEGROUP-ASRU Russian Federation 10->72 74 192.168.2.1 unknown unknown 10->74 60 C:\s.exe, PE32 10->60 dropped 98 Powershell drops PE file 10->98 17 s.exe 10->17         started        20 powershell.exe 6 10->20         started        22 conhost.exe 10->22         started        100 Machine Learning detection for dropped file 15->100 file6 signatures7 process8 signatures9 76 Detected unpacking (changes PE section rights) 17->76 78 Machine Learning detection for dropped file 17->78 80 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->80 82 3 other signatures 17->82 24 explorer.exe 14 17->24 injected process10 dnsIp11 66 www.vispavolley.net 46.252.151.147, 443, 49798, 49802 ASSUPERNOVAIT Italy 24->66 68 ojinsei.com 178.20.42.96, 49771, 49772, 49773 ASN-FRWInternetServiceProviderIT Russian Federation 24->68 70 qeextension.com 85.187.128.60, 443, 49774, 49777 A2HOSTINGUS United States 24->70 52 C:\Users\user\AppData\Roaming\uurbwcd, PE32 24->52 dropped 54 C:\Users\user\AppData\Local\Temp\CA25.exe, PE32 24->54 dropped 56 C:\Users\user\AppData\Local\Temp\B70A.exe, PE32 24->56 dropped 58 4 other files (3 malicious) 24->58 dropped 92 System process connects to network (likely due to code injection or exploit) 24->92 94 Benign windows process drops PE files 24->94 96 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->96 29 6AFA.exe 1 24->29         started        32 7F8D.exe 1 24->32         started        34 917F.exe 1 24->34         started        36 3 other processes 24->36 file12 signatures13 process14 signatures15 102 Machine Learning detection for dropped file 29->102 104 Contains functionality to inject code into remote processes 29->104 106 Writes to foreign memory regions 29->106 38 AppLaunch.exe 29->38         started        40 conhost.exe 29->40         started        108 Allocates memory in foreign processes 32->108 110 Injects a PE file into a foreign processes 32->110 42 AppLaunch.exe 32->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 36->48         started        50 conhost.exe 36->50         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6da12ce420e0084c786133bd80a12518e407c6c01410889829a51014e59e022c/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 16:28:08 UTC
File Type:
Text (Batch)
AV detection:
3 of 25 (12.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nwqszzba4aeey6dbgo6ybijfddsaprwacqiirgbjuuibjzm6aiwa._file
Verdict:
malicious
Similar samples:
049ae382c00f3cbd42e9108966c445234ed5bccce0913dae44c313295879a6c2
Smoke Loader
12d0f4e279c8b87d94fba44d8e4a85c553cd96b90256716bd98096ca4c2ba359
Smoke Loader
2c440478968af666a120debc6d82a54a731ba91ac3f9b160eb356c9b52104609
Smoke Loader
38499e2889590574aa401acf16f8aba05e693e3da4aa0ac6e71f5d690446d29e
Smoke Loader
3b5adc36b8fd04b224008a8b2fc3770532115de8973d21a0f8b3226df887c1d4
Smoke Loader
5c152d1a379fe3df07a2d57315856f8e17997ee6490351116599ec78e9c5fadf
Smoke Loader
5c1b807913b1a6b8c14a004a2b1830ccc10c61c3b54b16c32faca280360c805b
Smoke Loader
7a1e4107599b275852d1353c20e84e2cfff2bd25c862d78a13937906a7e3709b
Smoke Loader
b5aedf88db5ca22f172a80f49264d768d19c0481e12ffd1b653ed01a2d6be104
Smoke Loader
d7e23283d1389c625db8fd92a4218e4a717a3a62a2db621df3b378be57f13c6f
Smoke Loader
+ 3'489 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220906-tym1tsfgf9/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
SmokeLoader
Malware Config
Dropper Extraction:
http://85.192.63.184/s.exe
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6da12ce420e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6da12ce420e0084c786133bd80a12518e407c6c01410889829a51014e59e022c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments