MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602
SHA3-384 hash: 59478ea8d3902545efe1d47cf18451c314c5abc14e5b933ce64d74976ed74e9cbf7c993ce1566224cf4b97553d874973
SHA1 hash: 45e26f7fe44dc651c6a3e0f9f685891514d05912
MD5 hash: 40ae16d9f72b0d03b3d8bf251e623a85
humanhash: triple-jersey-carolina-massachusetts
File name:40ae16d9f72b0d03b3d8bf251e623a85.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:303'104 bytes
First seen:2023-03-17 19:02:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e76b494f1a9946f83b6b72033f310be (7 x Smoke Loader, 4 x Rhadamanthys, 4 x RedLineStealer)
ssdeep 3072:aUhO7wlL4qWSEFfweFrAV/PAVNY46k2htR4ZoKXPI4yDftPqgDuM:bawlL4zSS4QrAVwVNL2mZ5XGFNu
Threatray 4'437 similar samples on MalwareBazaar
TLSH T181542A4393E17C48E9368B72AE1FC6E8771DF6518F897B6532189A2F04F2172C563E90
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1406221606040900 (1 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
40ae16d9f72b0d03b3d8bf251e623a85.exe
Verdict:
Malicious activity
Analysis date:
2023-03-17 19:03:24 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/22e27c44-bc49-4e03-af06-5096ba159017

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/375212/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73664/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gandcrab gozi greyware lockbit mokes packed
Link:
https://www.filescan.io/uploads/6414b96728f6cfd59136ae84/reports/e6ee25d1-741d-4e09-b88b-fd8137b167f5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b728398-9a1a-48ce-81bf-41ecdcf4d1a6
Result
Threat name:
Aurora, DanaBot, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1196222
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara Aurora Stealer
Yara detected Costura Assembly Loader
Yara detected DanaBot stealer dll
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 829121 Sample: gT5Uqq6LQP.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 100 84 vispik.at 2->84 114 Snort IDS alert for network traffic 2->114 116 Multi AV Scanner detection for domain / URL 2->116 118 Malicious sample detected (through community Yara rule) 2->118 120 11 other signatures 2->120 11 gT5Uqq6LQP.exe 2->11         started        14 afstgsd 2->14         started        16 267C.exe 2->16         started        signatures3 process4 signatures5 142 Detected unpacking (changes PE section rights) 11->142 144 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->144 146 Maps a DLL or memory area into another process 11->146 148 Creates a thread in another existing process (thread injection) 11->148 18 explorer.exe 4 16 11->18 injected 150 Multi AV Scanner detection for dropped file 14->150 152 Machine Learning detection for dropped file 14->152 154 Checks if the current machine is a virtual machine (disk enumeration) 14->154 process6 dnsIp7 86 95.158.162.200, 49705, 49706, 49712 VIDEOSATBG Bulgaria 18->86 88 vispik.at 186.182.55.44, 49700, 49707, 49709 TechtelLMDSComunicacionesInteractivasSAAR Argentina 18->88 90 7 other IPs or domains 18->90 70 C:\Users\user\AppData\Roaming\afstgsd, PE32 18->70 dropped 72 C:\Users\user\AppData\Local\Temp505.exe, PE32 18->72 dropped 74 C:\Users\user\AppData\Local\Temp\B2E8.exe, PE32 18->74 dropped 76 3 other malicious files 18->76 dropped 122 System process connects to network (likely due to code injection or exploit) 18->122 124 Benign windows process drops PE files 18->124 126 Deletes itself after installation 18->126 128 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->128 23 B2E8.exe 6 18->23         started        27 74B9.exe 3 18->27         started        29 267C.exe 18->29         started        31 E505.exe 1 18->31         started        file8 signatures9 process10 file11 78 C:\Windows\Temp\321.exe, PE32 23->78 dropped 80 C:\Windows\Temp\123.exe, PE32 23->80 dropped 130 Machine Learning detection for dropped file 23->130 33 123.exe 23->33         started        36 321.exe 23->36         started        132 Antivirus detection for dropped file 27->132 134 Multi AV Scanner detection for dropped file 27->134 136 Injects a PE file into a foreign processes 27->136 39 74B9.exe 27->39         started        138 Detected unpacking (changes PE section rights) 29->138 140 Detected unpacking (overwrites its own PE header) 29->140 82 C:\Users\user\AppData\...\Wtoahoepfise.dll, PE32 31->82 dropped 41 rundll32.exe 1 31->41         started        signatures12 process13 dnsIp14 104 Machine Learning detection for dropped file 33->104 106 Writes to foreign memory regions 33->106 108 Allocates memory in foreign processes 33->108 110 Injects a PE file into a foreign processes 33->110 43 RegSvcs.exe 33->43         started        47 WerFault.exe 33->47         started        92 127.0.0.1 unknown unknown 36->92 112 Tries to harvest and steal browser information (history, passwords, etc) 36->112 49 chrome.exe 36->49         started        94 138.201.198.8, 49755, 8081 HETZNER-ASDE Germany 39->94 51 cmd.exe 39->51         started        53 cmd.exe 39->53         started        55 WMIC.exe 39->55         started        signatures15 process16 dnsIp17 102 51.89.204.181, 22299, 49754 OVHFR France 43->102 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->156 158 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 43->158 160 Tries to harvest and steal browser information (history, passwords, etc) 43->160 162 Tries to steal Crypto Currency Wallets 43->162 57 chrome.exe 49->57         started        60 conhost.exe 51->60         started        62 WMIC.exe 51->62         started        64 conhost.exe 53->64         started        66 WMIC.exe 53->66         started        68 conhost.exe 55->68         started        signatures18 process19 dnsIp20 96 plus.l.google.com 142.251.209.14, 443, 49753 GOOGLEUS United States 57->96 98 www.google.com 142.251.209.36, 443, 49748, 49749 GOOGLEUS United States 57->98 100 apis.google.com 57->100
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-17 17:29:02 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtzadei65ij6bjdk7jbx66szikq5ocx2wf7nznh6mvua2fmz6yba._file
Verdict:
malicious
Similar samples:
31125dd90470955ca70e23ae2c3fd372db8b991a7c92bfb49d442b67539602c3
Smoke Loader
3358510dd07f7a0f84f6b8ff788bf5fb661c2259ebff3696c964f928a166a58c
Smoke Loader
49d393dd5011f729861bba497ebc7a0fc1312dff59820659e922bf109dd66ac3
Smoke Loader
6fcfc6e9c3504129087f399f02026f0857e51702803c00e15c16a98d94414974
Smoke Loader
74d9950fb4a58f99306f9310d3bb295f865f164e16f2f53b6baec947ee5cfca5
Smoke Loader
8566c357f42e4e6f442564c63c376540b4e4d0ee72d38f83a3de84a83931a6ce
Smoke Loader
86d03866f50e32545514b56e8fc46122c136d24e80954b7f6291b870a1e2a5ac
Smoke Loader
e9abf1a9ce327a916ba7191b471e3039d5e50093fe7346944a83d020e89da470
Smoke Loader
fabf60ba606f708c842b3cd143642c0ec9ac49b67678742b031abfe7e5f08ef8
Smoke Loader
fec7e6d8626bf8373fbefecbdca920aa2b30ce8b94e65a78e16f042bbc9ab3e0
Smoke Loader
+ 4'427 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub4 backdoor trojan
Link:
https://tria.ge/reports/230317-xqcrnshf58/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
SmokeLoader
Malware Config
C2 Extraction:
http://vispik.at/tmp/
http://ekcentric.com/tmp/
http://hbeat.ru/tmp/
http://mordo.ru/tmp/
Unpacked files
SH256 hash:
93aa95fb6ff1197842539ad7d33661578c19614b641bc01b1339e9c74e8f6077
MD5 hash:
79e11ad9206a0e4207a1916c41d485e3
SHA1 hash:
7b2e2d5c564fe560f76bf3db8ce91acef6db1b3e
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/78318d7d-0ac4-464d-917b-7aa2486b537f/
Parent samples :
8d817b65185a02fb3050ec898ba6dc15f88e97428402de127d0fe79e6480421d
e9abf1a9ce327a916ba7191b471e3039d5e50093fe7346944a83d020e89da470
3358510dd07f7a0f84f6b8ff788bf5fb661c2259ebff3696c964f928a166a58c
e6ac1fe76c5644ac4f6624ffd984aebf33708da63cd425e58218eac16b9500c3
b3c1c51816ed1e710c16b9979424f6e048de948320e1560664f02b7fd68a1c70
bfa7f935ce2d538f08ef9b71990ff857c855ae47f402010207533a85831b0d69
d0c09c00990cc693789f83e8dfb4d3e7db62a583d246cea22b2c6bb3a2c3e6f0
9b6da424a0f27a420231b67553454bf11d1283164fd176d688ddd43f2a6c4dfc
35c8d963860e8a3b6f74aae074eeae71dbcd50f4ac55e72f4509f15eb45e6f09
6fcfc6e9c3504129087f399f02026f0857e51702803c00e15c16a98d94414974
86d03866f50e32545514b56e8fc46122c136d24e80954b7f6291b870a1e2a5ac
e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b
a55fb5f4931b56a67accf6b1e95d17bb96a3e12b5a960816c60dfd06bb440d9c
ba22d964e19050f18e2616497d28864c3f3e7e4f6769b6b55020002af356fd52
cd3e1831de588644e2706fa76f1b8bdd13e575cd648b6db24ddc4c9016ab978b
92a5b282a453a1d71a1d800a95018b6248da4a8cdcc58e82c56266be169cc98c
1b47e6ab6638a2d79d7a5f80627f4e96a7169b8083c6d69fb8f32ee6efcc2aa5
8566c357f42e4e6f442564c63c376540b4e4d0ee72d38f83a3de84a83931a6ce
49d393dd5011f729861bba497ebc7a0fc1312dff59820659e922bf109dd66ac3
84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602
SH256 hash:
84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602
MD5 hash:
40ae16d9f72b0d03b3d8bf251e623a85
SHA1 hash:
45e26f7fe44dc651c6a3e0f9f685891514d05912
Link:
https://www.unpac.me/results/78318d7d-0ac4-464d-917b-7aa2486b537f/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/84f201911eea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2571667/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/375212/

Comments