MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b67badec6dbf8cd0653521bce25962e510a52d5cdbda11c31030714c17518735. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b67badec6dbf8cd0653521bce25962e510a52d5cdbda11c31030714c17518735
SHA3-384 hash: d6966c2e4d52c45614de3cceddfe61cd4d65c0d77ab8541add8f3959513cee08c41059f2560294a318290935223eaf91
SHA1 hash: 3ae8ee1b51d72db74272736d2da2cee6452837b7
MD5 hash: e29719aceb06a90bd47c10144c5f6de4
humanhash: alanine-washington-blossom-utah
File name:e29719aceb06a90bd47c10144c5f6de4.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:308'224 bytes
First seen:2021-03-11 07:50:49 UTC
Last seen:2021-03-11 09:47:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cc4b17d0e5d5a1e26966b8ee27266b0b (5 x Smoke Loader, 1 x DanaBot)
ssdeep 3072:Es484cuxsnsxbWTNzF7cf1OMFEVJeEBrh9MOnHUpVSAxm7JbM9cUK80uy5dvJgL:ET8zesW65zF7qv6/5BrDn0PxspMMg
Threatray 294 similar samples on MalwareBazaar
TLSH C9646B30A7A0C434F4B712B879BE9379E6297EB16B3490CF52D426EA5A346E4DC30747
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e29719aceb06a90bd47c10144c5f6de4.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-11 08:05:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5df89443-2cfd-4fff-a232-a4880b80e810

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123740/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader37.36146.27354.12681.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Searching for the window
Changing a file
Sending a custom TCP request
Connection attempt to an infection source
Forced shutdown of a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/636548
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 367249 Sample: z9mXoeDPej.exe Startdate: 11/03/2021 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected SmokeLoader 2->49 51 3 other signatures 2->51 8 z9mXoeDPej.exe 2->8         started        11 absvafd 2->11         started        13 explorer.exe 1 153 2->13         started        16 2 other processes 2->16 process3 dnsIp4 63 Detected unpacking (changes PE section rights) 8->63 18 z9mXoeDPej.exe 1 8->18         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 21 absvafd 1 11->21         started        43 192.168.2.1 unknown unknown 13->43 signatures5 process6 file7 53 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->53 55 Renames NTDLL to bypass HIPS 18->55 57 Maps a DLL or memory area into another process 18->57 24 explorer.exe 3 18->24 injected 31 C:\Users\user\AppData\Local\Temp\4DD3.tmp, PE32 21->31 dropped 59 Checks if the current machine is a virtual machine (disk enumeration) 21->59 61 Creates a thread in another existing process (thread injection) 21->61 signatures8 process9 dnsIp10 37 10022020newfolder33417-01242510022020.space 193.110.3.190, 49740, 80 GREENDC-ASRU Russian Federation 24->37 39 10022020test125831-service1002012510022020.space 24->39 41 7 other IPs or domains 24->41 33 C:\Users\user\AppData\Roaming\absvafd, PE32 24->33 dropped 35 C:\Users\user\...\absvafd:Zone.Identifier, ASCII 24->35 dropped 69 Benign windows process drops PE files 24->69 71 Deletes itself after installation 24->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->73 29 WerFault.exe 17 9 24->29         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b67badec6dbf8cd0653521bce25962e510a52d5cdbda11c31030714c17518735/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-03-11 07:17:37 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0cac1630f56f25462bfc12aeeeb52d4eb515783c5cba8fd74d715e2e46adaca6
Smoke Loader
170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
Smoke Loader
4853dce1d9a8c51244022d226378df142740101b09fa321830628612d6e6f284
Smoke Loader
4b74a532f2a5da62ae4298b75c9dc13ec959810a66c34aaefdf6b58c067396dd
Smoke Loader
666a5a0354a5f37b2de59a69f8dab856b9f7bb478bbdd2a996e040fe2b839650
Smoke Loader
854d167ff218c5caa012baaa7bb80a2bfdd1ec9c4c6b3a66bef57240ade29422
Smoke Loader
b9f3a45501f3b2bcff7c481546792f462bb2d49f06c8a7ed4b3599645c43f615
Smoke Loader
d5efd66f54dce6b51870e40a458fa30de366a2982ab2f83dddff5cb3349f654d
Smoke Loader
ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42
Smoke Loader
f69bdd82ca22268d090832707e37b1cae408ba96476843b55feedac11acc6277
Smoke Loader
+ 284 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor persistence trojan
Link:
https://tria.ge/reports/210311-556per52xx/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Deletes itself
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Unpacked files
SH256 hash:
dd27344f15277c37d0e13059b5050aa600393af329a4b90b257959d4130e9ff2
MD5 hash:
221ef3f90d75405fdf80addb109faa7f
SHA1 hash:
80f2eec32cd644640a53beddef77d23e4a1bd817
Link:
https://www.unpac.me/results/36a6fb39-d88f-422e-bcf5-a1d64cc75683/
SH256 hash:
b67badec6dbf8cd0653521bce25962e510a52d5cdbda11c31030714c17518735
MD5 hash:
e29719aceb06a90bd47c10144c5f6de4
SHA1 hash:
3ae8ee1b51d72db74272736d2da2cee6452837b7
Link:
https://www.unpac.me/results/36a6fb39-d88f-422e-bcf5-a1d64cc75683/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b67badec6dbf8cd0653521bce25962e510a52d5cdbda11c31030714c17518735

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b67badec6dbf8cd0653521bce25962e510a52d5cdbda11c31030714c17518735

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1060305/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123740/

Comments