MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cea8d7f1b5eaf8e7c82bc5f88499369439721d1caf78200bfdc652492c41c266. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	cea8d7f1b5eaf8e7c82bc5f88499369439721d1caf78200bfdc652492c41c266
SHA3-384 hash:	bebd717e5b5eef27795d9e1063f4482018806bd19c67dc7d9141913dc767fce90f54074e1798773f24a6423da398ed5b
SHA1 hash:	448082c8912a61809b137777ff60f86dcd36aa44
MD5 hash:	8480ce94db6eb551de753b6f5480002d
humanhash:	ack-idaho-queen-utah
File name:	8480ce94db6eb551de753b6f5480002d.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	233'984 bytes
First seen:	2022-04-18 15:57:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	36dfb94e2fea360320c145e499a37060 (2 x RedLineStealer, 2 x DanaBot, 1 x Smoke Loader)
ssdeep	3072:EYw6AeOi2iEZV3tZ/vXs3+sTqpxCsxkgaBChhr21y:08OpiaVdBvXGTs/iga70
TLSH	T189347C1276E1C032E2B35E306474D7ACDA7BB8636A30517EE2646B6F1E317D189B1723
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

533

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/264382/

Detection(s):

Win.Malware.Filerepmalware-9941437-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP POST request

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/625d8a98482f2f41cacba217/reports/85723c3c-64c4-429a-b8e8-e37d1063822e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f2db9269-9556-4a9f-8b3c-7e6a3fd371db

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/978324

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cea8d7f1b5eaf8e7c82bc5f88499369439721d1caf78200bfdc652492c41c266/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-04-18 12:17:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z2unp4nv5l4opsblyx4ijgjwsq4xehi4v54cac75yzjeslcbyjta._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220418-teg1gaecck/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Downloads MZ/PE file

Executes dropped EXE

SmokeLoader

Malware Config

C2 Extraction:

http://coralee.at/upload/
http://ducvietcao.com/upload/
http://biz-acc.ru/upload/
http://toimap.com/upload/
http://bbb7d.com/upload/
http://piratia-life.ru/upload/
http://curvreport.com/upload/
http://viagratos.com/upload/
http://mordo.ru/upload/
http://pkodev.net/upload/
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/