MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d999ea24a63d51de747956882700b282102765b563c8b477a038e3ec17a31679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d999ea24a63d51de747956882700b282102765b563c8b477a038e3ec17a31679
SHA3-384 hash: 5977698ce91b8c7d2726623215e6f501c235258789f5302280198753fa03177a0b0716bd16d401567abb59620380c09c
SHA1 hash: e39a65573360d7f7d7286fbc411e51b7977997d5
MD5 hash: 61a832c04d2bd73ef6701ca0089d8fde
humanhash: nevada-shade-mobile-four
File name:SecuriteInfo.com.Trojan.Siggen17.52642.32412.19127
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:307'200 bytes
First seen:2022-05-18 15:41:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash db57d5e3d04b9a257784f752aaee46da (3 x RedLineStealer, 2 x Smoke Loader, 1 x RemcosRAT)
ssdeep 3072:zyqm8uObqO0VIrP6LZ/n2Vb/OOjNV3lsxkgaBChUpZa9uD6Vdyhk:uZgqO0VIryR2VbGc6iga3wVf
Threatray 9'441 similar samples on MalwareBazaar
TLSH T1FE64BE12F791C470E0921D305471D7B25B3BFA325670A50BF790AB6E1EB33E09AB6B16
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Siggen17.52642.32412.19127
Verdict:
No threats detected
Analysis date:
2022-05-18 17:25:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/873eec23-2ba3-454d-b256-46185625e88d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272159/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.52642.32412.19127.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Launching a process
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Setting browser functions hooks
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/18759/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f08dec99-cea7-4e61-96d3-a81a1c5a3cf1
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/996939
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 629438 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 18/05/2022 Architecture: WINDOWS Score: 100 38 Multi AV Scanner detection for domain / URL 2->38 40 Found malware configuration 2->40 42 Antivirus detection for URL or domain 2->42 44 4 other signatures 2->44 8 SecuriteInfo.com.Trojan.Siggen17.52642.32412.exe 2->8         started        11 dvhigga 2->11         started        process3 signatures4 56 Detected unpacking (changes PE section rights) 8->56 58 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->58 60 Maps a DLL or memory area into another process 8->60 62 Creates a thread in another existing process (thread injection) 8->62 13 explorer.exe 3 8->13 injected 64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 68 Checks if the current machine is a virtual machine (disk enumeration) 11->68 process5 dnsIp6 36 ejeana.co.ug 35.228.140.43, 49796, 49799, 80 GOOGLEUS United States 13->36 30 C:\Users\user\AppData\Roaming\dvhigga, PE32 13->30 dropped 32 C:\Users\user\...\dvhigga:Zone.Identifier, ASCII 13->32 dropped 70 Benign windows process drops PE files 13->70 72 Injects code into the Windows Explorer (explorer.exe) 13->72 74 Deletes itself after installation 13->74 76 2 other signatures 13->76 18 explorer.exe 8 13->18         started        22 explorer.exe 13->22         started        24 explorer.exe 13->24         started        26 12 other processes 13->26 file7 signatures8 process9 dnsIp10 34 ejeana.co.ug 18->34 46 System process connects to network (likely due to code injection or exploit) 18->46 48 Found evasive API chain (may stop execution after checking mutex) 18->48 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->50 54 3 other signatures 18->54 52 Tries to harvest and steal browser information (history, passwords, etc) 22->52 28 WerFault.exe 20 9 24->28         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d999ea24a63d51de747956882700b282102765b563c8b477a038e3ec17a31679/
Threat name:
Win32.Trojan.RelineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 15:42:07 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gm6ujfghvi545dzk2ecoafsqiicoznvmpeli55ahdr6yf5dcz4q._file
Verdict:
malicious
Similar samples:
3675d239f3a7fe82634e98680149821d4e573e349f183b0aec58261450d4807c
Smoke Loader
380352f1c2acc2574f8eb08b31232252835758f1c35229c07ae48b375508adf0
Smoke Loader
38ccecf332445e56428fba1f9352f2977b3afdfe31f84d69ea50129079d9344b
Smoke Loader
450fe551f9989c51ae6b8ad556b22c4f34076f1cc61d2ffdfab5c55522d6e210
Smoke Loader
49c7ce5e90b5bce33ac0ea6f02d309e030e81462e290e83403048822e52b1500
Smoke Loader
b8e63ce3226f61cde7d51196c3ca300ca39882f4715e87938ed5d3ae68ef879d
Smoke Loader
c03f0aebf7867cd5195061605cec8e933575787fc59950b15ae2947dc34a2a42
Smoke Loader
ef538d7c9dbc1375659c258adcc719b020621b8ced9666032ec2a823192a5608
Smoke Loader
+ 9'431 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220518-s5bqpsebak/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
SmokeLoader
Malware Config
C2 Extraction:
http://ejeana.co.ug/index.php
https://ejeana.co.ug/index.php
Unpacked files
SH256 hash:
8e321979a49803602d1fecd56aefb0eac2793be81527ff33b9cdcc78e3f43804
MD5 hash:
b93e72481389200ac6cbd9fa007b1cff
SHA1 hash:
d235689865d7ed2073cacbff38f7d78848ec54ec
Link:
https://www.unpac.me/results/b0d16e89-611e-49ff-9121-5f0898408dea/
SH256 hash:
d999ea24a63d51de747956882700b282102765b563c8b477a038e3ec17a31679
MD5 hash:
61a832c04d2bd73ef6701ca0089d8fde
SHA1 hash:
e39a65573360d7f7d7286fbc411e51b7977997d5
Link:
https://www.unpac.me/results/b0d16e89-611e-49ff-9121-5f0898408dea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d999ea24a63d51de747956882700b282102765b563c8b477a038e3ec17a31679

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe d999ea24a63d51de747956882700b282102765b563c8b477a038e3ec17a31679

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2199420/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/272159/

Comments