MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f85b4fcd61a36635fe0e40af704b607ab33afdc97131c14fd958f6ae101ad1da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f85b4fcd61a36635fe0e40af704b607ab33afdc97131c14fd958f6ae101ad1da
SHA3-384 hash: 22092756aee008713e3a3aade1c735c9bdeaead314793938f191a64c3b2617544dd258f058bd8e5d3df77375e6b5cec3
SHA1 hash: 578b09212a9362a935e2ebe0102a834ce85a2fb1
MD5 hash: e4a8353fe21399271fd178d6dc975db9
humanhash: pizza-emma-kitten-table
File name:e4a8353fe21399271fd178d6dc975db9.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:326'656 bytes
First seen:2020-10-06 07:29:50 UTC
Last seen:2020-10-06 09:14:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7df8a80cd50f02792452401aeb3ba103 (1 x Smoke Loader)
ssdeep 3072:XlNzE/TedByqV0MtjfZ2kruX1YSa5bOnaMvOBEZnXrZB0VsPHy7:4WBF0mx2auX1L+O52BEZbhfW
Threatray 89 similar samples on MalwareBazaar
TLSH F4649E10BFF1CC32C1D744744461D2A0A63B7912667BCA8B2B951FAA7EF42C11BB771A
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68515/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP POST request
Sending a UDP request
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Connection attempt to an infection source
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482529
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download HTTP data from a sinkholed server
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f85b4fcd61a36635fe0e40af704b607ab33afdc97131c14fd958f6ae101ad1da/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 06:33:25 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1765e5f0ee49b2b6cf4a7361bbaac484f15c6c1d003de02338fffdb615e831d8
Smoke Loader
237097d56dbe6e685d11f86815a8fa3a5e51b1f48e80a9f7e51d1cfabe0ae4aa
Smoke Loader
5acec93c640ee499d02f78f646af7cf65605a56fc20add62c4dabdb402943114
Smoke Loader
7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91
Smoke Loader
89e0507c4dc79363bdfbdc93dcbaa19084553db2c7fe3a8f746ff973b155c62a
Smoke Loader
95a4cf409c7e7813bfa744598bee2e0e572b2d05ec31622867237ea6dab8a813
Smoke Loader
9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63
Smoke Loader
d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740
Smoke Loader
e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7
Smoke Loader
f43fa7b7115450b5a3b8b97c6f578afe6c55692a06d1f872415d547c570da288
Smoke Loader
+ 79 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
trojan backdoor family:smokeloader
Link:
https://tria.ge/reports/201006-m9m726hcmj/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Deletes itself
Loads dropped DLL
SmokeLoader
Malware Config
C2 Extraction:
http://informatioshopname.ru/
http://ukronet.ru/
http://gmbshop.ru/
http://ucar.ug/
http://woproperty.xyz/
http://smatrhouseforyou.ru/
http://maningfarmllc.ru/
Unpacked files
SH256 hash:
f85b4fcd61a36635fe0e40af704b607ab33afdc97131c14fd958f6ae101ad1da
MD5 hash:
e4a8353fe21399271fd178d6dc975db9
SHA1 hash:
578b09212a9362a935e2ebe0102a834ce85a2fb1
Link:
https://www.unpac.me/results/8294ab7d-199b-4b8d-a2ca-172b25027fa9/
SH256 hash:
5152fd00b855c069182e9ef3d9306181ee5a9803b599453f0038bd2d67c3b1b3
MD5 hash:
8004ec618f6894bb8733775df472cd5e
SHA1 hash:
d7415b4099f9a970f8c67933d708319ef229cfe7
Link:
https://www.unpac.me/results/8294ab7d-199b-4b8d-a2ca-172b25027fa9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f85b4fcd61a36635fe0e40af704b607ab33afdc97131c14fd958f6ae101ad1da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe f85b4fcd61a36635fe0e40af704b607ab33afdc97131c14fd958f6ae101ad1da

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/68515/
  
URLhaus
https://urlhaus.abuse.ch/url/360909/
  
Delivery method
Distributed via web download

Comments


Avatar
QVM360 commented on 2020-10-06 07:39:02 UTC

#Danabot
https://analyze.intezer.com/analyses/9f27d130-89ec-4940-b2d1-72c4b44008cf/sub/7d8d971e-87fb-4115-87c8-fb65d5cabf8c