MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c995cae1ea620bc32da91ac6d20234493c51bcc4e5fdea5521b70882212a5c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	9c995cae1ea620bc32da91ac6d20234493c51bcc4e5fdea5521b70882212a5c3
SHA3-384 hash:	70e7c2c2cf9f153dc245044a2346fa9901377c4712bebeb388baa8d938e5185946cd62e335918da3c8fb9fe66313b2c6
SHA1 hash:	ea42f650725a911dd3cc85812d41c17e398515af
MD5 hash:	005ee5d7136ba3d8535158c59d4da359
humanhash:	stairway-zulu-venus-uniform
File name:	005ee5d7136ba3d8535158c59d4da359
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	298'496 bytes
First seen:	2023-05-27 08:31:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	697c6731df2df92c82c75859d21c5f77 (4 x Glupteba, 4 x Stop, 2 x Smoke Loader)
ssdeep	3072:HAVEn6hQ/Ddsbek0cS0yoiLL0fGEyfTRKsGGFZOkZw/HvEUm5QO9ky:gVEnxDdsbekDDFikfGz5sOO
Threatray	5'823 similar samples on MalwareBazaar
TLSH	T18C543A1392E0BD94EA264A739E2EC6EC776DF6948F09376622185EDF04F01B2D173391
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	48282480a2848400 (1 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

005ee5d7136ba3d8535158c59d4da359

Verdict:

Malicious activity

Analysis date:

2023-05-27 08:34:00 UTC

Tags:

loader smoke trojan

Link:

https://app.any.run/tasks/dd928303-a4ae-48c4-9337-44f4e1472a73

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/392417/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for analyzing tools

DNS request

Connecting to a non-recommended domain

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Query of malicious DNS domain

Forced shutdown of a system process

Unauthorized injection to a recently created process by context flags manipulation

Sending a TCP request to an infection source

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/88169/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6471c005ce72cac205743967/reports/e8ab7e1e-cbf2-4957-a803-cfef24d81298/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9c995cae1ea620bc32da91ac6d20234493c51bcc4e5fdea5521b70882212a5c3

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4df3d5a6-e8c9-454b-ab49-d624eb920b11

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1243721

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c995cae1ea620bc32da91ac6d20234493c51bcc4e5fdea5521b70882212a5c3/

Threat name:

Win32.Trojan.Smokeloader

Status:

Suspicious

First seen:

2023-05-27 08:32:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tsmvzlq6uyqlymw2sgwg2ibdisj4kg6mjzp55jksdnyiqiqsuxbq._file

Verdict:

malicious

Smoke Loader

2a8c393b39ceaa973f5b3fa6f1a43d93c50d3d9815076e7a831e3e06854900ba

Smoke Loader

635cdfb5397d6cf93a64a03f4cc14b9ddf4969e41fcdf5b40e34655d16adc0e0

Smoke Loader

694f253c98856f3398062575a4ada04df3f50090b3cd66eda8044cd13645ac4b

Smoke Loader

7d2114030808140042fdcd43cbff77a879cb090be1e6a8986d4e79d27d51332e

Smoke Loader

9efe10a206ba1326c1d75b3e41df36c4bfc25d090b0d3d2c74f762587c70a39d

Smoke Loader

c576b3a87ac07ff38f4dcbd14561186361b38cff36fa2f08b99ed4be80d3313a

Smoke Loader

e88173448664121ca9f43d08897218b6afcd00309aff754e5d9e2a9e8e5e4bdc

Smoke Loader

ebbbcddcc71eb168df549650ca4595b33d97f39c16c9b475a9fbdd11eea8fe7f

Smoke Loader

efaab91dcc9f31617e0d512545a3be360eaa320701d1e2d686e430647ffb11b9

Smoke Loader

+ 5'813 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader botnet:pub1 backdoor trojan

Link:

https://tria.ge/reports/230527-ke97ksbf5y/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetThreadContext

SmokeLoader

Malware Config

C2 Extraction:

http://host-file-host6.com/
http://host-host-file8.com/

Gathering data

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9c995cae1ea6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c995cae1ea620bc32da91ac6d20234493c51bcc4e5fdea5521b70882212a5c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.