MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f388fde192c9233fde404cdf139894b3506bba91dc87261e6ccd341e4e30d14a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 11


SHA256 hash: f388fde192c9233fde404cdf139894b3506bba91dc87261e6ccd341e4e30d14a
SHA3-384 hash: 71da49ca4e8ebf95d355bd64313d7705ce48eb8489f13739d7260be27d8002e7529351816388d53c218744721f85741e
SHA1 hash: f222b56eaebbd6b94e5eaee357ae91fe5b569e04
MD5 hash: 1d6114342cca0819c8997110a9ca69d2
humanhash: cardinal-october-kitten-jupiter
File name: 1d6114342cca0819c8997110a9ca69d2.exe
Signature: Smoke Loader
File size: 23'913'512 bytes
First seen: 2022-10-23 01:12:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 393216:3qfwn3tZchFiP4K3LJsAvwYcElYfD7jq5qycuQ1+s6CVAJW1dQN00Qkt2x7bWYPT:64n378Fa7rJcElYD7uFcw+uWn+aoRKyc
TLSH: T1EF37337BB37F6E2EC4EB067205736F229877E66064164C1A23F4048CDFAA5701E3A6D5
TrID:
  61.8% (.EXE) Inno Setup installer (109740/4/30)
  23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
   5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
   2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
   1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon: e88e2b6969338ee8 (1 x RecordBreaker, 1 x Smoke Loader)
Reporter: abuse_ch
Tags: exe signed Smoke Loader

Code Signing Certificate

Organisation: www.decompress.com
Issuer: www.decompress.com
Algorithm: sha256WithRSAEncryption
Valid from: 2022-10-18T23:32:18Z
Valid to: 2023-10-18T23:52:18Z
Serial number: 509a6dc5eafd2e94460118409f7b7f03
Thumbprint Algorithm: SHA256
Thumbprint: cf7c376b711e6c026bcee0b36ca0fb7d87fced0cd0b53f7ee4bdecaf6a498d23
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Comment by abuse_ch:
C2: http://5.255.103.158/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
http://5.255.103.158/   https://threatfox.abuse.ch/ioc/915902/

Intelligence


File Origin
# of uploads: 1
# of downloads: 433
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 1d6114342cca0819c8997110a9ca69d2.exe
Verdict: Malicious activity
Analysis date: 2022-10-23 01:13:58 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Moving a file to the %temp% subdirectory
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Sending an HTTP GET request
Launching a process
Downloading the file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed raccoon setupapi.dll shell32.dll
Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: bank.adwa.spyw.evad.troj
Score: 62 / 100
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Encrypted powershell cmdline option found
Installs a browser helper object (BHO)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses 7zip to decompress a password protected archive
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 728347, Sample: 2ZJtRNBbFp.exe, Startdate: 23/10/2022, Architecture: WINDOWS, Score: 62. Network endpoints shown in the graph: 192.168.2.1 (unknown) and 31.42.177.171 port 80 (YANINA-ASUA, Ukraine).
Threat name: Win32.Backdoor.Androm
Status: Malicious
First seen: 2022-10-19 19:33:51 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 10 of 26 (38.46%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor evasion trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies registry class
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Detects Smokeloader packer
Modifies Windows Defender notification settings
SmokeLoader
Malware Config
Dropper Extraction: http://31.42.177.171/hfile.bin

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
