MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a641c3189ae0259507e027e65de7e214d2a5a9b394c3489700d6847c7297a18e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	a641c3189ae0259507e027e65de7e214d2a5a9b394c3489700d6847c7297a18e
SHA3-384 hash:	f2fc899e1ca24022a1e8d9ac6214224756a32f6387ed58fa67e1249a0be63816212383be60026e36ff2ee92109fb8450
SHA1 hash:	16f499816b778c7b7a6a28c3b60e7e44dc414c7e
MD5 hash:	0bc66b21901b127a1ebc4097e9ed4790
humanhash:	winner-jig-uncle-two
File name:	0bc66b21901b127a1ebc4097e9ed4790.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	342'016 bytes
First seen:	2022-01-27 07:48:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	aa2b22e8e3b96fd546a63d71626f45a6 (5 x RedLineStealer, 2 x Smoke Loader, 2 x RaccoonStealer)
ssdeep	6144:v4IwvrvXG4Mb+JAB7xNkM4lxTVU0M5LNdew6GjLt+ptuXWlZvT:vXo+++pTB4lxTVU0MzdehGjR+p8ml
TLSH	T185747D00B7A1D035F5B722F44AB993BCA93E7AA1572461CB63D16AEE57346E0DC3130B
File icon (PE):
dhash icon	2dac137031939bb1 (3 x Smoke Loader)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

373

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0bc66b21901b127a1ebc4097e9ed4790.exe

Verdict:

Suspicious activity

Analysis date:

2022-01-27 10:15:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6a44969d-3f40-4f60-b76a-242efe4f4e1a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/224127/

Detection(s):

Win.Dropper.Mikey-9917324-0

Win.Packed.Tofsee-9937387-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for the window

Creating a file

Launching a process

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5296/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61f24e7759d130b02a570487/reports/04bb8ca3-7573-4285-b894-0a72769e8b45/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1ebcee4c-5fdd-4ddb-b74d-7c299bb454b0

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/928875

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a641c3189ae0259507e027e65de7e214d2a5a9b394c3489700d6847c7297a18e/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-01-26 19:22:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uza4gge24aszkb7ae7tf3z7cctjklkntstburfya22chy4uxugha._file

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220127-jnpfsshefl/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Loads dropped DLL

Executes dropped EXE

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc

MD5 hash:

198ff357daf4345c9fc869616b139381

SHA1 hash:

24c9899b296cf004e400b77e72b89f42bb726f37

Link:

https://www.unpac.me/results/d7501b72-9f7f-4769-9814-8266e86638ce/

Parent samples :

3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d

SH256 hash:

a641c3189ae0259507e027e65de7e214d2a5a9b394c3489700d6847c7297a18e

MD5 hash:

0bc66b21901b127a1ebc4097e9ed4790

SHA1 hash:

16f499816b778c7b7a6a28c3b60e7e44dc414c7e

Link:

https://www.unpac.me/results/d7501b72-9f7f-4769-9814-8266e86638ce/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a641c3189ae0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a641c3189ae0259507e027e65de7e214d2a5a9b394c3489700d6847c7297a18e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe a641c3189ae0259507e027e65de7e214d2a5a9b394c3489700d6847c7297a18e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1970142/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1995770/

Cape

https://www.capesandbox.com/analysis/224127/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample