MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d07d42192235ca3b5ee879a2d81f28313a427862ae10931306406ae5965092d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d07d42192235ca3b5ee879a2d81f28313a427862ae10931306406ae5965092d
SHA3-384 hash: 9fc8a4f912b10e6a9c54d00c5d943a0f8c2ac4876bb29cf2ccb54f9367edbc0060558d4de60b4a0d666e8d469ea59196
SHA1 hash: e8b5304b0efb50c0b5b507f945bca17207369ec6
MD5 hash: 3daa1a973b309ee9945b6d3fe0f9246c
humanhash: carolina-nine-uncle-two
File name:3daa1a973b309ee9945b6d3fe0f9246c.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:297'984 bytes
First seen:2022-09-13 17:47:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d8b50d6b731cfa6523b17da6ef608584 (2 x Stop, 2 x Smoke Loader, 1 x TeamBot)
ssdeep 6144:MaJGzDo8b+xDXr+9zl/G85V9b+HmJCH0q0n8G:MHz6xDXq1l/G85V9Koq
Threatray 5'968 similar samples on MalwareBazaar
TLSH T186548D00BA90C435F1F716F44ABA926CB93E7EE06B6550CB22D56AEE57346E0EC31317
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 666078b464ce9024 (1 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0ed185f1-e529.exe
Verdict:
No threats detected
Analysis date:
2022-09-12 17:37:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef574fc7-5321-4088-9ac8-54d6a95211ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/309786/
Detection(s):
Win.Ransomware.Tofsee-9967922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6320c2ec258cf225c27677e1/reports/f2730de5-734b-484c-a927-0f45b2e6fedd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ae64cea6-42d3-4586-93c3-1220a4007ac0
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069849
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 702380 Sample: Qa2XRmZ7nL.exe Startdate: 13/09/2022 Architecture: WINDOWS Score: 100 24 Multi AV Scanner detection for domain / URL 2->24 26 Malicious sample detected (through community Yara rule) 2->26 28 Antivirus detection for URL or domain 2->28 30 5 other signatures 2->30 6 Qa2XRmZ7nL.exe 2->6         started        9 cejjfrg 2->9         started        process3 signatures4 32 Detected unpacking (changes PE section rights) 6->32 34 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 6->34 36 Maps a DLL or memory area into another process 6->36 38 Creates a thread in another existing process (thread injection) 6->38 11 explorer.exe 2 6->11 injected 40 Multi AV Scanner detection for dropped file 9->40 42 Machine Learning detection for dropped file 9->42 44 Checks if the current machine is a virtual machine (disk enumeration) 9->44 process5 dnsIp6 20 psycho-holsitik.de 37.0.14.212, 49744, 7086 WKD-ASIE Netherlands 11->20 22 autohuas-hesse.de 37.0.14.217, 49745, 7086 WKD-ASIE Netherlands 11->22 16 C:\Users\user\AppData\Roaming\cejjfrg, PE32 11->16 dropped 18 C:\Users\user\...\cejjfrg:Zone.Identifier, ASCII 11->18 dropped 46 System process connects to network (likely due to code injection or exploit) 11->46 48 Benign windows process drops PE files 11->48 50 Deletes itself after installation 11->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->52 file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d07d42192235ca3b5ee879a2d81f28313a427862ae10931306406ae5965092d/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-09-12 18:32:01 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tud5iimsenokhnpoq6nc3apsqmj2ij4gflqqsmjqmqdk4wlfbewq._file
Verdict:
malicious
Similar samples:
1dbc3fc77a4cc5fffe4ce63d0490d832344bdedbe5940cb3ee77d67564a66184
Smoke Loader
27a17188984fd6571be42b395e4161551ce07e12c994cfbfa43cdf53164da60e
Smoke Loader
625f23d74c935a0ec5ff9b0fe01d1b7c0581fb81fd92bd9c1e59bdc985358d5e
Smoke Loader
6a2facafe3db2d714aada4694fd93dd0b06f00739e4c7f374d61a2b6d8d80685
Smoke Loader
74b329e9e0c0027a37427256ad36933c097002aeac548367a711775760b9d820
Smoke Loader
754b68d9bec3d2b5fca9b8f7774f4a0c03e54cb7df17b1803fa1bac224b9957b
Smoke Loader
829f67338d9165358ffdab748662e90f6f6962711dee0e670faacd61517d20ff
Smoke Loader
d5b7a3f86c10c1cd99b32cf871c0ddb8d1fd2c3296c0094e263f162079c94b9b
Smoke Loader
e387e0ba5e2fb9355e78d28a92edff5479c15e327f6e4e97a3cf42c27e00e85f
Smoke Loader
e4441e69c1f3edf10db4e52ee54d7851e6f12e551a7e1c316936fc684149a919
Smoke Loader
+ 5'958 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220913-wdfgcscaan/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Executes dropped EXE
Detects Smokeloader packer
SmokeLoader
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1eb73592-a7fd-43e7-9bef-f65c2fa5caaa
Unpacked files
SH256 hash:
129d4aca1e9349da4b486c59e512087235e87f99778af933b55c0f516431b184
MD5 hash:
46acff90b7a238149c5030c1d82f5dfd
SHA1 hash:
1b43ecf0ea9bd512aac4e4e480665e70aff00e1a
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/0a2c1593-9bd0-41bf-b13b-85c8e50f8bb4/
Parent samples :
9d07d42192235ca3b5ee879a2d81f28313a427862ae10931306406ae5965092d
6dbd206ef6296fe378dc4367b5ec9c07e65a9863a2fefb55716a39c48e144d21
30a793b1398df37b640885e20c1c16d231dd3bff9ee77d95a27e295c88c17e9e
627759c384f499d52d3f5c731deacea95b93dbc22b7e2d21556f3dfd94a75bc2
70814ddb80cccda788820b580b7ce4d9deecf3cd30bb4742ab37df7c838477a9
af2edb431e026575bf1b73f79bb4145af87586a594635075a470636a7e78b1dd
SH256 hash:
9d07d42192235ca3b5ee879a2d81f28313a427862ae10931306406ae5965092d
MD5 hash:
3daa1a973b309ee9945b6d3fe0f9246c
SHA1 hash:
e8b5304b0efb50c0b5b507f945bca17207369ec6
Link:
https://www.unpac.me/results/0a2c1593-9bd0-41bf-b13b-85c8e50f8bb4/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d07d4219223/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d07d42192235ca3b5ee879a2d81f28313a427862ae10931306406ae5965092d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/309786/

Comments