MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a880225c884054d3b9f9feb7fe62decfb6de2f2b0f57f0e1b301fbe2f1b82720. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Smoke Loader
Vendor detections: 12
| SHA256 hash: | a880225c884054d3b9f9feb7fe62decfb6de2f2b0f57f0e1b301fbe2f1b82720 |
|---|---|
| SHA3-384 hash: | ca1d10619aaa8b00630bb0dfb793a9806b44d901bfef5878817f66eb76b648b63275075155c590a690147fe9a73ac999 |
| SHA1 hash: | ec80d8ef6fa8ecee80abc0c9c2bc2ea28db4a18d |
| MD5 hash: | 9e853faf77b84e30e058cbdc397e5883 |
| humanhash: | bluebird-mars-charlie-uncle |
| File name: | 9e853faf77b84e30e058cbdc397e5883.exe |
| Download: | download sample |
| Signature | Smoke Loader |
| File size: | 166'912 bytes |
| First seen: | 2022-11-21 09:58:15 UTC |
| Last seen: | 2022-11-21 11:40:55 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | e5376df72433167763670bb2214e64b1 (10 x Smoke Loader, 9 x Amadey, 4 x RedLineStealer) |
| ssdeep | 3072:NiSMqZ6Q7r8tWvsLp54Oyyrur22WSiVsJFZ:N3Z6yFvsA/nrZWSusJ |
| Threatray | 14'090 similar samples on MalwareBazaar |
| TLSH | T102F3CF9036D0D033C26746701D68D2E0AB7FBA326AB5DA4BBB581B6D5F712C16A36307 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | 2dac1370319b9b91 (22 x Smoke Loader, 20 x RedLineStealer, 18 x Amadey) |
| Reporter |  abuse_ch |
| Tags: | Dofoil exe Smoke Loader |
Intelligence
File Origin
# of uploads :
2
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9e853faf77b84e30e058cbdc397e5883.exe
Verdict:
No threats detected
Analysis date:
2022-11-21 09:59:15 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Result
Threat name:
SmokeLoader
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.SmokeLoader
Status:
Malicious
First seen:
2022-11-21 09:00:23 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
26 of 40 (65.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 14'080 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Score:
10/10
Tags:
family:smokeloader backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
SmokeLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
42ed091ad092eeb965d550b012d06c63b307cc2d0bb81de201c8d7fe9d9de18b
MD5 hash:
1139c37c1173625bbff31fdad921afc2
SHA1 hash:
571d496707c651596802b4088d263d8ebf18e32f
Detections:
win_smokeloader_a2
SmokeLoaderStage2
Parent samples :
de219eb4ea8aa0886fc938555a58a49644c95f55c1c2d733f7cf41eea3f8d7e6
9d39d86261ee64c75ed533732cb64a9d129e14dd342297d1da06fd1f06daec3d
006b63b512fb67fffb615dad5dbe3b0469fd8f4c761ac3278ad812519617cb29
a356113a7b50dfbd210f14b92de45852bb0b64c50854b05765676f727d8b019d
a09c9147b0f01e380478064ed50d2b23c18e1b9225a927775b74e778fab84849
d0320b423b161cff11093ebaa7c71a2db445650e5574dd5225a86dabc22d64aa
8bb0c3620d088547fecab128c97aa368caeebb99a6e6055ef6b67970cf59110f
19633da847079d57f96c20babc5462365c83a6f33db7a4399ea532b301ee2f67
ca668a761ac88d54e2e7eeb8af03cbb5c0808425340bc4336ab718137b5151aa
01ef4643d1e6b32b776171f9ec4cd10b106df2d9a3afd82b174853f5527f4266
8ec931cddc18db83ebd308660dece0e1f5b6fe022786c700496a73a73e9f1507
fd9aca79c7ba21a137e66beb4539d0dde7281c9f7c84e40124f7016ad6a8849c
976930959dc9764f82dd1b35c70cf7e6076cda1fcb297c2db80ff17299ea68a1
f45f48913f9fd5eff7b17cfff139432c6f7dc60d6b6351729afd99d3cc721b5c
04f810e79dd12c5855677fe690a7e833fbc994e134be01d8b5ffd0dc4cb51ef2
45389710aba1905940e6ae1da52918cfa63e0bbcefe1777f78c3a54d157ae5a7
88bd07451349874b3524ec34033788494efa01900352907d2781e628ac531555
417922cc2572bfcde644ecf343f88d6f956739fbc35107b558e071d55212c44b
e1704b30406fd1e4d9cc62e54be13c8db04431eecb14878457362052ff7282b4
204bb98ea8001c3f289487277c2be40550c9e3dd34aee2cd1e14749c3b448009
5edb3f3a74e0a6b2efe95c0fc9020f2867d50def5f802fae74257fe72319b829
1aaa8931c30791dbb33bab5ec8a7f1a024af22a8894f17e5a7c3b2bc8052cd96
11f89bbb235836fe8facae922f9a015d14b1bfabc0bf777945931156746d682f
8737087d69c209f1ce311e1847ba602a7980c81418d1542ad070bdf1aa1abcda
960b2c72257225e1cf330385d011a129034cf3fc1f28a5430c8867ca3b80d094
89f9de3672e66eac3a42d25b46689348cdb90011df6fc2e9f26d11e8ffb6d351
abe64a60092274711b67a6ea7ea959d510eeb2445bbde939d4255bc00e397f5f
74892beb9fb8ad8d11ae4d32c5521a1a47671791c23ddc2b46759c20f9d6cf44
99cf3191af8b62af5fdaf338ce2dfb3d5301a63eea5422827d7ca015f460d206
7b6ce6ac6b6325c2ae7dece98ef58052523396df5ee820ed068a505bad1a13fb
44e018207fa09c3277f1e518e45d3e15caf0afe465d23f043eb01db033ae19d6
9578350919b6af89f77946aa6fd93a2698fe274049d70795979249ff25a0314d
a5a460d72bcca060231620caba5a79435cd54785f3c2524514285e500ace9f76
ab95f59b448bb4b58d91e0ab4059cd213fabb1c5562fe1be0dcb6e770fbf872e
7605440d89b714b4ba5edf780f2e88a871406d830327116336ded94805048fe7
62f1f9b6121dc813fc264b9baa8bad911676c1a9ec0f2db42c240f51732e15e3
caa6f6c41edcd636a7a559fd94007867d046082356028eac14374196fd5e2211
1000f75b4403f4a2db8391224ae0e7ee32a58fd711c2f1ca64761d23d9b133bf
9ed0ba34fb61d1ee7055e867552a23376c89e04a572232a7e2cd61323c7c621c
3a7f54fb30b857100c3a8807c789cfa9558289bb65be4fe8f56b12417d1aa273
126cca8c22ff94234f64c21a59ddafce3cca24d16dd9a27b1090db0de03c3d10
ab305012a0b6c6eb40e40299510e791c5fe277ce56715002c15c6e621bd70988
171dd6b8ab5549bb58ffe870da5880e8ccf09dadfd281838a93628bef4fef5c4
bae26db4c44f2174a51daea6bd915b132c61b9569776c64b0e10a52cd89bad3e
ebc9065ebc91a10ead4b0d21929b425e434bd34a0d98299019e26dd016a57ca3
a314e1d13bcf2d2a0630bc7a0319e0de0cdc54b8aa69413a723ed7415aaf9323
3718cfb95115493950d9c9a3fc26fcd679c47ebfa38b777241c5ed58a2b84376
cc7d602f3cd56008515505e54c2a175830cab7ea127138701a8777d03d792440
cfcdd8b96d11b24842c49b74c6dbef3caeff9161ef63e0e53034b4f461b5b668
a880225c884054d3b9f9feb7fe62decfb6de2f2b0f57f0e1b301fbe2f1b82720
d9ddde7f8a79532a71e034aca0090624ae8c4859afcfbfc76d51ce0e9a33f126
3a4095e8b59102d184c3045847310b3c3ac94b1ebc3f2dab1d16158b0a67ee75
e4a3d5c424ff9572df88d66961157b285196df4a2bc12a1a091d93d4f5d1bf48
d7d11966dc2dc593f139d0e6a3126a84067b861127418deb08ddbb5aa9ae59c7
fa52a237a08ec0d6dce4c0458b0288d9698f5a23b57d66949e6374af9823cf19
3957dc37cd4d875f102e28f5a5af6b5abd41bbf4bd614ac3ea23fc5b02b3645b
9d39d86261ee64c75ed533732cb64a9d129e14dd342297d1da06fd1f06daec3d
006b63b512fb67fffb615dad5dbe3b0469fd8f4c761ac3278ad812519617cb29
a356113a7b50dfbd210f14b92de45852bb0b64c50854b05765676f727d8b019d
a09c9147b0f01e380478064ed50d2b23c18e1b9225a927775b74e778fab84849
d0320b423b161cff11093ebaa7c71a2db445650e5574dd5225a86dabc22d64aa
8bb0c3620d088547fecab128c97aa368caeebb99a6e6055ef6b67970cf59110f
19633da847079d57f96c20babc5462365c83a6f33db7a4399ea532b301ee2f67
ca668a761ac88d54e2e7eeb8af03cbb5c0808425340bc4336ab718137b5151aa
01ef4643d1e6b32b776171f9ec4cd10b106df2d9a3afd82b174853f5527f4266
8ec931cddc18db83ebd308660dece0e1f5b6fe022786c700496a73a73e9f1507
fd9aca79c7ba21a137e66beb4539d0dde7281c9f7c84e40124f7016ad6a8849c
976930959dc9764f82dd1b35c70cf7e6076cda1fcb297c2db80ff17299ea68a1
f45f48913f9fd5eff7b17cfff139432c6f7dc60d6b6351729afd99d3cc721b5c
04f810e79dd12c5855677fe690a7e833fbc994e134be01d8b5ffd0dc4cb51ef2
45389710aba1905940e6ae1da52918cfa63e0bbcefe1777f78c3a54d157ae5a7
88bd07451349874b3524ec34033788494efa01900352907d2781e628ac531555
417922cc2572bfcde644ecf343f88d6f956739fbc35107b558e071d55212c44b
e1704b30406fd1e4d9cc62e54be13c8db04431eecb14878457362052ff7282b4
204bb98ea8001c3f289487277c2be40550c9e3dd34aee2cd1e14749c3b448009
5edb3f3a74e0a6b2efe95c0fc9020f2867d50def5f802fae74257fe72319b829
1aaa8931c30791dbb33bab5ec8a7f1a024af22a8894f17e5a7c3b2bc8052cd96
11f89bbb235836fe8facae922f9a015d14b1bfabc0bf777945931156746d682f
8737087d69c209f1ce311e1847ba602a7980c81418d1542ad070bdf1aa1abcda
960b2c72257225e1cf330385d011a129034cf3fc1f28a5430c8867ca3b80d094
89f9de3672e66eac3a42d25b46689348cdb90011df6fc2e9f26d11e8ffb6d351
abe64a60092274711b67a6ea7ea959d510eeb2445bbde939d4255bc00e397f5f
74892beb9fb8ad8d11ae4d32c5521a1a47671791c23ddc2b46759c20f9d6cf44
99cf3191af8b62af5fdaf338ce2dfb3d5301a63eea5422827d7ca015f460d206
7b6ce6ac6b6325c2ae7dece98ef58052523396df5ee820ed068a505bad1a13fb
44e018207fa09c3277f1e518e45d3e15caf0afe465d23f043eb01db033ae19d6
9578350919b6af89f77946aa6fd93a2698fe274049d70795979249ff25a0314d
a5a460d72bcca060231620caba5a79435cd54785f3c2524514285e500ace9f76
ab95f59b448bb4b58d91e0ab4059cd213fabb1c5562fe1be0dcb6e770fbf872e
7605440d89b714b4ba5edf780f2e88a871406d830327116336ded94805048fe7
62f1f9b6121dc813fc264b9baa8bad911676c1a9ec0f2db42c240f51732e15e3
caa6f6c41edcd636a7a559fd94007867d046082356028eac14374196fd5e2211
1000f75b4403f4a2db8391224ae0e7ee32a58fd711c2f1ca64761d23d9b133bf
9ed0ba34fb61d1ee7055e867552a23376c89e04a572232a7e2cd61323c7c621c
3a7f54fb30b857100c3a8807c789cfa9558289bb65be4fe8f56b12417d1aa273
126cca8c22ff94234f64c21a59ddafce3cca24d16dd9a27b1090db0de03c3d10
ab305012a0b6c6eb40e40299510e791c5fe277ce56715002c15c6e621bd70988
171dd6b8ab5549bb58ffe870da5880e8ccf09dadfd281838a93628bef4fef5c4
bae26db4c44f2174a51daea6bd915b132c61b9569776c64b0e10a52cd89bad3e
ebc9065ebc91a10ead4b0d21929b425e434bd34a0d98299019e26dd016a57ca3
a314e1d13bcf2d2a0630bc7a0319e0de0cdc54b8aa69413a723ed7415aaf9323
3718cfb95115493950d9c9a3fc26fcd679c47ebfa38b777241c5ed58a2b84376
cc7d602f3cd56008515505e54c2a175830cab7ea127138701a8777d03d792440
cfcdd8b96d11b24842c49b74c6dbef3caeff9161ef63e0e53034b4f461b5b668
a880225c884054d3b9f9feb7fe62decfb6de2f2b0f57f0e1b301fbe2f1b82720
d9ddde7f8a79532a71e034aca0090624ae8c4859afcfbfc76d51ce0e9a33f126
3a4095e8b59102d184c3045847310b3c3ac94b1ebc3f2dab1d16158b0a67ee75
e4a3d5c424ff9572df88d66961157b285196df4a2bc12a1a091d93d4f5d1bf48
d7d11966dc2dc593f139d0e6a3126a84067b861127418deb08ddbb5aa9ae59c7
fa52a237a08ec0d6dce4c0458b0288d9698f5a23b57d66949e6374af9823cf19
3957dc37cd4d875f102e28f5a5af6b5abd41bbf4bd614ac3ea23fc5b02b3645b
SH256 hash:
a880225c884054d3b9f9feb7fe62decfb6de2f2b0f57f0e1b301fbe2f1b82720
MD5 hash:
9e853faf77b84e30e058cbdc397e5883
SHA1 hash:
ec80d8ef6fa8ecee80abc0c9c2bc2ea28db4a18d
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pdb_YARAify |
|---|---|
| Author: | @wowabiy314 |
| Description: | PDB |
| Rule name: | Windows_Trojan_Smokeloader_3687686f |
|---|---|
| Author: | Elastic Security |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.