MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8e32a8b7c14f229a8fa62db658d7edf31f5f182219c9e5a03a477b793f64c51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	a8e32a8b7c14f229a8fa62db658d7edf31f5f182219c9e5a03a477b793f64c51
SHA3-384 hash:	782ff35f43563b6ec224727a589901aec987417aadd865e598b1531c68881931782e28dbae3de511157acc58301835b2
SHA1 hash:	10285f1d23863aa277c36627f43d15d160c8bfec
MD5 hash:	f3207b1a2c3b09be2cd6c16e9277d2d7
humanhash:	happy-ohio-solar-carbon
File name:	f3207b1a2c3b09be2cd6c16e9277d2d7.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	282'624 bytes
First seen:	2021-08-19 08:29:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8a6418b2bb39e9edb3ac9aabaf7ba016 (6 x Amadey, 5 x RedLineStealer, 2 x Smoke Loader)
ssdeep	6144:/UKVJHQOUqa+gOaWdOlOaqCKi3ip3M3c:VBQOPa+WWdOQh3iypn
Threatray	1'092 similar samples on MalwareBazaar
TLSH	T151547D20B691C035E1A613F558B583A8AB2CBD745B2450DF62D63BFE67382D49C3076B
dhash icon	ead8ac9cc6e68ae0 (3 x RaccoonStealer, 1 x DanaBot, 1 x Smoke Loader)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

213

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f3207b1a2c3b09be2cd6c16e9277d2d7.exe

Verdict:

No threats detected

Analysis date:

2021-08-19 08:33:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f945eddb-6b07-4142-a1bb-807ed1ece5eb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/180590/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader41.16114.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending an HTTP POST request

Deleting of the original file

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f734ae45-a6de-44b1-be46-97a866712679

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/835625

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8e32a8b7c14f229a8fa62db658d7edf31f5f182219c9e5a03a477b793f64c51/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-19 03:17:20 UTC

AV detection:

16 of 47 (34.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vdrsvc34ctzctkh2mlnwldl634y7l4mcegoj4wqdur33pe7wjriq._file

Verdict:

suspicious

Smoke Loader

1d76266267ca27570b9cfb6f2a84b80ef607e9450d475eabad2e630cfbd77b7e

Smoke Loader

328e682510e9c0e0c37a7c8d347ecb4e7791a03b44962675a3f5f23d85250e08

Smoke Loader

39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4

Smoke Loader

41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff

Smoke Loader

5f0caccb3ca599a30b5f298f9bb414fe721121c83b7bedc7c59ffe4128c96b61

Smoke Loader

c5fc8453bf6cdd3e96740b1616ba2f6b359710ce2eb32f02faf8c0e299a0a057

Smoke Loader

c7839db336f11c965ab8e6fbad1a6c757711a24362cc20d63d4ce37aef9b83b1

Smoke Loader

cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1

Smoke Loader

+ 1'082 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:smokeloader family:vidar botnet:517 backdoor discovery persistence stealer suricata trojan

Link:

https://tria.ge/reports/210819-vxh1v9gysa/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Deletes itself

Loads dropped DLL

Modifies file permissions

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

SmokeLoader

Vidar

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

Malware Config

C2 Extraction:

http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/

Unpacked files

SH256 hash:

18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2

MD5 hash:

f2fecf6872ad4c61a3a506159fddd4fc

SHA1 hash:

28e039eb96dcf58841992280c66433a2bbab8e84

Link:

https://www.unpac.me/results/a1079a25-7784-46c7-afee-5f5576f02c47/

SH256 hash:

a8e32a8b7c14f229a8fa62db658d7edf31f5f182219c9e5a03a477b793f64c51

MD5 hash:

f3207b1a2c3b09be2cd6c16e9277d2d7

SHA1 hash:

10285f1d23863aa277c36627f43d15d160c8bfec

Link:

https://www.unpac.me/results/a1079a25-7784-46c7-afee-5f5576f02c47/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8e32a8b7c14f229a8fa62db658d7edf31f5f182219c9e5a03a477b793f64c51

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe a8e32a8b7c14f229a8fa62db658d7edf31f5f182219c9e5a03a477b793f64c51

(this sample)

Cape

https://www.capesandbox.com/analysis/180590/

URLhaus

https://urlhaus.abuse.ch/url/1533747/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample