MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70814ddb80cccda788820b580b7ce4d9deecf3cd30bb4742ab37df7c838477a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	70814ddb80cccda788820b580b7ce4d9deecf3cd30bb4742ab37df7c838477a9
SHA3-384 hash:	d2737a541a6aadd208ac28ca83b98f826dd9622e0a455c5d006c4bac08a9bcd0759efcec5df24e0142f5c4fd5a2275da
SHA1 hash:	ae2a566e256e90c7a3b1d77c1e490ffbaea07fa3
MD5 hash:	b185d8c01677e0cd6f4e8a9ee3b4bada
humanhash:	failed-beer-mango-undress
File name:	70814ddb80cccda788820b580b7ce4d9deecf3cd30bb4742ab37df7c838477a9
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	199'168 bytes
First seen:	2022-11-16 07:30:06 UTC
Last seen:	2022-11-16 09:53:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9b96582b550809a59a2cfe6ee51635e4 (5 x RedLineStealer, 4 x Tofsee, 4 x Amadey)
ssdeep	3072:NAFASc05pPZHQPotL52R/GBsSQ4oqaTSZ90reBTsIGIERz:s352RDyvn0res
Threatray	13'205 similar samples on MalwareBazaar
TLSH	T19F14BF137A90D033C01259349935C2F1263ABC3EEA66974776947F6FBE313C1662670B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	a4e0d2d2690c4408 (1 x Smoke Loader)
Reporter	Anonymous
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

70814ddb80cccda788820b580b7ce4d9deecf3cd30bb4742ab37df7c838477a9

Verdict:

No threats detected

Analysis date:

2022-11-16 07:32:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/039f8c0b-edee-4d57-8cd8-5b527305092e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/334672/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.46900.15321.7492.UNOFFICIAL

Win.Packed.Mokes-9977978-0

Win.Packed.Mokes-9977980-0

Win.Packed.Botx-9978001-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Reading critical registry keys

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware lockbit packed

Link:

https://www.filescan.io/uploads/637491b607c3f5e84a016328/reports/2552e2cf-43ed-43cd-bb47-cc2095241bf1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SystemBC RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/68d4e955-e0c0-499a-b90a-56db9708cb72

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1114584

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70814ddb80cccda788820b580b7ce4d9deecf3cd30bb4742ab37df7c838477a9/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-11-15 15:26:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 39 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ocau3w4aztg2pcecbnmaw7he3hpoz46ngc5uoqvlg7pxza4eo6uq._file

Verdict:

malicious

Smoke Loader

29de7841cd7a5f277bcd1f9c37ceb677ca19940d670797d9322733b8e5229a7f

Smoke Loader

2ad9af4d99a267b9999bf64ae074415083055d48381a60556d38265c2a167c49

Smoke Loader

5e39cd9c14205846fc273607c30644a91eb615249fd472993148451e10ab0034

Smoke Loader

627759c384f499d52d3f5c731deacea95b93dbc22b7e2d21556f3dfd94a75bc2

Smoke Loader

9c30d3230a6914df0719085e74aa98149dac5fd2623bc9e638b9005be7d0df9f

Smoke Loader

b0a031ba919a6a1a969f758d4aef4016ffca7ca92bfaba0ff59193f79c084d09

Smoke Loader

dd9c57c98866c151b49efd9a45e7c96dd72c5acd2657bad8f25712ad5acb768a

Smoke Loader

f49996a4e59621d46bd53f9fb7166d5abfc964bd1da7a4d2944c68af6eda71ae

Smoke Loader

f54493415d69c4787f330c94c94243c544cdde8fbb5145cc2c02a19ce7095931

Smoke Loader

+ 13'195 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/221116-jcc9dsde7t/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Detects Smokeloader packer

SmokeLoader

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bb186183-5613-45b4-87d1-441bcdc8a76c

Unpacked files

SH256 hash:

129d4aca1e9349da4b486c59e512087235e87f99778af933b55c0f516431b184

MD5 hash:

46acff90b7a238149c5030c1d82f5dfd

SHA1 hash:

1b43ecf0ea9bd512aac4e4e480665e70aff00e1a

Detections:

win_smokeloader_a2

SmokeLoaderStage2

Link:

https://www.unpac.me/results/568b9ebd-a5f6-4e63-a5ee-3919d203bd5e/

Parent samples :

9d07d42192235ca3b5ee879a2d81f28313a427862ae10931306406ae5965092d
6dbd206ef6296fe378dc4367b5ec9c07e65a9863a2fefb55716a39c48e144d21
30a793b1398df37b640885e20c1c16d231dd3bff9ee77d95a27e295c88c17e9e
627759c384f499d52d3f5c731deacea95b93dbc22b7e2d21556f3dfd94a75bc2
70814ddb80cccda788820b580b7ce4d9deecf3cd30bb4742ab37df7c838477a9
af2edb431e026575bf1b73f79bb4145af87586a594635075a470636a7e78b1dd

SH256 hash:

70814ddb80cccda788820b580b7ce4d9deecf3cd30bb4742ab37df7c838477a9

MD5 hash:

b185d8c01677e0cd6f4e8a9ee3b4bada

SHA1 hash:

ae2a566e256e90c7a3b1d77c1e490ffbaea07fa3

Link:

https://www.unpac.me/results/568b9ebd-a5f6-4e63-a5ee-3919d203bd5e/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/70814ddb80cc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/70814ddb80cccda788820b580b7ce4d9deecf3cd30bb4742ab37df7c838477a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/334672/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample