MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5185d4e070e8cf1120790d078dd9d3dc33539b59c33ffc607d88ee30e3e1dff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5185d4e070e8cf1120790d078dd9d3dc33539b59c33ffc607d88ee30e3e1dff
SHA3-384 hash: bedf8d7072dc6e2fbf6c1ec0431a536867ac155d4c5feda1aa880a664623d65373432eeddb3729683733ab450eeb9ced
SHA1 hash: 81e6978bc064c0c745dc6b32bdf05eafeb10fc31
MD5 hash: 311f4f130fad70c7159cbae042926bee
humanhash: mike-friend-vermont-hydrogen
File name:5ded80193e96c1d11f9694fa793bd7005864abd8668e3c997617b8e10e9ecb04_payload.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:41'369 bytes
First seen:2024-05-21 04:15:11 UTC
Last seen:2024-05-21 05:20:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:O2fNN6rUCUQN3rlhRtSEObrfWrZrZZGazbv61kTtnIx1y0qWb:OQNsrII7P7sbrOZXGaXi1kyG0P
TLSH T1CC03DFC7274A336AD77B0C7221774EA7B2FC26C6510AE3ACE811DDB6C109D4AB526C34
TrID 42.6% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
18.9% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
0.2% (.VXD) VXD Driver (29/21)
Reporter ukycircle
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
370
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
upatre
Create hunting rule
ID:
1
File name:
f5185d4e070e8cf1120790d078dd9d3dc33539b59c33ffc607d88ee30e3e1dff.exe
Verdict:
Malicious activity
Analysis date:
2024-05-21 04:36:13 UTC
Tags:
upatre
Link:
https://app.any.run/tasks/8a100cd0-f338-4347-a0a5-d070f96eb587

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.3247.2162.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Tags:
Encryption Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/664c2009d7fb0506c93f42e1/reports/8b34639e-0025-4162-bee7-eb9d06b3d9c3/overview
Verdict:
Malicious
Labled as:
Trojan.Heur.Generic
Link:
https://www.hybrid-analysis.com/sample/f5185d4e070e8cf1120790d078dd9d3dc33539b59c33ffc607d88ee30e3e1dff
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fb993a98-46c5-4000-abe3-562695f86294
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1444745
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1444745 Sample: 5ded80193e96c1d11f9694fa793... Startdate: 21/05/2024 Architecture: WINDOWS Score: 100 51 time.windows.com 2->51 53 airwide-land.com 2->53 55 bg.microsoft.map.fastly.net 2->55 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 4 other signatures 2->69 10 5ded80193e96c1d11f9694fa793bd7005864abd8668e3c997617b8e10e9ecb04_payload.exe 2->10         started        13 tbtjsrg 2->13         started        15 msiexec.exe 2->15         started        signatures3 process4 signatures5 95 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->95 97 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->97 99 Maps a DLL or memory area into another process 10->99 101 Creates a thread in another existing process (thread injection) 10->101 17 explorer.exe 33 6 10->17 injected 103 Antivirus detection for dropped file 13->103 105 Machine Learning detection for dropped file 13->105 107 Checks if the current machine is a virtual machine (disk enumeration) 13->107 process6 dnsIp7 49 airwide-land.com 23.227.203.30, 443, 49704, 49705 HVC-ASUS United States 17->49 43 C:\Users\user\AppData\Roaming\tbtjsrg, PE32 17->43 dropped 45 C:\Users\user\AppData\Local\Temp17E.exe, PE32+ 17->45 dropped 47 C:\Users\user\...\tbtjsrg:Zone.Identifier, ASCII 17->47 dropped 71 Benign windows process drops PE files 17->71 73 Injects code into the Windows Explorer (explorer.exe) 17->73 75 Deletes itself after installation 17->75 77 2 other signatures 17->77 22 E17E.exe 14 17->22         started        25 explorer.exe 20 17->25         started        27 explorer.exe 17->27         started        29 4 other processes 17->29 file8 signatures9 process10 signatures11 79 Multi AV Scanner detection for dropped file 22->79 81 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->81 83 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->83 93 4 other signatures 22->93 31 cmd.exe 1 22->31         started        85 System process connects to network (likely due to code injection or exploit) 25->85 87 Found evasive API chain (may stop execution after checking mutex) 25->87 89 Tries to steal Mail credentials (via file / registry access) 25->89 91 Tries to harvest and steal browser information (history, passwords, etc) 27->91 process12 signatures13 109 Uses netsh to modify the Windows network and firewall settings 31->109 111 Uses ipconfig to lookup or modify the Windows network settings 31->111 113 Modifies the windows firewall 31->113 34 WMIC.exe 1 31->34         started        37 systeminfo.exe 31->37         started        39 conhost.exe 31->39         started        41 16 other processes 31->41 process14 signatures15 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 34->57 59 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 34->59 61 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 34->61
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f5185d4e070e8cf1120790d078dd9d3dc33539b59c33ffc607d88ee30e3e1dff
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f5185d4e070e8cf1120790d078dd9d3dc33539b59c33ffc607d88ee30e3e1dff/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2024-05-21 04:16:06 UTC
File Type:
PE (Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6umf2tqhb2gpceqhsdihrxm5hxbtkonvtqz77rqh3chogdr6dx7q._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:sel2 backdoor collection evasion spyware stealer trojan
Link:
https://tria.ge/reports/240521-evs1cahd3s/
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Gathers network information
Gathers system information
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Deletes itself
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Modifies Windows Firewall
SmokeLoader
Malware Config
C2 Extraction:
https://airwide-land.com/calcroom.php
https://summerwaterhall.com/calcroom.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e854ad2e-70c2-4c35-9df4-0aa0c9be5666
Unpacked files
SH256 hash:
f5185d4e070e8cf1120790d078dd9d3dc33539b59c33ffc607d88ee30e3e1dff
MD5 hash:
311f4f130fad70c7159cbae042926bee
SHA1 hash:
81e6978bc064c0c745dc6b32bdf05eafeb10fc31
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/193c5e07-1dfd-4b99-83db-a83250607f83/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f5185d4e070e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dofoil
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f5185d4e070e8cf1120790d078dd9d3dc33539b59c33ffc607d88ee30e3e1dff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments