{
	"id": "e7d856c3-2afd-42b6-bc97-ce2277410991",
	"created_at": "2026-04-06T00:21:29.460274Z",
	"updated_at": "2026-04-10T03:26:04.880833Z",
	"deleted_at": null,
	"sha1_hash": "95573b53f648d736d26011b3d3cc242e1dbe3434",
	"title": "Quick-Analysis/SmokeLoader/SmokeLoader.md at main · vc0RExor/Quick-Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2111806,
	"plain_text": "Quick-Analysis/SmokeLoader/SmokeLoader.md at main ·\r\nvc0RExor/Quick-Analysis\r\nBy vc0RExor\r\nArchived: 2026-04-05 21:22:45 UTC\r\n_Overview\r\nSmokeLoader is malware that generally acts as a backdoor and is commonly used as a loader for other malware. It is attributed to the criminal group Smoky Spider, which uses SmokeLoader as a loader and Sasfis as a downloader. SmokeLoader has been used as a bot in infrastructures and contains strong evasion capabilities as well as Anti-Analysis, Anti-VM and Anti-DBG techniques.\r\n_Technical Analysis\r\nSmokeLoader usually appears on systems through phishing, although it can also be loaded by other PUP/PUA or malware. The main execution revolves around a document that spawns SmokeLoader; in most of its versions it then runs a copy of itself in a suspended state in order to inject code, after which it executes an explorer.exe that it injects again in order to perform the malicious C\u0026C actions or download other files using legitimate software.\r\nhttps://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md\r\nPage 1 of 11\n\nThe samples that have been found have in most cases been detected as packed, due to the high entropy of their sections.\n\nAt the initial point, we see how it tries to load libraries at runtime, something really useful for it, since it prevents us from discerning its intentions with a basic static analysis: it obtains new functionality during its execution.\n\nAmong the techniques used to hinder analysis, such as code obfuscation, we find different hidden calls, as well as abuse of RET to reach calls that we will not see statically.\n\nAs mentioned above, it fetches libraries at runtime and is dedicated to resolving APIs that it could use later on.\n\nAt all times it keeps control over what is running on the machine, as it subsequently performs various Anti-VM and Anti-DBG techniques, so keeping all running processes mapped is always a useful technique for it.\n\nAfter this, it starts loading the APIs that will serve it moments later, in a routine that loads them from memory using LoadLibrary + GetProcAddress.\n\nAPIs:\r\nCreateFileA\r\nCreateWindowExA\r\nCreateProcessA\r\nWriteProcessMemory\r\nResumeThread\r\nDefWindowProcA\r\nNtWriteVirtualMemory\r\nRegisterClassExA\r\nGetStartupInfoA\r\nSetThreadContext\r\nGetCommandLineA\r\nPostMessageA\r\nVirtualAllocEx\r\nCloseHandle\r\nVirtualAlloc\r\nVirtualFree\r\nVirtualProtectEx\r\nExitProcess\r\nGetMessageExtraInfo\r\nWaitForSingleObject\r\nNtUnmapViewOfSection\r\nMessageBoxA\r\nReadProcessMemory\r\nGetThreadContext\r\nWriteFile\r\nGetModuleFileNameA\r\nGetFileAttributesA\r\nWinExec\r\nGetMessageA\n\nOnce it has the libraries, APIs and processes under control, it creates a process in a suspended state; for this it uses CreateProcessInternalA, which calls CreateProcessInternalW with 0x04 (CREATE_SUSPENDED) in dwCreationFlags to create the process in a suspended state.\r\nOnce the process is created in a suspended state, it proceeds to introduce the binary into the previously spawned process, which, through Process Hollowing, unmaps data from itself in order to write the binary inside; this is usually done through ZwUnmapViewOfSection + VirtualAlloc + ZwWriteVirtualMemory. Once the binary is introduced into the memory of the suspended process, the process is resumed and executes it, so the in-memory file is detonated.\n\n[The binary extracted from memory, which will inject explorer.exe, is very interesting; we will follow up soon :)]\r\n_IOC\r\n_SHA256\r\n_IP\r\n_Domains\r\n🦖 vc0=Rexor\r\nSource: https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md"
	],
	"report_names": [
		"SmokeLoader.md"
	],
	"threat_actors": [
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775791564,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95573b53f648d736d26011b3d3cc242e1dbe3434.pdf",
		"text": "https://archive.orkl.eu/95573b53f648d736d26011b3d3cc242e1dbe3434.txt",
		"img": "https://archive.orkl.eu/95573b53f648d736d26011b3d3cc242e1dbe3434.jpg"
	}
}