MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 16

Intelligence 16 IOCs 6 YARA File information Comments

SHA256 hash:	a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df
SHA3-384 hash:	c923d807929c383af8d3f228f37d7b768bab32f52f6b3aed6292220376d97d548756a866abd7ca1e576b717903dd6cb8
SHA1 hash:	a29812244684e248d7fe4f9e65e180bb4cd3098a
MD5 hash:	89611c7a85fb5ccd4dd7edc076bc4ee8
humanhash:	lima-illinois-neptune-purple
File name:	89611c7a85fb5ccd4dd7edc076bc4ee8.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	436'224 bytes
First seen:	2021-12-04 22:46:39 UTC
Last seen:	2021-12-05 01:18:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	503fd9eea05c6f717892aae512299b17 (1 x Smoke Loader)
ssdeep	12288:1imaXG6cgudGbpR8W6szcwG67S+9Gf1NyKZ4:Mm7C8W3zLG6G+4f9Z
TLSH	T13194D013B781C9B3D472163134F6D765563AF9340B518E8BF7804B2A5D312E2AE32EDA
File icon (PE):
dhash icon	b89c66662636decc (9 x AgentTesla, 1 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe Smoke Loader

abuse_ch

Smoke Loader C2:
http://194.180.174.40/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://194.180.174.40/	https://threatfox.abuse.ch/ioc/259462/
87.251.73.109:37261	https://threatfox.abuse.ch/ioc/259581/
23.94.183.146:43680	https://threatfox.abuse.ch/ioc/259585/
62.182.157.172:33718	https://threatfox.abuse.ch/ioc/259591/
185.112.83.21:21142	https://threatfox.abuse.ch/ioc/259592/
192.3.157.96:3306	https://threatfox.abuse.ch/ioc/259593/

Intelligence

File Origin

# of uploads :

# of downloads :

270

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup.zip

Verdict:

Malicious activity

Analysis date:

2021-12-03 12:35:06 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/444de1b0-291d-4bd1-a21d-0ef6064e95d9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DLInjector06

Link:

https://www.capesandbox.com/analysis/211375/

Detection(s):

SecuriteInfo.com.Variant.Strictor.266632.13374.23929.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/849/overview

Behaviour

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware mokes packed strictor

Link:

https://www.filescan.io/uploads/61abefe7fa72c81b5b0bb9fd/reports/82c50267-3234-438e-8380-b336102ee44f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f87ad83a-df05-4bdb-929d-af638b9302e7

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/901528

Signature

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Behaviour

Behavior Graph:

Download SVG

Detection:

vidar

Link:

https://mwdb.cert.pl/sample/a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df/

Threat name:

Win32.Backdoor.Zapchast

Status:

Malicious

First seen:

2021-12-03 04:16:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 45 (44.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uxhym2h4syslhbv33lj2hw5crqbjsrierj6rlifq5za572paulpq._file

Verdict:

malicious

Result

Malware family:

socelars

Score:

10/10

Tags:

family:raccoon family:redline family:smokeloader family:socelars backdoor evasion infostealer spyware stealer trojan

Link:

https://tria.ge/reports/211204-2qjbnsedg5/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Defender Real-time Protection settings

Raccoon

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Malware Config

C2 Extraction:

http://www.wgqpw.com/
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/

Unpacked files

SH256 hash:

a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df

MD5 hash:

89611c7a85fb5ccd4dd7edc076bc4ee8

SHA1 hash:

a29812244684e248d7fe4f9e65e180bb4cd3098a

Link:

https://www.unpac.me/results/9f67b4f8-b522-4f6f-9e0b-a29a57eb7d9d/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a5cf8668fc96/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/211375/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample