MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0e943a3190bd714808505bef47752c11cf58ae444bfed34d44675ef4a043d8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0e943a3190bd714808505bef47752c11cf58ae444bfed34d44675ef4a043d8d
SHA3-384 hash: d786506a39b27c5e156e51a2004ef00f76938fa3dd24cf9267d1f8e43353cf5cd2bea448dcec5024fe0a6d515d228ec7
SHA1 hash: f191263fbe22d397f4522e2a3a26a5e5e838e5ac
MD5 hash: e75be95abaf67f381b83874453784b87
humanhash: cola-pennsylvania-orange-winner
File name:e75be95abaf67f381b83874453784b87.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:157'696 bytes
First seen:2020-12-28 17:47:51 UTC
Last seen:2020-12-28 18:54:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2144f9c12885542d4a4f22de64e840e1 (26 x RedLineStealer, 24 x Smoke Loader, 13 x RaccoonStealer)
ssdeep 1536:Ikr9hF1s1I6AsesyvuaD8mW14RjGdu1VGT9heL5IAnrA5cPmdZf13OK2lhPFxBIj:V1sNymi7W14Uu1+9QFIAnrh23OT
Threatray 1'956 similar samples on MalwareBazaar
TLSH 06F3026607AB4C33E3B145B0F65687C534A8E0021271B5DF89BAD46F283C197BADD36E
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
389
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e75be95abaf67f381b83874453784b87.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-28 17:50:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c46876fa-88da-4728-a010-a8b68805efc5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109600/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.32382.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt to an infection source
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570925
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 334522 Sample: fBTeh5eM2o.exe Startdate: 28/12/2020 Architecture: WINDOWS Score: 100 106 gxd3fp7fe7cac6jzn2sac.online 2->106 130 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->130 132 Multi AV Scanner detection for domain / URL 2->132 134 Antivirus detection for URL or domain 2->134 136 10 other signatures 2->136 12 fBTeh5eM2o.exe 1 2->12         started        15 biejwrt 1 2->15         started        signatures3 process4 file5 162 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->162 164 Renames NTDLL to bypass HIPS 12->164 166 Maps a DLL or memory area into another process 12->166 18 explorer.exe 12 12->18 injected 104 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 15->104 dropped 168 Checks if the current machine is a virtual machine (disk enumeration) 15->168 170 Creates a thread in another existing process (thread injection) 15->170 signatures6 process7 dnsIp8 108 79.110.52.117, 49740, 80 V4ESCROW-ASRO Romania 18->108 110 gamesforconsoles2222.top 5.2.76.209, 49736, 49754, 49759 LITESERVERNL Netherlands 18->110 112 4 other IPs or domains 18->112 80 C:\Users\user\AppData\Roaming\biejwrt, PE32 18->80 dropped 82 C:\Users\user\AppData\Local\Temp\3DF8.exe, PE32 18->82 dropped 84 C:\Users\user\AppData\Local\Temp\3637.exe, PE32 18->84 dropped 86 4 other files (3 malicious) 18->86 dropped 138 System process connects to network (likely due to code injection or exploit) 18->138 140 Benign windows process drops PE files 18->140 142 Deletes itself after installation 18->142 144 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->144 23 F236.exe 19 18->23         started        27 3637.exe 83 18->27         started        30 2435.exe 15 23 18->30         started        32 2 other processes 18->32 file9 signatures10 process11 dnsIp12 114 gxd3fp7fe7cac6jzn2sac.online 64.187.226.251, 49766, 49768, 49769 QUICKPACKETUS United States 23->114 116 95.181.152.177, 49767, 49770, 49786 MSKHOSTRU Russian Federation 23->116 88 C:\ProgramData88etHelper\...\nethelper.dll, PE32 23->88 dropped 90 C:\Users\user\AppData\...\nethelper[1].dll, PE32 23->90 dropped 34 cmd.exe 23->34         started        36 cmd.exe 23->36         started        39 cmd.exe 23->39         started        41 cmd.exe 23->41         started        124 2 other IPs or domains 27->124 92 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 27->92 dropped 94 C:\Users\user\AppData\...\vcruntime140.dll, PE32 27->94 dropped 96 C:\Users\user\AppData\...\ucrtbase.dll, PE32 27->96 dropped 98 56 other files (none is malicious) 27->98 dropped 148 Tries to steal Mail credentials (via file access) 27->148 150 Uses cmd line tools excessively to alter registry or file data 27->150 152 Tries to harvest and steal browser information (history, passwords, etc) 27->152 118 api.ip.sb 30->118 120 WHOIS.RIPE.NET 193.0.6.135, 43, 49813 RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre Netherlands 30->120 126 3 other IPs or domains 30->126 154 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->154 156 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 30->156 122 193.124.66.33, 2229, 49781 MTW-ASRU Russian Federation 32->122 158 Contains functionality to infect the boot sector 32->158 160 Tries to harvest and steal ftp login credentials 32->160 file13 signatures14 process15 signatures16 43 rundll32.exe 34->43         started        48 conhost.exe 34->48         started        146 Uses cmd line tools excessively to alter registry or file data 36->146 50 conhost.exe 36->50         started        52 reg.exe 36->52         started        54 conhost.exe 39->54         started        56 reg.exe 39->56         started        58 conhost.exe 41->58         started        60 timeout.exe 41->60         started        process17 dnsIp18 128 udre3kvzatwrx6ues4p2u.top 193.38.55.37, 49778, 49871, 80 SERVERIUS-ASNL Russian Federation 43->128 100 C:\Users\user\AppData\Local\...\nethelper.exe, PE32 43->100 dropped 102 C:\Users\user\AppData\...\nethelper[1].info, PE32 43->102 dropped 172 System process connects to network (likely due to code injection or exploit) 43->172 62 cmd.exe 43->62         started        64 cmd.exe 43->64         started        66 cmd.exe 43->66         started        68 cmd.exe 43->68         started        file19 signatures20 process21 process22 70 conhost.exe 62->70         started        72 schtasks.exe 62->72         started        74 conhost.exe 64->74         started        76 schtasks.exe 64->76         started        78 conhost.exe 66->78         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0e943a3190bd714808505bef47752c11cf58ae444bfed34d44675ef4a043d8d/
Threat name:
Win32.Trojan.Zenpack
Create hunting rule
Status:
Malicious
First seen:
2020-12-28 17:48:08 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6duuhiyzbplrjaefaw7pi52syeoplcxeis762nguiz266sqehwgq._file
Verdict:
suspicious
Similar samples:
0969327fda05101320538ec7c3df4ca3a024fdffc9ff58bcf5570a0960bd9df7
Smoke Loader
0de430b38bdccba626c6c0c5c8297057fd434ccc7a0d4c84bc066eb9dde07420
Smoke Loader
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
Smoke Loader
52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea
Smoke Loader
6745aeb1cc8de5e42a94850247ea3d54c65865c95c2492006cf8a7b44da2a961
Smoke Loader
67e8fcfa65a48b5ef7288e91ac8ddab1180cf33150471357485511509955413c
Smoke Loader
856bcc47f2c9617ed7e2c5f702dc5cea6713713da600229b2db076d64f24dfdf
Smoke Loader
a8ae3cb248fb4721b27615276393e430bae895d37794b917f09980bd31c1176c
Smoke Loader
a8d6e8219c6ec6f8284026609f9989fa8caa68e517a239973da19793d1fc2d60
Smoke Loader
caa6e314a8ebbba3eadc8a0cd77e70e794928d24e6be19d7f2891383540440cb
Smoke Loader
+ 1'946 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor bootkit persistence trojan upx
Link:
https://tria.ge/reports/201228-t7ce6w9wvj/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Writes to the Master Boot Record (MBR)
Deletes itself
Loads dropped DLL
Executes dropped EXE
UPX packed file
SmokeLoader
Malware Config
C2 Extraction:
http://vtdilet.com/upload/
http://netvxi.com/upload/
http://tinnys.monster/upload/
Unpacked files
SH256 hash:
f0e943a3190bd714808505bef47752c11cf58ae444bfed34d44675ef4a043d8d
MD5 hash:
e75be95abaf67f381b83874453784b87
SHA1 hash:
f191263fbe22d397f4522e2a3a26a5e5e838e5ac
Link:
https://www.unpac.me/results/21b55a7d-d7e1-4b16-b668-592f73e18ae3/
SH256 hash:
fd101af6d4a30136f48a913bb386c3c4b34f2676735e21b7ad8f14a356f7e72f
MD5 hash:
8f4fbdb2a897585a1e5706016c23731a
SHA1 hash:
f2c38fd1a397030d64d4052aa7ddcf1c98bf2457
Link:
https://www.unpac.me/results/21b55a7d-d7e1-4b16-b668-592f73e18ae3/
SH256 hash:
6f2184dfe083c769ca14dc0cbfee5e2615b180aff2e58c6552a79c11a27c0e91
MD5 hash:
fd3cb401704fd1d4070139d45569b743
SHA1 hash:
6dfad0f23deaae5a3b12e7f90217d9f8a8376509
Link:
https://www.unpac.me/results/21b55a7d-d7e1-4b16-b668-592f73e18ae3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0e943a3190bd714808505bef47752c11cf58ae444bfed34d44675ef4a043d8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe f0e943a3190bd714808505bef47752c11cf58ae444bfed34d44675ef4a043d8d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/943588/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/109600/

Comments