MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e4e8a3c08c71e24a113731d9b3c6221c79a0d82e9ab0b510e4240257b4d0eee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 14

SHA256 hash: 9e4e8a3c08c71e24a113731d9b3c6221c79a0d82e9ab0b510e4240257b4d0eee
SHA3-384 hash: 7a2f625c264a78968ee7f4b32233b531c9d52481432fbb7e1dc4d8783450f983619db1c2ecb734678a4d9e5abab6388e
SHA1 hash: fc403c8d7df48b313bdd96fc6d1f93c98b905e38
MD5 hash: c19ac7b048a92ef8e9355ce4425da10e
humanhash: moon-east-skylark-zulu
File name: c19ac7b048a92ef8e9355ce4425da10e.exe
Signature: Smoke Loader
File size: 237'056 bytes
First seen: 2023-07-08 08:20:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e65c47fc4d58d13cecab4f956a741e17 (2 x RedLineStealer, 2 x Smoke Loader, 1 x TeamBot)
ssdeep: 3072:XpmfY5uwEh0SPwCgX+EEEEEEEcCz/T1dU9Pl1smVzKMEV5VelpSkQd:5j/EeS41KC/89Pl1nzmV5sp
Threatray: 4'704 similar samples on MalwareBazaar
TLSH: T1C2348E0272E06C71D466BA318D2EC6E46B2EF951CF9867DB33586A3F0D701E1A673712
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 0010100310302004 (1 x Smoke Loader)
Reporter: abuse_ch
Tags: exe Smoke Loader

Intelligence

File Origin
# of uploads: 1
# of downloads: 273
Origin country: NL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 28061b2c108210de2371acc68083ea74.exe
Verdict: Malicious activity
Analysis date: 2023-07-08 04:50:39 UTC
Tags: loader smoke trojan opendir amadey stealer vidar rat redline ransomware stop arkei miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Launching a process
Setting browser functions hooks
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a browser process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed smokeloader
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2023-07-08 00:52:36 UTC
File Type: PE (Exe)
Extracted files: 26
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader botnet:summ backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
SmokeLoader
Malware Config
C2 Extraction:
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
Unpacked files
SHA256 hash: 48b6a4785f1dc9f33c51c2e588c7f9edf76e551cff8759ac5622cf995330ff14
MD5 hash: d9cde58139fef6bf75141230f9662d97
SHA1 hash: 68ac6ee1b78dfa15bfe49229640a0929438029af
Detections: SmokeLoaderStage2 win_smokeloader_a2
Parent samples:
SHA256 hash: 9e4e8a3c08c71e24a113731d9b3c6221c79a0d82e9ab0b510e4240257b4d0eee
MD5 hash: c19ac7b048a92ef8e9355ce4425da10e
SHA1 hash: fc403c8d7df48b313bdd96fc6d1f93c98b905e38
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments