Malware-Traffic-Analysis.net - 2017-11-02 - Adventures with
Smoke Loader
Archived: 2026-04-05 17:11:41 UTC
NOTICE:
The zip archives on this page have been updated, and they now use the new password scheme.  For the new
password, see the "about" page of this website.
ASSOCIATED FILES:
2017-11-02-Smoke-Loader-infection-traffic.pcap.zip   712.0 kB (711,971 bytes)
2017-11-02-Neutrino-malware-infection-traffic.pcap.zip   4.4 MB (4,417,303 bytes)
2017-11-02-associated-malware-samples.zip   1.1 MB (1,089,242 bytes)
INFECTION SUMMARY
89.38.98[.]150/sZioajajaj.exe (Smoke Loader) --> Neutrino malware --> Lethic spambot infection
IMAGES
Shown above:  Smoke Loader infection traffic filtered in Wireshark.
http://www.malware-traffic-analysis.net/2017/11/02/index.html
Page 1 of 8

Shown above:  Alerts from Smoke Loader infection traffic on Security Onion using Sguil with Suricata and the
EmergingThreats Pro (ETPRO) ruleset.
Shown above:  Neutrino malware infection traffic filtered in Wireshark.
http://www.malware-traffic-analysis.net/2017/11/02/index.html
Page 2 of 8

Shown above:  Neutrino pcap filtered to show some of the post-infection IPs/ports for Lethic spambot activity,
Shown above:  Alerts from the Neutrino & Lethic spambot traffic on Security Onion using Sguil with Suricata and
the EmergingThreats Pro (ETPRO) ruleset.
http://www.malware-traffic-analysis.net/2017/11/02/index.html
Page 3 of 8

Shown above:  TCP stream of Lethic spambot traffic.
DETAILS
NOTES:
Saw a malicious HTTP request to 89.38.98[.]150 led to Sharik/Smoke Loader.
When I tested it in my lab, it retrieved Neutrino malware, which then retrieved Lethic spambot malware.
About an hour I tried this, 89.38.98[.]150/sZioajajaj.exe returned a different file hash that was still
Sharik/Smoke Loader.
DOMAINS OR URLS TO BLOCK:
hxxp[:]//89.38.98[.]150/sZioajajaj.exe
hxxp[:]//89.38.98[.]150/85cZioajajaj.exe
hxxp[:]//89.38.98[.]150/17Zioajajaj.exe
hxxp[:]//89.38.98[.]150/74Zioajajaj.exe
hxxp[:]//89.38.98[.]150/121Zioajajaj.exe
hxxp[:]//89.38.98[.]150/123Zioajajaj.exe
hxxp[:]//89.38.98[.]150/226Zioajajaj.exe
hxxp[:]//89.38.98[.]150/38Zioajajaj.exe
hxxp[:]//89.38.98[.]150/161Zioajajaj.exe
eeaglelifedd.com
n31.smokemenowhhalala.bit
http://www.malware-traffic-analysis.net/2017/11/02/index.html
Page 4 of 8

INITIAL MALWARE - SHARIK/SMOKE LOADER:
SHA256 hash: 6401c4de903ec06a5493adf7a9dd45e123c9ce3033b44e1083e10bc5709c3964
File size: 122,880 bytes
Online location: 89.38.98[.]150/sZioajajaj.exe
On infected host at: C:\Users\[username]\AppData\Roaming\Microsoft\ujwbersj\gresctab.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHA256 hash: 035f394168da1c15cf98792f12b0292fefdb7dd29538c3b1e019d2fb09d3dfa6
File size: 118,272 bytes
Online location: 89.38.98[.]150/sZioajajaj.exe
On infected host at: C:\Users\[username]\AppData\Roaming\Microsoft\ujwbersj\gresctab.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHARIK/SMOKE LOADER TRAFFIC:
Start date/time: 2017-11-02 at 17:20 UTC
89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /sZioajajaj.exe
www.bing[.]com - GET /
java[.]com - POST /help
java[.]com - GET /en/download/help/index.html
java[.]com - GET /en/download/help/
support.microsoft[.]com - POST /kb/2460049
www.adobe[.]com - POST /
www.adobe[.]com - POST /go/flashplayer_support/
www.adobe[.]com - POST /support/flashplayer
www.adobe[.]com - POST /support/main.html
helpx.adobe[.]com - GET /flash-player.html
helpx.adobe[.]com - GET /support.html
go.microsoft[.]com - POST /fwlink/?LinkId=133405
go.microsoft[.]com - POST /fwlink/?LinkId=164164
msdn.microsoft[.]com - GET /vstudio
www.microsoft[.]com - GET /
45.77.141[.]25 port 80 - eeaglelifedd[.]com - POST /hosting20/
ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:
ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check
ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check
ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 2
ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 3
ETPRO TROJAN Smoke/Sharik HTTP 404 Containing EXE
FOLLOW-UP MALWARE - NEUTRINO MALWARE:
http://www.malware-traffic-analysis.net/2017/11/02/index.html
Page 5 of 8

SHA256 hash: 517e92c585449b75d6b8a5e5f00323fb5f3b125972cd1442b1251ca7087107fc
File size: 255,488 bytes
File returned from HTTP POST to: eeaglelifedd[.]com/hosting20/
On infected host at: C:\Users\[username]\AppData\Roaming\Xl5jVVxcVWIx\jevgr.exe
NEUTRINO MALWARE INFECTION TRAFFIC:
DNS queries for ns.dotbit[.]me - resolved to 107.161.16[.]236
107.161.16[.]236 port 53 - DNS queries (UDP) for n31.smokemenowhhalala[.]bit
118.193.174[.]133 port 80 - n31.smokemenowhhalala[.]bit - POST /newfiz31/logout.php
89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /85cZioajajaj.exe
89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /17Zioajajaj.exe
89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /74Zioajajaj.exe
89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /121Zioajajaj.exe
89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /123Zioajajaj.exe
89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /226Zioajajaj.exe
89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /38Zioajajaj.exe
89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /161Zioajajaj.exe
ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:
ETPRO TROJAN Win32/Neutrino checkin 4 (118.193.174[.]133 port 80)
FOLLOW-UP MALWARE FROM NEUTRINO MALWARE INFECTION - ALL LETHIC SPAMBOT
MALWARE BINARIES:
SHA256 hash: e324c63717a4c2011fde7d1af0d8dbe8ddb0897fe4e7f80f3147a7498e2166fe
File size: 185,344 bytes
Location: 89.38.98[.]150/161Zioajajaj.exe
Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196818750\backwindow32.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHA256 hash: f55be01c217b2ec9be0aa45a007661adb1365a9651e306329679a6ba2d5b119d
File size: 192,512 bytes
Location: 89.38.98[.]150/85cZioajajaj.exe
Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196818750\backwindow132.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHA256 hash: 701a2461d31b1a717fc9dad4fd61458c3484836bb89b4c72c0841ce9b3948d52
File size: 186,880 bytes
Location: 89.38.98[.]150/17Zioajajaj.exe
Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196818750\backwindow232.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHA256 hash: eacbc0588d0e8fc22daf80479598cfb49a6bdc7155efd2bd3c24740a22716d17
File size: 191,488 bytes
http://www.malware-traffic-analysis.net/2017/11/02/index.html
Page 6 of 8

Location: 89.38.98[.]150/74Zioajajaj.exe
Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-
1968138750\backwindow332.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHA256 hash: 8b57e7424e305a87cb55ff69c1454855341e5b138cec648b3b3a96df53d1076a
File size: 186,368 bytes
Location: 89.38.98[.]150/121Zioajajaj.exe
Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-
1968138750\backwindow432.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHA256 hash: f3eadfd04bdf3615afb5f4b9b3b7386579846a834a389585cbbee6a3c7640ca3
File size: 188,928 bytes
Location: 89.38.98[.]150/123Zioajajaj.exe
Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-
1968138750\backwindow532.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHA256 hash: 2de7e6763fd895757e4504e72389a8aee9f2f63f651d02efc22b1865bbd4f1b0
File size: 193,024 bytes
Location: 89.38.98[.]150/226Zioajajaj.exe
Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-
1968138750\backwindow632.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SHA256 hash: b7137c65b7c8884329c252d14fe32d4ffa96fd1a9886f895b39b1d3419c01895
File size: 187,392 bytes
Location: 89.38.98[.]150/38Zioajajaj.exe
Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-
1968152800\systimwindow32.exe
Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
LETHIC SPAMBOT INFECTION TRAFFIC:
Various IP addresses over TCP port 25 - attempted SMTP traffic
Various IP addresses over TCP port 25, 5500, 6600, and 7700 - SMTP and similar spambot traffic
Possibly other IP addresses over similar ports that didn't establish a full TCP connection
ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:
ET TROJAN Lethic Spambot CnC Initial Connect Bot Response
ET TROJAN Lethic Spambot CnC Bot Command Confirmation
ET TROJAN Lethic Spambot CnC Bot Transaction Relay
ET TROJAN Lethic Client Alive
http://www.malware-traffic-analysis.net/2017/11/02/index.html
Page 7 of 8

Click here to return to the main page.
Source: http://www.malware-traffic-analysis.net/2017/11/02/index.html
http://www.malware-traffic-analysis.net/2017/11/02/index.html
Page 8 of 8

msdn.microsoft[.]com www.microsoft[.]com - GET - GET /vstudio / 
45.77.141[.]25 port 80-eeaglelifedd[.]com -POST /hosting20/
ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:
ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check
ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check
ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 2
ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 3
ETPRO TROJAN Smoke/Sharik HTTP 404 Containing EXE
FOLLOW-UP MALWARE -NEUTRINO MALWARE: 
   Page 5 of 8