MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9f3a45501f3b2bcff7c481546792f462bb2d49f06c8a7ed4b3599645c43f615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9f3a45501f3b2bcff7c481546792f462bb2d49f06c8a7ed4b3599645c43f615
SHA3-384 hash: ebe860edf047235fa6416f694d782a1a07ef50831ca0e93f9e7c3a16225497caecc37cf38f54f814b4cb84cd539b7d20
SHA1 hash: 179ca4fa4deeead8475901906bcec3a674d2271c
MD5 hash: f8e46da8ada2e8cd36468df680203f0c
humanhash: five-mexico-green-magazine
File name:SecuriteInfo.com.W32.AIDetect.malware1.13347.26113
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:308'736 bytes
First seen:2021-03-11 04:42:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cc4b17d0e5d5a1e26966b8ee27266b0b (5 x Smoke Loader, 1 x DanaBot)
ssdeep 6144:5U8DusAGBjmq/JxydVMSHtm6aYrDUOTzw:5UM3AGBjtJYLt5aSUWE
Threatray 293 similar samples on MalwareBazaar
TLSH 6C647C30A7A0C430F4BA22BC497A937DA92D7E716724A1CF56D12AEA52746F4DC3074F
Reporter SecuriteInfoCom
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware1.13347.26113
Verdict:
Suspicious activity
Analysis date:
2021-03-11 04:47:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec353d8b-0952-4f47-b6b2-b5f5d4e7b51b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123671/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.13347.26113.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Sending a UDP request
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Searching for the window
Changing a file
Connection attempt to an infection source
Forced shutdown of a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/636389
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 367170 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 11/03/2021 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected SmokeLoader 2->54 56 Machine Learning detection for sample 2->56 58 2 other signatures 2->58 8 SecuriteInfo.com.W32.AIDetect.malware1.13347.exe 2->8         started        11 svibvvf 2->11         started        13 explorer.exe 1 150 2->13         started        15 SearchUI.exe 2 32 2->15         started        process3 signatures4 60 Detected unpacking (changes PE section rights) 8->60 17 SecuriteInfo.com.W32.AIDetect.malware1.13347.exe 1 8->17         started        62 Machine Learning detection for dropped file 11->62 64 Contains functionality to inject code into remote processes 11->64 66 Injects a PE file into a foreign processes 11->66 20 svibvvf 1 11->20         started        process5 file6 42 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->42 44 Renames NTDLL to bypass HIPS 17->44 46 Maps a DLL or memory area into another process 17->46 23 explorer.exe 3 17->23 injected 30 C:\Users\user\AppData\Local\Temp\4DD3.tmp, PE32 20->30 dropped 48 Checks if the current machine is a virtual machine (disk enumeration) 20->48 50 Creates a thread in another existing process (thread injection) 20->50 signatures7 process8 dnsIp9 36 10022020test125831-service1002012510022020.space 23->36 38 10022020newfolder3100231-service1002.space 23->38 40 7 other IPs or domains 23->40 32 C:\Users\user\AppData\Roaming\svibvvf, PE32 23->32 dropped 34 C:\Users\user\...\svibvvf:Zone.Identifier, ASCII 23->34 dropped 68 Benign windows process drops PE files 23->68 70 Deletes itself after installation 23->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->72 28 WerFault.exe 17 9 23->28         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9f3a45501f3b2bcff7c481546792f462bb2d49f06c8a7ed4b3599645c43f615/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-03-11 04:43:06 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0cac1630f56f25462bfc12aeeeb52d4eb515783c5cba8fd74d715e2e46adaca6
Smoke Loader
170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
Smoke Loader
290980462cb21d689c20276b2aac1aa8dc704b237235723e847199a109218e1e
Smoke Loader
4853dce1d9a8c51244022d226378df142740101b09fa321830628612d6e6f284
Smoke Loader
4b74a532f2a5da62ae4298b75c9dc13ec959810a66c34aaefdf6b58c067396dd
Smoke Loader
666a5a0354a5f37b2de59a69f8dab856b9f7bb478bbdd2a996e040fe2b839650
Smoke Loader
854d167ff218c5caa012baaa7bb80a2bfdd1ec9c4c6b3a66bef57240ade29422
Smoke Loader
d5efd66f54dce6b51870e40a458fa30de366a2982ab2f83dddff5cb3349f654d
Smoke Loader
ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42
Smoke Loader
f69bdd82ca22268d090832707e37b1cae408ba96476843b55feedac11acc6277
Smoke Loader
+ 283 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor persistence trojan
Link:
https://tria.ge/reports/210311-stvcv9m69j/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Enumerates connected drives
Deletes itself
Loads dropped DLL
Modifies Installed Components in the registry
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Unpacked files
SH256 hash:
79b4ddbc090a1d42533748c1154c86a537f01754e4e399d9d429a514ddbd6d21
MD5 hash:
d754acbacab8dadbace7de8feb317a05
SHA1 hash:
8ced5cae16a454dc3fc59c8a8a1e8b76482109a3
Link:
https://www.unpac.me/results/c58c5844-344d-4a91-a41f-be12ddca5ab5/
SH256 hash:
b9f3a45501f3b2bcff7c481546792f462bb2d49f06c8a7ed4b3599645c43f615
MD5 hash:
f8e46da8ada2e8cd36468df680203f0c
SHA1 hash:
179ca4fa4deeead8475901906bcec3a674d2271c
Link:
https://www.unpac.me/results/c58c5844-344d-4a91-a41f-be12ddca5ab5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9f3a45501f3b2bcff7c481546792f462bb2d49f06c8a7ed4b3599645c43f615

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b9f3a45501f3b2bcff7c481546792f462bb2d49f06c8a7ed4b3599645c43f615

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1060314/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123671/

Comments