MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b
SHA3-384 hash: 52e8b0b16368ce2057d4b70b6d931b28fbf0fe5b7e957e7ed163b76841dd99a3e9c9c5674d29d158a52f3d94ced10238
SHA1 hash: 47a5850ad4c2b7e6708fa28300f8fdaf54839ebf
MD5 hash: 553cc8aee992da42454595e76d7afb37
humanhash: burger-oscar-table-kentucky
File name:pax_389.bin
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:228'352 bytes
First seen:2024-01-02 20:45:22 UTC
Last seen:2024-01-02 20:46:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b2e3875b9432f537090e379200a83dca (4 x Stealc, 2 x Tofsee, 2 x Smoke Loader)
ssdeep 6144:u4sxL7SMoJcll5+CZNdX9O3LidITCW2HTfKs0qxIT:u4UHSMecXhJg3LiGTCW2HDKrqi
Threatray 2'327 similar samples on MalwareBazaar
TLSH T10724C0027580D872C9A250348C38D2F5777FBC679A695A8776683FAF7E323826771312
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ecccccc4d4e8e4d4 (1 x Smoke Loader)
Reporter themalwareguy
Tags:exe Smoke Loader SmokeLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
363
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CR51720.zip
Verdict:
Malicious activity
Analysis date:
2023-09-19 13:03:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/813ffc1c-74da-49f7-98fd-7ebe99fd2ea5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Win.Packed.Chapak-10010783-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed smokeloader
Link:
https://www.filescan.io/uploads/65947620b855eb36930d8609/reports/fb42d072-acbc-48c6-863b-a92cada92f5a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2f3fb95-e282-44b7-8ae8-c0135f69e3d9
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1369018
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download HTTP data from a sinkholed server
Tries to resolve many domain names, but no domain seems valid
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1369018 Sample: pax_389.bin.exe Startdate: 02/01/2024 Architecture: WINDOWS Score: 100 28 zasadacafe.by 2->28 30 zakrylki809.ru 2->30 32 18 other IPs or domains 2->32 50 Tries to download HTTP data from a sinkholed server 2->50 52 Snort IDS alert for network traffic 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 8 other signatures 2->56 8 pax_389.bin.exe 2->8         started        11 fjivahi 2->11         started        13 fjivahi 2->13         started        signatures3 process4 signatures5 58 Detected unpacking (changes PE section rights) 8->58 60 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->60 62 Maps a DLL or memory area into another process 8->62 15 explorer.exe 4 3 8->15 injected 64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 68 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->68 70 Checks if the current machine is a virtual machine (disk enumeration) 13->70 72 Creates a thread in another existing process (thread injection) 13->72 20 explorer.exe 15 145 13->20         started        process6 dnsIp7 34 diplombar.by 15->34 36 tvoyaradostetoya.ru 195.123.219.57, 49735, 49738, 49740 ITLDC-NLUA Bulgaria 15->36 38 popuasyfromua.ru 194.58.112.174, 49736, 49739, 49741 AS-REGRU Russian Federation 15->38 24 C:\Users\user\AppData\Roaming\fjivahi, PE32 15->24 dropped 26 C:\Users\user\...\fjivahi:Zone.Identifier, ASCII 15->26 dropped 40 System process connects to network (likely due to code injection or exploit) 15->40 42 Benign windows process drops PE files 15->42 44 Deletes itself after installation 15->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->46 22 WerFault.exe 21 15->22         started        48 Query firmware table information (likely to detect VMs) 20->48 file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 07:45:03 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
32 of 36 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vcrrgddxtecoeo2q22nu445hcszulyuw73v3t5skomwvy47hs45q._file
Verdict:
malicious
Similar samples:
106318f8a5c025270e181cf5ca8f39cf6644086b5ff763467ecd318a8fe211af
Smoke Loader
2a29d30d6d6621afde713d8854f19f0887283cb9648f116b73c9966447746fc1
Smoke Loader
3a0dfd9052b7a4dd33b5eedd0126eda62bffbb8dde2a3595b8942b4b927723f8
Smoke Loader
5614d697eb4e5bcd273915b53899372c08cb099b1fac6720b17ba4f6564a5cfe
Smoke Loader
5da130a02677de7c3623de109f8db22fa5abacb4381194a89ad62215303b6592
Smoke Loader
7c311a6be00d9c513752760c26d44ea69159a222f4d9719629342e4cc157ac90
Smoke Loader
bc7bc2e78ad0bbb1be1f4c60f7cc6f2ed639c9d1f6a9a42f6f1497e6a083708b
Smoke Loader
d0f9030dbeed2cf285881eaa72226b8fb572ca7b70238cf79a0aa587d122cb39
Smoke Loader
eca8f5d25f650cab4032c7aec6c629efa5cf886ff41130acec5cc4c29446a478
Smoke Loader
+ 2'317 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/240102-233wvaech8/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Deletes itself
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://dublebomber.ru/
http://yavasponimayu.ru/
http://nomnetozhedenyuzhkanuzhna.ru/
http://prostosmeritesya.ru/
http://ipoluchayteudovolstvie.ru/
http://super777bomba.ru/
http://specnaznachenie.ru/
http://zakrylki809.ru/
http://propertyminsk.by/
http://iloveua.ir/
http://moyabelorussiya.by/
http://tvoyaradostetoya.ru/
http://zasadacafe.by/
http://restmantra.by/
http://kozachok777.ru/
http://propertyiran.ir/
http://sakentoshi.ru/
http://popuasyfromua.ru/
http://diplombar.by/
Unpacked files
SH256 hash:
2100d850a75c59b8fd9397410bec6a3632db5166657514b68fcb6342dad20dc5
MD5 hash:
e590ed2a0eac4f068beae4014c422e91
SHA1 hash:
b8b2fe7268cf00e91e74083022e87b080fc719e8
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/a1d30755-33f5-47c7-ab4a-9a064f68215e/
Parent samples :
143310670009099214b1b1a812e98a485db3e2879ab35dca8ba63005a62a610c
9a528b2b31d9d59018878fdf3b9d8db235df606500c67a4b8be3075701b014fc
efd2a3ddbf2b7e68a8f3359865dfcd6fd1403fb7d1dc945aa7aa4ccb50284ee7
8ba20520e093f97c81b1f698a3a3a75fa894040777ef32993a920c165613fbfa
d3bff8ee2566c13a391cec24be134d3d04ee65b87529e1c98caf93b5b559fce4
4d311d7c8d8233168a120ce059b0e6376033ef73a2f5504f00f5a288d09df133
a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b
SH256 hash:
a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b
MD5 hash:
553cc8aee992da42454595e76d7afb37
SHA1 hash:
47a5850ad4c2b7e6708fa28300f8fdaf54839ebf
Link:
https://www.unpac.me/results/a1d30755-33f5-47c7-ab4a-9a064f68215e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a8a3130c7799/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8a3130c779904e23b50d69b4e73a714b345e296feebb9f64a732d5c73e7973b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/october/The%20Surge%20in%20Smokeloader%20Attacks%20on%20Ukrainian%20Institutions%20UA.pdf
  
Delivery method
Multiple

Comments