MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d024a12783f607991e43239c14604d2aa749e86484f6c7deab274795afa585f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	d024a12783f607991e43239c14604d2aa749e86484f6c7deab274795afa585f4
SHA3-384 hash:	2df3c36ebde20522e834f31541639a147ffa1e23f540f839fd432f74cc77d7a80f5263d347f77094a2baaaf9f247ef0f
SHA1 hash:	ae6fbd897e33a50af6f58ed51d5d8fc4c0f4f4c3
MD5 hash:	91ec6e6fa2c7366ba0b6f5983f0f9855
humanhash:	network-washington-arkansas-charlie
File name:	91ec6e6fa2c7366ba0b6f5983f0f9855.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	305'664 bytes
First seen:	2021-12-25 08:06:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7c30ab8503fc786b2a76e9b03687201e (1 x Smoke Loader)
ssdeep	3072:0r/JRoyCMAluVwwqZEp+LfTewILiySz8ca1DJdiU0KFdUEKHqkgXQ547VAKzvuUU:ppzd+GZ8TNJdz/KSpXruUB
Threatray	3'381 similar samples on MalwareBazaar
TLSH	T1CB547D1077A0D035F1B722F949B99378A53E7DA1AB3091CB63D42AEE9A356D0EC70707
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

359

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Windows_Photoshop+CC+2018v19.0.1.190x32.zip

Verdict:

Malicious activity

Analysis date:

2021-12-24 21:29:25 UTC

Tags:

evasion trojan loader rat redline stealer vidar opendir

Link:

https://app.any.run/tasks/1f813a68-b6f7-4ff2-b580-61d67c38048c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/216332/

Detection(s):

Win.Packed.Ulise-9917518-0

Win.Malware.Generic-9917519-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP POST request

Searching for synchronization primitives

Reading critical registry keys

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/3187/overview

Behaviour

SystemUptime

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61c6d1294ab5c44cbf507997/reports/baf4cebc-aebf-4c0a-ae81-c0cc0636005c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6c5a8a5c-eed8-433e-bcbb-91e9122d3c81

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/912706

Signature

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Detected unpacking (changes PE section rights)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d024a12783f607991e43239c14604d2aa749e86484f6c7deab274795afa585f4/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2021-12-24 21:28:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2askcj4d6ydzshsdeoobiycnfktut2deqt3mpxvle5dzll5fqx2a._file

Verdict:

malicious

Smoke Loader

6f279d711337e4691a39d38937f64047e8d07215f4216f195517772ff6a4706f

Smoke Loader

8577213832eecf00f77003ddf49fb6630af4906b10b350f9dd88a899d9720a98

Smoke Loader

8b4d4a6e3af1d577c192958aa2a1e4c9fa973e488ebeb90b65a1bbda9de10919

Smoke Loader

9f3dec0a7c87752adf73a31d927609a05570f72799d243d82978dc4428d3ecbd

Smoke Loader

bc94b163517e1a81cec89823d0d4bb7045cd09e72a46da38f1b52573cde695a8

Smoke Loader

d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a

Smoke Loader

e34fc70bee3b2e9051e1115f1053aec2bbd3555a8d71600e90890662ea718ff1

Smoke Loader

+ 3'371 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor suricata trojan

Link:

https://tria.ge/reports/211225-jz1m7sgbbp/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Deletes itself

SmokeLoader

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Malware Config

C2 Extraction:

http://melchen-testet.at/upload/
http://zjymf.com/upload/
http://pbxbmu70275.cn/upload/
http://mnenenravitsya.ru/upload/
http://pitersprav.ru/upload/

Unpacked files

SH256 hash:

98c98d350145f38e2bda90d78e0b0b3299fc312d9b9a0ed361def4e4fc791eac

MD5 hash:

cc416d95ceeb22347a2d9e73b23c3ef3

SHA1 hash:

b2928874b18a58296a1e8f69085016b8ca3b8875

Link:

https://www.unpac.me/results/071741ec-6b46-46e7-8399-ec8bcbc7ef15/

SH256 hash:

d024a12783f607991e43239c14604d2aa749e86484f6c7deab274795afa585f4

MD5 hash:

91ec6e6fa2c7366ba0b6f5983f0f9855

SHA1 hash:

ae6fbd897e33a50af6f58ed51d5d8fc4c0f4f4c3

Link:

https://www.unpac.me/results/071741ec-6b46-46e7-8399-ec8bcbc7ef15/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d024a12783f6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d024a12783f607991e43239c14604d2aa749e86484f6c7deab274795afa585f4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/216332/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample