MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fd395a53eff705deee9fd917263e308150d95f9fb50800b1b6a814af05f6265. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fd395a53eff705deee9fd917263e308150d95f9fb50800b1b6a814af05f6265
SHA3-384 hash: da8f6335bdff31be0814a906c07352bfbe078e011a2808c06a08233de9f33ed8c38c13199cb3171022de223e9f837206
SHA1 hash: af7c1c84ecc6735db6755dcc4634786d1ea3f53d
MD5 hash: 6e06582d9540c729027f86d3f0617bab
humanhash: hydrogen-monkey-glucose-batman
File name:6e06582d9540c729027f86d3f0617bab
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:491'520 bytes
First seen:2022-03-22 18:17:30 UTC
Last seen:2022-03-22 18:56:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a945867d0ff5375b3c988fb37e437bd4 (1 x Smoke Loader)
ssdeep 12288:REFRKCzbCU7biwItO8g7ySNiLd4LDpp5u3:2LK6X7biw5Red4LDpp
Threatray 7'129 similar samples on MalwareBazaar
TLSH T1A4A48E32F2E14837D2632A7C9D1B536C983AFF103D2D58866BE91D4C5F392C1396A297
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment confirmation.doc
Verdict:
Malicious activity
Analysis date:
2022-03-23 09:58:04 UTC
Tags:
trojan exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/0f5601b9-87ce-4eec-8d72-a43d673ed687

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255028/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Agent.4c.13401.19884.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Forced shutdown of a browser
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10450/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe keylogger
Link:
https://www.filescan.io/uploads/623a12f2b94fb38cb4d0b568/reports/ddfec480-d980-4799-a78e-27c6d04f1c06/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2e0bb3d-349c-4482-b66e-57d483a46eb6
Result
Threat name:
CryptOne SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962145
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fd395a53eff705deee9fd917263e308150d95f9fb50800b1b6a814af05f6265/
Threat name:
Win32.Trojan.QBot
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 15:26:40 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7jzljj675yf33xj7wixey7dbakq3fpz7niiacy3nkauv4c7mjsq._file
Verdict:
malicious
Similar samples:
02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408
Smoke Loader
1d1fc9d23aa14b4f484fb86c173c94084bc14a9f551747b6e06366649a229af5
Smoke Loader
387619129ba37b0a3574d3bae80df37ef2213e27ea2a9d903365e226f6ad2c64
Smoke Loader
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
Smoke Loader
4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a
Smoke Loader
68b90031cf6d8870b5719281dbfd45c97db2b8b0e696ea5f997c8de57b54dd7f
Smoke Loader
edf105b04e5bd8f534cb569945ecaad365d6366e163627d5652520a0368a52c2
Smoke Loader
f7b5a27355eafa5302a38a1e0adadcb619b6d42e7c1707a784297634a180a66f
Smoke Loader
+ 7'119 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor collection trojan
Link:
https://tria.ge/reports/220322-wxlgqageg9/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Accesses Microsoft Outlook profiles
Deletes itself
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://ejeana.co.ug/index.php
https://ejeana.co.ug/index.php
Unpacked files
SH256 hash:
6fd395a53eff705deee9fd917263e308150d95f9fb50800b1b6a814af05f6265
MD5 hash:
6e06582d9540c729027f86d3f0617bab
SHA1 hash:
af7c1c84ecc6735db6755dcc4634786d1ea3f53d
Link:
https://www.unpac.me/results/d0a519c9-c8da-4d2e-a79d-93eaeb704cad/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6fd395a53eff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/6fd395a53eff705deee9fd917263e308150d95f9fb50800b1b6a814af05f6265

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 6fd395a53eff705deee9fd917263e308150d95f9fb50800b1b6a814af05f6265

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2096943/
  
URLhaus
https://urlhaus.abuse.ch/url/2111038/
Cape
Cape
https://www.capesandbox.com/analysis/255028/

Comments


Avatar
zbet commented on 2022-03-22 18:17:32 UTC

url : hxxp://ejeana.co.ug/m1/m01.jpg