MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 860ce43cef0bbd5b0447f02c55a6c0827aa09e3b7d537b1167bd67047980ab93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	860ce43cef0bbd5b0447f02c55a6c0827aa09e3b7d537b1167bd67047980ab93
SHA3-384 hash:	5b9f397ff61e7e4fa2c62e33c9afb23164d61224c70bf9bf28c7981de1ab3a69e20a1be4c430b9bd6b7821f81c7c942e
SHA1 hash:	e903beefd96b3016a9604b4a00ef8e1a46fbd05b
MD5 hash:	9f7b6fcbe9944804356cbbeb1582cc0c
humanhash:	friend-cup-eight-leopard
File name:	9f7b6fcbe9944804356cbbeb1582cc0c.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	286'720 bytes
First seen:	2020-11-11 11:49:56 UTC
Last seen:	2020-11-11 13:52:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c25051ab6f9bde4873ea577d64187971 (8 x Smoke Loader)
ssdeep	3072:8CSMh0xKNfStbpg95CJtEN1msCZ86RokyFhN2/UJ7PTiCN04uO:8BseKNQb2Sz2/gokyFh7iw0c
Threatray	102 similar samples on MalwareBazaar
TLSH	3D54BF2276A0C0F6C4AE1D304875D7A0DAFAB836177449CB37A4276A1F313D16A7E35B
Reporter	abuse_ch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Variant.Babar.23131.976.22705.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Deleting of the original file

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/530155

Signature

Benign windows process drops PE files

Binary contains a suspicious time stamp

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Renames NTDLL to bypass HIPS

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/860ce43cef0bbd5b0447f02c55a6c0827aa09e3b7d537b1167bd67047980ab93/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-11-11 11:55:39 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qygoiphpbo6vwbch6awfljwaqj5kbhr3pvjxwelhxvtqi6mavojq._file

Verdict:

suspicious

Smoke Loader

237097d56dbe6e685d11f86815a8fa3a5e51b1f48e80a9f7e51d1cfabe0ae4aa

Smoke Loader

2c10f6776795d59fe038ed6b7ff9e2d1a710a027a35845e34e4cd5fef17892f8

Smoke Loader

5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114

Smoke Loader

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91

Smoke Loader

95a4cf409c7e7813bfa744598bee2e0e572b2d05ec31622867237ea6dab8a813

Smoke Loader

d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740

Smoke Loader

e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7

Smoke Loader

f43fa7b7115450b5a3b8b97c6f578afe6c55692a06d1f872415d547c570da288

Smoke Loader

f85b4fcd61a36635fe0e40af704b607ab33afdc97131c14fd958f6ae101ad1da

Smoke Loader

+ 92 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/201111-m3mne8s8xs/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Deletes itself

Loads dropped DLL

SmokeLoader

Malware Config

C2 Extraction:

http://smk10ddde.com/

Unpacked files

SH256 hash:

860ce43cef0bbd5b0447f02c55a6c0827aa09e3b7d537b1167bd67047980ab93

MD5 hash:

9f7b6fcbe9944804356cbbeb1582cc0c

SHA1 hash:

e903beefd96b3016a9604b4a00ef8e1a46fbd05b

Link:

https://www.unpac.me/results/2d0864e1-07fb-4f23-8f18-2a6af31a295c/

SH256 hash:

640326eaa9b6d1eebecf4925208ea87f31574b530e81b25575a5ab28f23ba90d

MD5 hash:

701f9a4e569369f69ec1c8d2114f5c09

SHA1 hash:

1964037544e248c943177d19b105e3e5594ca53f

Link:

https://www.unpac.me/results/2d0864e1-07fb-4f23-8f18-2a6af31a295c/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe 860ce43cef0bbd5b0447f02c55a6c0827aa09e3b7d537b1167bd67047980ab93

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/804371/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/802950/

URLhaus

https://urlhaus.abuse.ch/url/786755/

URLhaus

https://urlhaus.abuse.ch/url/804380/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample