MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42
SHA3-384 hash: 4471997508b1070b0c28734ff49c9319193d4f9856953a5972e36b9085661731ba1fd89b9419d2160d59cd989daf5177
SHA1 hash: 28086f5cc0b9f97014575dac95b9de5065977a83
MD5 hash: 4945a14049174b18fc91e04b65dc0dd5
humanhash: eighteen-hotel-pizza-violet
File name:SecuriteInfo.com.W32.AIDetect.malware1.8119.17745
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:308'224 bytes
First seen:2021-03-11 04:42:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cc4b17d0e5d5a1e26966b8ee27266b0b (5 x Smoke Loader, 1 x DanaBot)
ssdeep 6144:5I8zesW65zF7av6/5BrznO5gCRMsC7Ot:5I8HN5zF7H5J7VSt
Threatray 201 similar samples on MalwareBazaar
TLSH 92647C30A7E0F034F1B612B849B5D3B9AE297EB1AB3490CF52D416EA56346E4DC30767
Reporter SecuriteInfoCom
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware1.8119.17745
Verdict:
Suspicious activity
Analysis date:
2021-03-11 04:47:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0c7a658a-8177-48c6-8657-dfa713a3ada4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123673/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Searching for the window
Changing a file
Sending a custom TCP request
Connection attempt to an infection source
Forced shutdown of a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/636387
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 367168 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 11/03/2021 Architecture: WINDOWS Score: 100 42 10022020test125831-service1002012510022020.space 2->42 44 10022020newfolder33417-01242510022020.space 2->44 46 7 other IPs or domains 2->46 54 Multi AV Scanner detection for domain / URL 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected SmokeLoader 2->58 60 2 other signatures 2->60 9 SecuriteInfo.com.W32.AIDetect.malware1.8119.exe 2->9         started        12 cdgwwth 2->12         started        14 cdgwwth 2->14         started        16 2 other processes 2->16 signatures3 process4 dnsIp5 72 Detected unpacking (changes PE section rights) 9->72 74 Contains functionality to inject code into remote processes 9->74 76 Injects a PE file into a foreign processes 9->76 19 SecuriteInfo.com.W32.AIDetect.malware1.8119.exe 1 9->19         started        78 Machine Learning detection for dropped file 12->78 22 cdgwwth 1 12->22         started        24 cdgwwth 14->24         started        40 192.168.2.1 unknown unknown 16->40 signatures6 process7 file8 62 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->62 64 Renames NTDLL to bypass HIPS 19->64 66 Maps a DLL or memory area into another process 19->66 27 explorer.exe 3 19->27 injected 34 C:\Users\user\AppData\Local\Temp\4DD3.tmp, PE32 24->34 dropped 68 Checks if the current machine is a virtual machine (disk enumeration) 24->68 70 Creates a thread in another existing process (thread injection) 24->70 signatures9 process10 dnsIp11 48 10022020newfolder33417-01242510022020.space 193.110.3.190, 49728, 49755, 80 GREENDC-ASRU Russian Federation 27->48 50 10022020test125831-service1002012510022020.space 27->50 52 7 other IPs or domains 27->52 36 C:\Users\user\AppData\Roaming\cdgwwth, PE32 27->36 dropped 38 C:\Users\user\...\cdgwwth:Zone.Identifier, ASCII 27->38 dropped 80 Benign windows process drops PE files 27->80 82 Deletes itself after installation 27->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->84 32 WerFault.exe 17 9 27->32         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-03-11 04:43:07 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0cac1630f56f25462bfc12aeeeb52d4eb515783c5cba8fd74d715e2e46adaca6
Smoke Loader
170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
Smoke Loader
1d6594dae8104135ded8e7ccb1adb6805ef9d770d866b8786dec290a639c9920
Smoke Loader
4f5a1f4b9e455ab7f9ca41af17f4fef53c5dbe28e6767ca069ff3d1931847fa6
Smoke Loader
8308508b1aa9b9843efceb21bfa235bbe44b86b3979a4dffae301b3ec8c0bce2
Smoke Loader
854d167ff218c5caa012baaa7bb80a2bfdd1ec9c4c6b3a66bef57240ade29422
Smoke Loader
abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74
Smoke Loader
c7d5bfc61e4ad60f64bbe4ed6de1774968ad5b66cae98bd5f93f27eb4067d4be
Smoke Loader
d5efd66f54dce6b51870e40a458fa30de366a2982ab2f83dddff5cb3349f654d
Smoke Loader
f69bdd82ca22268d090832707e37b1cae408ba96476843b55feedac11acc6277
Smoke Loader
+ 191 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader backdoor discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/210311-4lvz6rzrxj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Checks SCSI registry key(s)
Delays execution with timeout.exe
Enumerates system info in registry
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Modifies Installed Components in the registry
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Unpacked files
SH256 hash:
4b9c51d5605031fdcb4cd3374b2c94c8e005cd2e194c15f819cebf217be29cde
MD5 hash:
fc5da54a45d4525c5177a85475c18df7
SHA1 hash:
8a56851efbd5bc0a3fdd1f8c8556acd29e739f04
Link:
https://www.unpac.me/results/09eb666d-e8bf-4638-9593-373d524afd53/
SH256 hash:
ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42
MD5 hash:
4945a14049174b18fc91e04b65dc0dd5
SHA1 hash:
28086f5cc0b9f97014575dac95b9de5065977a83
Link:
https://www.unpac.me/results/09eb666d-e8bf-4638-9593-373d524afd53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1060315/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123673/

Comments