MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8489f43ed8b96cd5f5b28f6e570dbb57571656869c7b0a8ba215fb375857070. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8489f43ed8b96cd5f5b28f6e570dbb57571656869c7b0a8ba215fb375857070
SHA3-384 hash: f4302ef229c6e0454548a44205e79b2c6e4d3677721442a37cea6095727cc704be122743635b4e73759f17327626c26f
SHA1 hash: 40eed8cad9ecf219ed52948f3f203273d0bd663b
MD5 hash: c221b419e707c1180a0de18ae270aef4
humanhash: kilo-carolina-salami-may
File name:c221b419e707c1180a0de18ae270aef4.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:76'800 bytes
First seen:2020-11-03 13:39:30 UTC
Last seen:2020-11-03 16:04:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9668b7091de4529d55cf638b279f602e (4 x Phorpiex, 1 x Smoke Loader)
ssdeep 768:jmleoM6DS921C15D+tK/vu3ahehXBJ/dReF+H/q42+ZSDr:jkKeS9HDl/G3akhXeF+SCZSD
Threatray 13 similar samples on MalwareBazaar
TLSH 0C731FB4C7F5DC79F1582037B020815A2BDA5E2CCDE4017BD2AC795A35B2AC261FAD1B
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/82049/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.14421.13920.4136.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Deleting a recently created file
Creating a window
Searching for the window
Searching for many windows
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating a special LNK file
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519200
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308701 Sample: rXyLfG57OF.exe Startdate: 03/11/2020 Architecture: WINDOWS Score: 100 42 Antivirus detection for URL or domain 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 5 other signatures 2->48 7 rXyLfG57OF.exe 2 16 2->7         started        12 svchost.exe 13 2->12         started        14 svchost.exe 13 2->14         started        16 5 other processes 2->16 process3 dnsIp4 36 api.wipmania.com 212.83.168.196, 49729, 49732, 49735 OnlineSASFR France 7->36 30 C:\13024132311349\svchost.exe, PE32 7->30 dropped 58 Drops PE files with benign system names 7->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->60 18 svchost.exe 4 23 7->18         started        62 System process connects to network (likely due to code injection or exploit) 12->62 38 127.0.0.1 unknown unknown 16->38 file5 signatures6 process7 dnsIp8 32 trik.ws 217.8.117.10, 49733, 49734, 49755 CREXFEXPEX-RUSSIARU Russian Federation 18->32 34 api.wipmania.com 18->34 26 C:\Users\user\AppData\...\2664922881.exe, data 18->26 dropped 28 C:\Users\user\AppData\...\1079012626.exe, data 18->28 dropped 50 Antivirus detection for dropped file 18->50 52 System process connects to network (likely due to code injection or exploit) 18->52 54 Multi AV Scanner detection for dropped file 18->54 56 3 other signatures 18->56 23 2664922881.exe 13 18->23         started        file9 signatures10 process11 dnsIp12 40 api.wipmania.com 23->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8489f43ed8b96cd5f5b28f6e570dbb57571656869c7b0a8ba215fb375857070/
Threat name:
Win32.Worm.Phorpiex
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 13:10:38 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3bej6q7nrolm2x23fd3ok4g3wv2xczlinhd3bkf2efp3g5mfobya._file
Verdict:
malicious
Similar samples:
0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
Smoke Loader
251960c51a68122710e9f928d7ea49ea52573f6e9af906e47ce91cfd518e39a7
Smoke Loader
4acacf2ce809228cef96a81a0800bdb497c7aefb2b278420e88ee9dfa49d24d8
Smoke Loader
5d9b6c49a8c84b01122da49a1237c880e2eb71d44f264e8a0effc56b7b586bf6
Smoke Loader
7f99d6f0dd72b4b86fa136ed7771fd55dd6b40e8f890d61b90d8a88d117c9858
Smoke Loader
ab47f2c37d0612239214050393cff3f26715448550ead7c3180fe2c842df19e4
Smoke Loader
cdb2b4c85d67ee5d29410f0411776be88c42a21df4c153b831db9562f7a5f8da
Smoke Loader
d03c04a685a0a4f735c0456cb4d1073792a19ea0fbf18a0c28d7b445798a4a18
Smoke Loader
e6e1567dba427fd20cec7ffd9a830a1f144db637856ae7567d257387b0218f63
Smoke Loader
f8a3b64aa3c1c639a5ce1b100de860d4f97703879df0d01ce0118ae97c1b7423
Smoke Loader
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/201103-py572jhl1j/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Windows security modification
Executes dropped EXE
Windows security bypass
Unpacked files
SH256 hash:
d8489f43ed8b96cd5f5b28f6e570dbb57571656869c7b0a8ba215fb375857070
MD5 hash:
c221b419e707c1180a0de18ae270aef4
SHA1 hash:
40eed8cad9ecf219ed52948f3f203273d0bd663b
Detections:
win_phorpiex_auto
Create hunting rule
Link:
https://www.unpac.me/results/d6b2ef2f-63a6-4ee9-a650-6c7c93aef71e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Vilsel
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d8489f43ed8b96cd5f5b28f6e570dbb57571656869c7b0a8ba215fb375857070

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe d8489f43ed8b96cd5f5b28f6e570dbb57571656869c7b0a8ba215fb375857070

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/748778/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/373422/
  
URLhaus
https://urlhaus.abuse.ch/url/748743/
  
URLhaus
https://urlhaus.abuse.ch/url/404589/
  
URLhaus
https://urlhaus.abuse.ch/url/621240/
  
URLhaus
https://urlhaus.abuse.ch/url/404588/
Cape
Cape
https://www.capesandbox.com/analysis/82049/

Comments