MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2192a15f07f6741a9ab30ce24654196dbbb07f696125f08d4b1ae9aca209381. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	d2192a15f07f6741a9ab30ce24654196dbbb07f696125f08d4b1ae9aca209381
SHA3-384 hash:	abe128de11f28e750bb9c6b6e45d1e8cd3a3e7fbfbc4ccaf9758eda351068172fc9c15409bf21d6e36f0af1846f2e167
SHA1 hash:	04ecc262bcb769b02f8edc603d09ff5f84e7db99
MD5 hash:	c650e636fc15d5d84df800efa5317a6e
humanhash:	high-jig-fanta-oven
File name:	c650e636fc15d5d84df800efa5317a6e.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	291'328 bytes
First seen:	2022-02-27 09:46:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5e1f63f34b43ecfa62fae8fb0ed58ea9 (1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	3072:V2ujZYdjSbZynothV7QGqN5PVggjcGkNIVqIOM/h3isxkgaBChRx7Yap:fwjSbewr7/G7ITsqxeigaW
Threatray	7'181 similar samples on MalwareBazaar
TLSH	T1E0548CE17681EC71D0463E31A47A8FA05A6FAC11CA605A47F7B46B5F2A313D1727A30F
File icon (PE):
dhash icon	81bcdcac9cccb48c (4 x RaccoonStealer, 3 x Smoke Loader, 3 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/245068/

Detection(s):

Win.Dropper.Raccoon-9916366-0

Win.Dropper.Stop-9938042-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Query of malicious DNS domain

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7517/overview

Behaviour

SystemUptime

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/621b489cdfdfa8501c64fd5b/reports/76d36359-e8f0-450e-bed6-009814ebc95c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a9e796b0-228d-4fc4-aec7-94a23e43ce88

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/946895

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Execution of Suspicious File Type Extension

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d2192a15f07f6741a9ab30ce24654196dbbb07f696125f08d4b1ae9aca209381/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-27 00:46:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Verdict:

malicious

Smoke Loader

29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03

Smoke Loader

4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a

Smoke Loader

8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

Smoke Loader

8cedc3fb74185394bbf60d2dc1f9618b1e576986f13031b9e29ef12daa6eaf2c

Smoke Loader

eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1

Smoke Loader

+ 7'171 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220227-lr7snabhg9/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

MD5 hash:

b984a027c8a2abf874f3eb306a831613

SHA1 hash:

d3b3f8890adc840b0bd411cf304eef15d415ed48

Link:

https://www.unpac.me/results/2aaf1a8b-0df7-4d06-963f-fb3fbaf314ea/

Parent samples :

fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a

SH256 hash:

d2192a15f07f6741a9ab30ce24654196dbbb07f696125f08d4b1ae9aca209381

MD5 hash:

c650e636fc15d5d84df800efa5317a6e

SHA1 hash:

04ecc262bcb769b02f8edc603d09ff5f84e7db99

Link:

https://www.unpac.me/results/2aaf1a8b-0df7-4d06-963f-fb3fbaf314ea/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d2192a15f07f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2192a15f07f6741a9ab30ce24654196dbbb07f696125f08d4b1ae9aca209381

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe d2192a15f07f6741a9ab30ce24654196dbbb07f696125f08d4b1ae9aca209381

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2059402/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/245068/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample