MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ba95cf7643edb6a572e660d541d96c8e1c138c76dd6e476c5943fe2d50ef59a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ba95cf7643edb6a572e660d541d96c8e1c138c76dd6e476c5943fe2d50ef59a
SHA3-384 hash: 08de78ed77be9874a2e49498d18cda68bcad281e595d3692cbbf7aedd138865d095df29fd440fd93c8c572d4464313e0
SHA1 hash: eee2448f77944e3d9a070eda2bf44355580ad86c
MD5 hash: 9b31e1fefcb6ddca5be2b800941ed51f
humanhash: illinois-angel-winner-east
File name:9b31e1fefcb6ddca5be2b800941ed51f.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:190'464 bytes
First seen:2023-06-12 11:18:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5affbd003e86f6425e6f5983fd37fec5 (5 x RedLineStealer, 2 x GCleaner, 1 x Smoke Loader)
ssdeep 3072:M00zhyjmLJNGiGghL1d7NHK24SnWP4rYENwQ5Ctc:90zhy+8GhxH77WPf2Mt
Threatray 5'478 similar samples on MalwareBazaar
TLSH T12514CF213AF1C032E6BB45351531F7A06A7BBF332BB2858B3340166F1D726919A66F17
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000001000000000 (1 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
9b31e1fefcb6ddca5be2b800941ed51f.exe
Verdict:
Malicious activity
Analysis date:
2023-06-12 11:26:43 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/56342d1d-494b-4759-9101-d6b337b5f11c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/397912/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90344/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed xpack
Link:
https://www.filescan.io/uploads/6486ff2808b287b7595b3daa/reports/a69f1565-a413-4fcf-b4f2-970821d95ec6/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8ba95cf7643edb6a572e660d541d96c8e1c138c76dd6e476c5943fe2d50ef59a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd0fdf4f-760e-421d-80ed-50eaeb75c727
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1252914
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 885934 Sample: yGSQQi3U5U.exe Startdate: 12/06/2023 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 8 other signatures 2->48 7 yGSQQi3U5U.exe 2->7         started        10 wvtsfjh 2->10         started        12 D8C5.exe 2->12         started        process3 signatures4 58 Detected unpacking (changes PE section rights) 7->58 60 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->60 62 Maps a DLL or memory area into another process 7->62 64 Creates a thread in another existing process (thread injection) 7->64 14 explorer.exe 5 7->14 injected 66 Multi AV Scanner detection for dropped file 10->66 68 Machine Learning detection for dropped file 10->68 70 Checks if the current machine is a virtual machine (disk enumeration) 10->70 process5 dnsIp6 28 shsplatform.co.uk 80.66.203.53, 443, 49699 UKFASTGB United Kingdom 14->28 30 toobussy.com 190.224.203.37, 49697, 49702, 49704 TelecomArgentinaSAAR Argentina 14->30 32 3 other IPs or domains 14->32 22 C:\Users\user\AppData\Roaming\wvtsfjh, PE32 14->22 dropped 24 C:\Users\user\AppData\Local\Temp\D8C5.exe, PE32 14->24 dropped 26 C:\Users\user\...\wvtsfjh:Zone.Identifier, ASCII 14->26 dropped 34 System process connects to network (likely due to code injection or exploit) 14->34 36 Benign windows process drops PE files 14->36 38 Deletes itself after installation 14->38 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->40 19 D8C5.exe 14->19         started        file7 signatures8 process9 signatures10 50 Detected unpacking (changes PE section rights) 19->50 52 Detected unpacking (overwrites its own PE header) 19->52 54 Machine Learning detection for dropped file 19->54 56 Contains functionality to infect the boot sector 19->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ba95cf7643edb6a572e660d541d96c8e1c138c76dd6e476c5943fe2d50ef59a/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-11 07:43:27 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rouvz53eh3nwuvzomygvihmwzdq4coghnxloi5wfsq76fvio6wna._file
Verdict:
malicious
Similar samples:
0ba63ada2388f13e0e3bdfa0fd9165363e22bf4b74299d3c3e38154858e0702f
Smoke Loader
478bd4b9c09586ef6c80ff69bec832acec92bcc6050b300973bc33537bd8ed76
Smoke Loader
75a01b4c88fec9cd0f81f510360056a86aab4e3776919f7aaaaa7d20a7c6127f
Smoke Loader
86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc
Smoke Loader
a214f32ddf5faff1a241365cd23186698ffc3c91042b12584e4bcbb324c2a069
Smoke Loader
a4222ea2dec639a850eff45a80cea109bc4469c5c9173e44e1c0e3a1707c8bbb
Smoke Loader
d46fec4abba46efe6663f19c2d9963a612f4ff25023c0dc6fc5bb559f106859d
Smoke Loader
f894c33733e346c9cefada8e6136e53633bd70aac1c6ef081d374dd852426fcc
Smoke Loader
+ 5'468 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub1 backdoor trojan
Link:
https://tria.ge/reports/230612-nevcxacc7s/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
9e51c7d45f9edc3eb8f59f6a8b0dc4bcc716b5956171e6dde8bb51089b9c9a6a
MD5 hash:
e635ded1f5a9548bad84cc629f13d7de
SHA1 hash:
0603a76be16e973f2bc604f1aab4d396861b014d
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/14d558e2-b6f2-4827-b18c-8ff38c01a03d/
Parent samples :
a51b880c04fcc66cc1c561b3b490b04db675f2775bbf1dfc299572d2401e706d
8ba95cf7643edb6a572e660d541d96c8e1c138c76dd6e476c5943fe2d50ef59a
6e06846b13c0f90b5c2a600b9a95106cb7af27b8fe78dba06916263c780eddb4
13744be5698ffddc96d55415fdeebde4921ed199b4174251d83f1fd5b5a05c66
SH256 hash:
8ba95cf7643edb6a572e660d541d96c8e1c138c76dd6e476c5943fe2d50ef59a
MD5 hash:
9b31e1fefcb6ddca5be2b800941ed51f
SHA1 hash:
eee2448f77944e3d9a070eda2bf44355580ad86c
Link:
https://www.unpac.me/results/14d558e2-b6f2-4827-b18c-8ff38c01a03d/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8ba95cf7643e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ba95cf7643edb6a572e660d541d96c8e1c138c76dd6e476c5943fe2d50ef59a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 8ba95cf7643edb6a572e660d541d96c8e1c138c76dd6e476c5943fe2d50ef59a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2649758/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/397912/

Comments