MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e72e8c80ea742dba5a9670e8c4db51e817396033f6b821bab8ba82764756fc38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 18

Intelligence 18 IOCs YARA File information Comments

SHA256 hash:	e72e8c80ea742dba5a9670e8c4db51e817396033f6b821bab8ba82764756fc38
SHA3-384 hash:	951e7032604d7dd0c0ac783c26623ec63c1c0433c81537ea8c4d4b8d520102aeedf3e76e8ad1e54bcbf033484781e4b1
SHA1 hash:	1e976d410387c3792103acf28e541afa9826c524
MD5 hash:	63541bdb9504a9cd3a80c455bf2e7ee4
humanhash:	social-west-oscar-cat
File name:	63541bdb9504a9cd3a80c455bf2e7ee4.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	292'352 bytes
First seen:	2023-12-24 08:23:53 UTC
Last seen:	2023-12-24 10:14:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2217a8c5b0dd2408ef1805b58b7c86d5 (4 x Smoke Loader, 2 x Amadey, 1 x Stealc)
ssdeep	6144:ptr3ZOeLdWg2lnlgCAR8jwrMeDUHu2mMYd2fSVtV:vr37IHnlgCAmsrMEGuWYsfSPV
TLSH	T180548C1572E4C232E2E30A354A74C7B44E7B78722825A58FABD42A791F607D1EB2531F
TrID	46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	9170ccd2ccf031da (2 x Smoke Loader, 1 x Stop)
Reporter	abuse_ch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

63541bdb9504a9cd3a80c455bf2e7ee4.exe

Verdict:

Malicious activity

Analysis date:

2023-12-24 08:28:43 UTC

Tags:

loader smoke smokeloader

Link:

https://app.any.run/tasks/e7eec6d6-81df-44eb-a744-e8f0ec3d4856

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/469203/

Detection(s):

SecuriteInfo.com.Trojan.Siggen22.50467.8943.25850.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP GET request

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6587eaa4b290743934ebe4d0/reports/f6874add-1068-4048-9701-6df9397a83cd/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/e72e8c80ea742dba5a9670e8c4db51e817396033f6b821bab8ba82764756fc38

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/51e1c376-3b72-4e3f-ab4b-bd8ae56cc685

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1366667

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e72e8c80ea742dba5a9670e8c4db51e817396033f6b821bab8ba82764756fc38

Detection:

smokeloader

Link:

https://mwdb.cert.pl/sample/e72e8c80ea742dba5a9670e8c4db51e817396033f6b821bab8ba82764756fc38/

Threat name:

Win32.Trojan.DllCheck

Status:

Malicious

First seen:

2023-12-24 08:01:21 UTC

AV detection:

17 of 37 (45.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=44xizahkoqw3uwuwodumjw2r5altsybt624cdovyxkbhmr2w7q4a._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader botnet:pub1 backdoor trojan

Link:

https://tria.ge/reports/231224-kaqmdadgg4/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://humydrole.com/tmp/index.php
http://trunk-co.ru/tmp/index.php
http://weareelight.com/tmp/index.php
http://pirateking.online/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php