MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b
SHA3-384 hash: 2b27658007f6a17099618e2922b377a7cd4dec9ed20777eda1b5c369d7c770d3e9a66dce7249df0edbc862038d1fcb2b
SHA1 hash: 7bd30d865386c349f3c29c9d85fda0a7ad76111d
MD5 hash: 31e6d2018b345fe69bbc2cf8f69215b3
humanhash: salami-aspen-iowa-ack
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:212'480 bytes
First seen:2023-06-11 15:08:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b96bbe7f35030dff720bfd4a2e62f20 (3 x GCleaner, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep 3072:VYTKEKvZSP65OLdxg8PGmAqjGyhetUsyOhyZaRtIRdo5tDaX:a2BQP65odxVPEzn6Zan8o5t
Threatray 4'256 similar samples on MalwareBazaar
TLSH T11324BF1176E1D032E6B745345934D2E36A3BF8B3AA75844B72443B6F3D322836A66F13
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0030c09030181800 (2 x Smoke Loader, 1 x Tofsee, 1 x CoinMiner)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from https://smartindianagriculture.com/tmp/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
US US
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-11 15:10:56 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/f70ba5c0-0d76-407a-8c5c-1a2fdf9388f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/397793/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90274/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6485e38fc6414862d2066289/reports/ff9cbef8-d65d-47c0-8a85-da9ec5d5780b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/149a6e4d-e89b-44d3-b1c9-d93dae1826c0
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1252587
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 885603 Sample: file.exe Startdate: 11/06/2023 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 7 other signatures 2->48 7 file.exe 2->7         started        10 uagwshc 2->10         started        12 D520.exe 2->12         started        process3 signatures4 58 Detected unpacking (changes PE section rights) 7->58 60 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->60 62 Maps a DLL or memory area into another process 7->62 64 Creates a thread in another existing process (thread injection) 7->64 14 explorer.exe 1 5 7->14 injected 66 Multi AV Scanner detection for dropped file 10->66 68 Machine Learning detection for dropped file 10->68 70 Checks if the current machine is a virtual machine (disk enumeration) 10->70 process5 dnsIp6 28 187.224.116.41, 49706, 49708, 49710 UninetSAdeCVMX Mexico 14->28 30 189.245.66.56, 49703, 80 UninetSAdeCVMX Mexico 14->30 32 4 other IPs or domains 14->32 22 C:\Users\user\AppData\Roaming\uagwshc, PE32 14->22 dropped 24 C:\Users\user\AppData\Local\Temp\D520.exe, PE32 14->24 dropped 26 C:\Users\user\...\uagwshc:Zone.Identifier, ASCII 14->26 dropped 34 System process connects to network (likely due to code injection or exploit) 14->34 36 Benign windows process drops PE files 14->36 38 Deletes itself after installation 14->38 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->40 19 D520.exe 14->19         started        file7 signatures8 process9 signatures10 50 Detected unpacking (changes PE section rights) 19->50 52 Detected unpacking (overwrites its own PE header) 19->52 54 Machine Learning detection for dropped file 19->54 56 Contains functionality to infect the boot sector 19->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-11 15:09:05 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdqse2ggrbw2oxhtswjw353dlrjn7tj3z4duhfw5tsl7uvoj5nnq._file
Verdict:
malicious
Similar samples:
0ab54468721453d7237df27d4dd6383366edb5cc3bfab9a20d48a2416ca2aed8
Smoke Loader
1171766b3c8e74122333aedfcf8ff32bcd2e059043af434dc57a70b6015b3e63
Smoke Loader
4553d57cf419bf15f2e867b3269580925c9b0e56c8d2f487007b3a0e80fb4da6
Smoke Loader
59a9abae3f724f1ff212766b64ab691d34cd0624337204caa65406a1378329a3
Smoke Loader
5b26522436f02ab63249cda95ffb462e3050087390e125f7ff09ca2eff57ce10
Smoke Loader
5cb4329e2e5e2d43468d75e2892527faeeb4642c9bdcff9661992324502366de
Smoke Loader
7f02d0bb42962b382ef7d6f5c3d647fa199311a586b5f0fd6c5e266759211967
Smoke Loader
84c63d7b5b76b8069dec9760aa1bb530b062889cfce4f2fa82e5288cb82b25fa
Smoke Loader
a5e2e1d4ae2ea2f1de7b448222962195698a6e82a0f890d5e2898f5b28d7b6f0
Smoke Loader
e3c15f1c7b655b44882792cbb98fd962f47137dea2621128be6595a1237a2672
Smoke Loader
+ 4'246 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub5 backdoor trojan
Link:
https://tria.ge/reports/230611-sjfgrshd22/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
7b0e25c99ef33caed24b3102cee5b9c345c9f138246e5daa2f00d561670fb34e
MD5 hash:
98f0c51fae13a11fa6851bd32dd450d9
SHA1 hash:
7f4f555598a5fa24fb79da8696ebe218f92b6561
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/7ad822df-234e-43cf-bfcf-f4645bc8fdf5/
Parent samples :
0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0
a9d1c36b151cbd42b112cfb10ec35fa05174f40a89876d2e66f1e9abf011af61
90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b
0b7609e449e5872e1223c2ae6f26253640b0cb7981e7721e5b3a25a28a1fe579
e82edb85f46bde98da82a2c3df1178e85774cd0415e9e998325a59b8a28b8ba6
64c99e86f8722c5b825250b3302a2eafc652a09108a3213e124f173f10be2eeb
13a43acaf411468a1ddfa5f221464f0ead5221a8694bb1027273206ecfa2e336
6aa14b8612361f8cd34a86edcf341aaee819fb9a0cc18d51165e52afdcbe5e60
68af9af3506c7a35ef60026b6662cbc1fda0b36007a6eb48a974e4d7574db21f
81d2aa64b3f784fc0dab7694d106bedbd193786ab47dd064c0c5a8714d3fcaff
abd8284914e8bc1309c13903e7b41b1af552c80598982c9e8fbe35e88eda9315
SH256 hash:
90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b
MD5 hash:
31e6d2018b345fe69bbc2cf8f69215b3
SHA1 hash:
7bd30d865386c349f3c29c9d85fda0a7ad76111d
Link:
https://www.unpac.me/results/7ad822df-234e-43cf-bfcf-f4645bc8fdf5/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90e12268c688/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/397793/

Comments