MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9d54a962d46e4a2d40da284aa8b3a25a3b4e93b7c388890cd38b838a1a65433. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9d54a962d46e4a2d40da284aa8b3a25a3b4e93b7c388890cd38b838a1a65433
SHA3-384 hash: 96f5780559c46bd0966f1c525dd64c6a72ebc7284f23613a33b1fe92116558d50d1da34e41e1afbbdb395238e699edc5
SHA1 hash: 7b6aff6f3181b5e3ff902e2b0894935b4db29269
MD5 hash: 6c1f8b04da7ac6bb394cf07c4d3b731a
humanhash: mississippi-september-network-beryllium
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:324'608 bytes
First seen:2020-12-08 18:38:51 UTC
Last seen:2020-12-08 20:36:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a63f78fc727e8da52b75868d40530d91 (1 x Smoke Loader)
ssdeep 6144:YZ5udv2vqZ4C1xtkRnRzlcgv1GS03/oBG4WT773iQo6C/kjmVuT:YcZ4Ux2nRwPeq3Hnj1
Threatray 130 similar samples on MalwareBazaar
TLSH 0964AF93A8F08132D25E047588A7EAA0D75B68662F13B6CBC7F65BB94F202D11737349
Reporter fabjer
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Sly.com
Verdict:
Suspicious activity
Analysis date:
2020-12-08 05:10:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a04806e2-6c5b-4e63-aba0-6918c02d5b32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107339/
Detection(s):
PUA.Win.Downloader.Firseria-6804617-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Deleting of the original file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/557555
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 327875 Sample: Sly.com Startdate: 08/12/2020 Architecture: WINDOWS Score: 100 49 Multi AV Scanner detection for domain / URL 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected SmokeLoader 2->53 55 2 other signatures 2->55 8 Sly.exe 3 2->8         started        11 bahuhhu 3 2->11         started        process3 file4 61 Detected unpacking (changes PE section rights) 8->61 63 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->63 65 Renames NTDLL to bypass HIPS 8->65 73 2 other signatures 8->73 14 explorer.exe 3 8->14 injected 31 C:\Users\user\AppData\Local\Temp\44DA.tmp, PE32 11->31 dropped 67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Maps a DLL or memory area into another process 11->71 signatures5 process6 dnsIp7 39 thirdgearback.net 91.203.193.144, 49742, 80 GARANT-PARK-INTERNETRU Russian Federation 14->39 33 C:\Users\user\AppData\Roaming\bahuhhu, PE32 14->33 dropped 35 C:\Users\user\...\bahuhhu:Zone.Identifier, ASCII 14->35 dropped 41 Benign windows process drops PE files 14->41 43 Injects code into the Windows Explorer (explorer.exe) 14->43 45 Deletes itself after installation 14->45 47 2 other signatures 14->47 19 explorer.exe 14->19         started        22 explorer.exe 14->22         started        24 explorer.exe 14->24         started        26 4 other processes 14->26 file8 signatures9 process10 signatures11 57 Tries to harvest and steal browser information (history, passwords, etc) 19->57 59 Found evasive API chain (may stop execution after checking mutex) 22->59 28 WerFault.exe 20 9 24->28         started        process12 dnsIp13 37 192.168.2.1 unknown unknown 28->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9d54a962d46e4a2d40da284aa8b3a25a3b4e93b7c388890cd38b838a1a65433/
Threat name:
Win32.Dropper.Dropback
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 04:01:27 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhkuvfrni3skfvanukckvcz2ewr3j2j3pq4iregnhc4dringkqzq._file
Verdict:
malicious
Similar samples:
038db8698b6bf0a2b258c072ef1e9fe90e1b846c386631085da6daf730bbef88
Smoke Loader
1765e5f0ee49b2b6cf4a7361bbaac484f15c6c1d003de02338fffdb615e831d8
Smoke Loader
666a5a0354a5f37b2de59a69f8dab856b9f7bb478bbdd2a996e040fe2b839650
Smoke Loader
91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f
Smoke Loader
939b640dab052ec6a08e17075397aa34abb4d4943768628a767f93d9f7d973f8
Smoke Loader
ab7d156971b4c71bd112c92043ac2fcace480d0032f6303beda28fb2a5001b3d
Smoke Loader
b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184
Smoke Loader
ba1b8c4a78257830c7fa8528e9788af055d62d3605de94e7c433260ebdd9a286
Smoke Loader
d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740
Smoke Loader
fc25512ebc702b7b64fe49986b457e95884386944560d4fbdcf8a573e612629e
Smoke Loader
+ 120 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor spyware trojan
Link:
https://tria.ge/reports/201208-5e1x2bcxes/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
SmokeLoader
Malware Config
C2 Extraction:
http://thirdgearback.net/
Unpacked files
SH256 hash:
a9d54a962d46e4a2d40da284aa8b3a25a3b4e93b7c388890cd38b838a1a65433
MD5 hash:
6c1f8b04da7ac6bb394cf07c4d3b731a
SHA1 hash:
7b6aff6f3181b5e3ff902e2b0894935b4db29269
Link:
https://www.unpac.me/results/fcabd84f-52d6-4cf7-a837-580c2210c1e7/
SH256 hash:
357db255be78b101b693af1bf4b6c7d1c4d5a0837569e76f92b7107230b03ee2
MD5 hash:
af4c8de66e8c0cabac227c9883f350ba
SHA1 hash:
5d120985c115624c42ba229899d2299748bbf422
Link:
https://www.unpac.me/results/fcabd84f-52d6-4cf7-a837-580c2210c1e7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Smokeloader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9d54a962d46e4a2d40da284aa8b3a25a3b4e93b7c388890cd38b838a1a65433

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

lha 92d27ddad8c8e5781c8a30b21aefcd5f821b7c62a50549aff47f519c07245702

Smoke Loader

Executable exe a9d54a962d46e4a2d40da284aa8b3a25a3b4e93b7c388890cd38b838a1a65433

(this sample)

  
Dropped by
SHA256 92d27ddad8c8e5781c8a30b21aefcd5f821b7c62a50549aff47f519c07245702
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107339/

Comments