MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0d075910c22ec856cbd281162299ce055630e5873f29450c11b748265331388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0d075910c22ec856cbd281162299ce055630e5873f29450c11b748265331388
SHA3-384 hash: 217fb631b04ffc9fda6b6428c736fa81ed3b207df21c2e5856142915166e3e5ea57da3b070b9735ce4d98c4bf71614b3
SHA1 hash: acdc8f9357246b4984692fe01a65af6a435d560a
MD5 hash: 1f544e4ef30da7da0b70b6a71edf2bdc
humanhash: stairway-three-charlie-triple
File name:1f544e4ef30da7da0b70b6a71edf2bdc.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:179'712 bytes
First seen:2021-03-31 18:32:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2729c7fa189d9a609b8dddcf570936d1 (2 x RedLineStealer, 1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep 3072:25htNgFLupIXEZo2FhLDQeIVvRttZSweFsh/v3Kl5a:Et+IpIwXLXIVkAvA
Threatray 578 similar samples on MalwareBazaar
TLSH E4049D00B6D1C073D1564A754821D3A55A36FCB29F349AC77BD42F7A6E393E18A3A383
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1f544e4ef30da7da0b70b6a71edf2bdc.exe
Verdict:
Malicious activity
Analysis date:
2021-04-01 05:06:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/88f99137-ac78-4d65-8b88-cc97628c394f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129795/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0d075910c22ec856cbd281162299ce055630e5873f29450c11b748265331388/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 18:33:14 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
15a0720242e0e13d577776fefa74c511a2e055e2d8b1c8a26778ea2879d5b66f
Smoke Loader
1ec171eceaa41c096ef1b91eee79d32b4d3e509ae4670ec272f1f20ec799f7c3
Smoke Loader
76f6f155b3125edb0141feb31649d48634e23da1a4418e6d89e7c7de6564945b
Smoke Loader
889ad8c88f28742d66302c203d1b561fe3040890b4de2ad83f704eb48fe5e94b
Smoke Loader
addfb046313926c0cfb9e4293f76c408d8e6798e129f1a1043835088c54aa69b
Smoke Loader
b4238f117ebca7b67da9d385d596f64b98c6963c4c4a21b5558232a8afda8771
Smoke Loader
d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd
Smoke Loader
deceb572b4fd9c2e2c964ea1a574082a7bb6cc3952ad0c2eaeabe64f20d706fe
Smoke Loader
ea0b1b22d3dc7a4de123c44678015d6daf72e4cfa283889f393fa0724ce2ae2c
Smoke Loader
ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24
Smoke Loader
+ 568 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:vidar backdoor discovery evasion persistence stealer trojan vmprotect
Link:
https://tria.ge/reports/210331-es2wcfs1xs/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Unpacked files
SH256 hash:
9182f5904e7eba21a624a9773b407b91b3ce62fe468eb2f08900097a2c11c736
MD5 hash:
83214661ec613049f6ac027885953f70
SHA1 hash:
48771dca71cded7df146802801f4c09b8fd0fd3b
Link:
https://www.unpac.me/results/d8b31b95-4244-46dc-914c-7f05bd53083c/
SH256 hash:
a0d075910c22ec856cbd281162299ce055630e5873f29450c11b748265331388
MD5 hash:
1f544e4ef30da7da0b70b6a71edf2bdc
SHA1 hash:
acdc8f9357246b4984692fe01a65af6a435d560a
Link:
https://www.unpac.me/results/d8b31b95-4244-46dc-914c-7f05bd53083c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0d075910c22ec856cbd281162299ce055630e5873f29450c11b748265331388

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe a0d075910c22ec856cbd281162299ce055630e5873f29450c11b748265331388

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/129795/
  
URLhaus
https://urlhaus.abuse.ch/url/1100003/
  
Delivery method
Distributed via web download

Comments