{
	"id": "f3f2bb41-7073-449e-bbc3-8bb9215e23b4",
	"created_at": "2026-04-06T00:09:42.575683Z",
	"updated_at": "2026-04-10T03:21:16.1449Z",
	"deleted_at": null,
	"sha1_hash": "cc35cc52b423e32105ea764dd0040eb7dcbad5e9",
	"title": "Malware-Traffic-Analysis.net - 2017-11-02 - Adventures with Smoke Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1356797,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-11-02 - Adventures with Smoke Loader\r\nArchived: 2026-04-05 17:11:41 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-11-02-Smoke-Loader-infection-traffic.pcap.zip   712.0 kB (711,971 bytes)\r\n2017-11-02-Neutrino-malware-infection-traffic.pcap.zip   4.4 MB (4,417,303 bytes)\r\n2017-11-02-associated-malware-samples.zip   1.1 MB (1,089,242 bytes)\r\nINFECTION SUMMARY\r\n89.38.98[.]150/sZioajajaj.exe (Smoke Loader) --\u003e Neutrino malware --\u003e Lethic spambot infection\r\nIMAGES\r\nShown above:  Smoke Loader infection traffic filtered in Wireshark.\r\nhttp://www.malware-traffic-analysis.net/2017/11/02/index.html\r\nPage 1 of 8\n\nShown above:  Alerts from Smoke Loader infection traffic on Security Onion using Sguil with Suricata and the EmergingThreats Pro (ETPRO) ruleset.\r\nShown above:  Neutrino malware infection traffic filtered in Wireshark.\r\nShown above:  Neutrino pcap filtered to show some of the post-infection IPs/ports for Lethic spambot activity.\r\nShown above:  Alerts from the Neutrino \u0026 Lethic spambot traffic on Security Onion using Sguil with Suricata and the EmergingThreats Pro (ETPRO) ruleset.\r\nShown above:  TCP stream of Lethic spambot traffic.\r\nDETAILS\r\nNOTES:\r\nSaw a malicious HTTP request to 89.38.98[.]150 that led to Sharik/Smoke Loader.\r\nWhen I tested it in my lab, it retrieved Neutrino malware, which then retrieved Lethic spambot malware.\r\nAbout an hour after I tried this, 89.38.98[.]150/sZioajajaj.exe returned a different file hash that was still Sharik/Smoke Loader.\r\nDOMAINS OR URLS TO 
BLOCK:\r\nhxxp[:]//89.38.98[.]150/sZioajajaj.exe\r\nhxxp[:]//89.38.98[.]150/85cZioajajaj.exe\r\nhxxp[:]//89.38.98[.]150/17Zioajajaj.exe\r\nhxxp[:]//89.38.98[.]150/74Zioajajaj.exe\r\nhxxp[:]//89.38.98[.]150/121Zioajajaj.exe\r\nhxxp[:]//89.38.98[.]150/123Zioajajaj.exe\r\nhxxp[:]//89.38.98[.]150/226Zioajajaj.exe\r\nhxxp[:]//89.38.98[.]150/38Zioajajaj.exe\r\nhxxp[:]//89.38.98[.]150/161Zioajajaj.exe\r\neeaglelifedd.com\r\nn31.smokemenowhhalala.bit\r\nINITIAL MALWARE - SHARIK/SMOKE LOADER:\r\nSHA256 hash: 6401c4de903ec06a5493adf7a9dd45e123c9ce3033b44e1083e10bc5709c3964\r\nFile size: 122,880 bytes\r\nOnline location: 89.38.98[.]150/sZioajajaj.exe\r\nOn infected host at: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\ujwbersj\\gresctab.exe\r\nAssociated Windows registry update: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSHA256 hash: 035f394168da1c15cf98792f12b0292fefdb7dd29538c3b1e019d2fb09d3dfa6\r\nFile size: 118,272 bytes\r\nOnline location: 89.38.98[.]150/sZioajajaj.exe\r\nOn infected host at: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\ujwbersj\\gresctab.exe\r\nAssociated Windows registry update: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSHARIK/SMOKE LOADER TRAFFIC:\r\nStart date/time: 2017-11-02 at 17:20 UTC\r\n89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /sZioajajaj.exe\r\nwww.bing[.]com - GET /\r\njava[.]com - POST /help\r\njava[.]com - GET /en/download/help/index.html\r\njava[.]com - GET /en/download/help/\r\nsupport.microsoft[.]com - POST /kb/2460049\r\nwww.adobe[.]com - POST /\r\nwww.adobe[.]com - POST /go/flashplayer_support/\r\nwww.adobe[.]com - POST /support/flashplayer\r\nwww.adobe[.]com - POST /support/main.html\r\nhelpx.adobe[.]com - GET /flash-player.html\r\nhelpx.adobe[.]com - GET /support.html\r\ngo.microsoft[.]com - POST /fwlink/?LinkId=133405\r\ngo.microsoft[.]com - POST /fwlink/?LinkId=164164\r\nmsdn.microsoft[.]com - GET 
/vstudio\r\nwww.microsoft[.]com - GET /\r\n45.77.141[.]25 port 80 - eeaglelifedd[.]com - POST /hosting20/\r\nASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:\r\nET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check\r\nET TROJAN Sharik/Smoke Loader Adobe Connectivity Check\r\nET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 2\r\nET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 3\r\nETPRO TROJAN Smoke/Sharik HTTP 404 Containing EXE\r\nFOLLOW-UP MALWARE - NEUTRINO MALWARE:\r\nSHA256 hash: 517e92c585449b75d6b8a5e5f00323fb5f3b125972cd1442b1251ca7087107fc\r\nFile size: 255,488 bytes\r\nFile returned from HTTP POST to: eeaglelifedd[.]com/hosting20/\r\nOn infected host at: C:\\Users\\[username]\\AppData\\Roaming\\Xl5jVVxcVWIx\\jevgr.exe\r\nNEUTRINO MALWARE INFECTION TRAFFIC:\r\nDNS queries for ns.dotbit[.]me - resolved to 107.161.16[.]236\r\n107.161.16[.]236 port 53 - DNS queries (UDP) for n31.smokemenowhhalala[.]bit\r\n118.193.174[.]133 port 80 - n31.smokemenowhhalala[.]bit - POST /newfiz31/logout.php\r\n89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /85cZioajajaj.exe\r\n89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /17Zioajajaj.exe\r\n89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /74Zioajajaj.exe\r\n89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /121Zioajajaj.exe\r\n89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /123Zioajajaj.exe\r\n89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /226Zioajajaj.exe\r\n89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /38Zioajajaj.exe\r\n89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /161Zioajajaj.exe\r\nASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:\r\nETPRO TROJAN Win32/Neutrino checkin 4 (118.193.174[.]133 port 80)\r\nFOLLOW-UP MALWARE FROM NEUTRINO MALWARE INFECTION - ALL LETHIC SPAMBOT MALWARE BINARIES:\r\nSHA256 hash: e324c63717a4c2011fde7d1af0d8dbe8ddb0897fe4e7f80f3147a7498e2166fe\r\nFile size: 185,344 bytes\r\nLocation: 
89.38.98[.]150/161Zioajajaj.exe\r\nLocation: C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-196818750\\backwindow32.exe\r\nAssociated Windows registry update: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSHA256 hash: f55be01c217b2ec9be0aa45a007661adb1365a9651e306329679a6ba2d5b119d\r\nFile size: 192,512 bytes\r\nLocation: 89.38.98[.]150/85cZioajajaj.exe\r\nLocation: C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-196818750\\backwindow132.exe\r\nAssociated Windows registry update: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSHA256 hash: 701a2461d31b1a717fc9dad4fd61458c3484836bb89b4c72c0841ce9b3948d52\r\nFile size: 186,880 bytes\r\nLocation: 89.38.98[.]150/17Zioajajaj.exe\r\nLocation: C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-196818750\\backwindow232.exe\r\nAssociated Windows registry update: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSHA256 hash: eacbc0588d0e8fc22daf80479598cfb49a6bdc7155efd2bd3c24740a22716d17\r\nFile size: 191,488 bytes\r\nLocation: 89.38.98[.]150/74Zioajajaj.exe\r\nLocation: C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-1968138750\\backwindow332.exe\r\nAssociated Windows registry update: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSHA256 hash: 8b57e7424e305a87cb55ff69c1454855341e5b138cec648b3b3a96df53d1076a\r\nFile size: 186,368 bytes\r\nLocation: 89.38.98[.]150/121Zioajajaj.exe\r\nLocation: C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-1968138750\\backwindow432.exe\r\nAssociated Windows registry update: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSHA256 hash: f3eadfd04bdf3615afb5f4b9b3b7386579846a834a389585cbbee6a3c7640ca3\r\nFile size: 188,928 bytes\r\nLocation: 89.38.98[.]150/123Zioajajaj.exe\r\nLocation: C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-1968138750\\backwindow532.exe\r\nAssociated Windows registry update: 
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSHA256 hash: 2de7e6763fd895757e4504e72389a8aee9f2f63f651d02efc22b1865bbd4f1b0\r\nFile size: 193,024 bytes\r\nLocation: 89.38.98[.]150/226Zioajajaj.exe\r\nLocation: C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-1968138750\\backwindow632.exe\r\nAssociated Windows registry update: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSHA256 hash: b7137c65b7c8884329c252d14fe32d4ffa96fd1a9886f895b39b1d3419c01895\r\nFile size: 187,392 bytes\r\nLocation: 89.38.98[.]150/38Zioajajaj.exe\r\nLocation: C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-1968152800\\systimwindow32.exe\r\nAssociated Windows registry update: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nLETHIC SPAMBOT INFECTION TRAFFIC:\r\nVarious IP addresses over TCP port 25 - attempted SMTP traffic\r\nVarious IP addresses over TCP ports 25, 5500, 6600, and 7700 - SMTP and similar spambot traffic\r\nPossibly other IP addresses over similar ports that didn't establish a full TCP connection\r\nASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:\r\nET TROJAN Lethic Spambot CnC Initial Connect Bot Response\r\nET TROJAN Lethic Spambot CnC Bot Command Confirmation\r\nET TROJAN Lethic Spambot CnC Bot Transaction Relay\r\nET TROJAN Lethic Client Alive\r\nSource: http://www.malware-traffic-analysis.net/2017/11/02/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.malware-traffic-analysis.net/2017/11/02/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc35cc52b423e32105ea764dd0040eb7dcbad5e9.pdf",
		"text": "https://archive.orkl.eu/cc35cc52b423e32105ea764dd0040eb7dcbad5e9.txt",
		"img": "https://archive.orkl.eu/cc35cc52b423e32105ea764dd0040eb7dcbad5e9.jpg"
	}
}