MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0297db387476575d1e8dea19a04f088af54732b9053404734901585e97ef23be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0297db387476575d1e8dea19a04f088af54732b9053404734901585e97ef23be
SHA3-384 hash: 5c836f5d2214515c71fd9f393366a0f666430d5a941058b48e5a4709889fe203ded593f5ddd025543f87a726e91b7a48
SHA1 hash: 385507607e30fe809ac7070fa18b035db1009afa
MD5 hash: fad9b3d3d9c4712e130e0d232c3a1ff4
humanhash: low-august-magazine-papa
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:282'112 bytes
First seen:2023-05-28 00:18:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d302e4ac3406067f8ed838633897aebb (4 x Smoke Loader, 3 x Glupteba, 2 x ArkeiStealer)
ssdeep 3072:lzvD8VGtBA8QS8F1patOpgVv6DGCsXW6x1nRvIfs/hPd5gG+uGvAjM:BD8VGLQS0Pak+Vv7RXms2GHn
Threatray 61 similar samples on MalwareBazaar
TLSH T14C543D0396E2BC54ED664B729E2FC6ED761EF2508F19B76921185A1F04702B2C7B3723
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 02424a2a03120200 (1 x Smoke Loader)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from http://hugersi.com/dl/6523.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
US US
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-28 00:21:00 UTC
Tags:
loader smoke trojan ransomware stop stealer vidar
Link:
https://app.any.run/tasks/9bc4952c-a1d1-4f6a-9070-4fdd3f857013

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392687/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Creating a file
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed xpack
Link:
https://www.filescan.io/uploads/64729df6a4e82deee725b779/reports/2c362fed-4c04-42c6-a4f7-d5461586ecf0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0297db387476575d1e8dea19a04f088af54732b9053404734901585e97ef23be
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f457bdab-c098-4ade-ad1c-2a970b34f418
Result
Threat name:
Amadey, Babuk, Clipboard Hijacker, Djvu,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243920
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876930 Sample: file.exe Startdate: 28/05/2023 Architecture: WINDOWS Score: 100 106 zexeq.com 2->106 108 colisumy.com 2->108 110 2 other IPs or domains 2->110 148 Snort IDS alert for network traffic 2->148 150 Multi AV Scanner detection for domain / URL 2->150 152 Found malware configuration 2->152 154 21 other signatures 2->154 14 file.exe 2->14         started        17 gaudavh 2->17         started        19 B84F.exe 2->19         started        21 mstsca.exe 2->21         started        signatures3 process4 signatures5 174 Detected unpacking (changes PE section rights) 14->174 176 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->176 178 Maps a DLL or memory area into another process 14->178 23 explorer.exe 12 53 14->23 injected 180 Multi AV Scanner detection for dropped file 17->180 182 Checks if the current machine is a virtual machine (disk enumeration) 17->182 184 Creates a thread in another existing process (thread injection) 17->184 186 Detected unpacking (overwrites its own PE header) 19->186 188 Machine Learning detection for dropped file 19->188 190 Injects a PE file into a foreign processes 19->190 28 B84F.exe 14 19->28         started        process6 dnsIp7 112 toobussy.com 201.124.33.177 UninetSAdeCVMX Mexico 23->112 114 shsplatform.co.uk 80.66.203.53 UKFASTGB United Kingdom 23->114 122 12 other IPs or domains 23->122 88 C:\Users\user\AppData\Roaming\gaudavh, PE32 23->88 dropped 90 C:\Users\user\AppData\Roaming\abudavh, PE32 23->90 dropped 92 C:\Users\user\AppData\Local\Temp\FD28.exe, PE32 23->92 dropped 94 20 other malicious files 23->94 dropped 160 System process connects to network (likely due to code injection or exploit) 23->160 162 Benign windows process drops PE files 23->162 164 Deletes itself after installation 23->164 166 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->166 30 B84F.exe 23->30         started        33 77C.exe 23->33         started        35 4BCD.exe 23->35         started        37 5 other processes 23->37 116 123.140.161.243, 49715, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 28->116 118 zexeq.com 28->118 120 api.2ip.ua 28->120 file8 signatures9 process10 file11 192 Multi AV Scanner detection for dropped file 30->192 194 Detected unpacking (changes PE section rights) 30->194 196 Detected unpacking (overwrites its own PE header) 30->196 198 Writes a notice file (html or txt) to demand a ransom 30->198 40 B84F.exe 1 16 30->40         started        200 Machine Learning detection for dropped file 33->200 202 Injects a PE file into a foreign processes 33->202 44 77C.exe 33->44         started        204 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 35->204 206 Maps a DLL or memory area into another process 35->206 208 Checks if the current machine is a virtual machine (disk enumeration) 35->208 210 Creates a thread in another existing process (thread injection) 35->210 80 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 37->80 dropped 82 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 37->82 dropped 84 C:\Users\user\AppData\Local\...84ewPlayer.exe, PE32 37->84 dropped 212 Antivirus detection for dropped file 37->212 46 FD28.exe 37->46         started        48 E900.exe 37->48         started        50 B84F.exe 37->50         started        52 2 other processes 37->52 signatures12 process13 dnsIp14 124 api.2ip.ua 162.0.217.254, 443, 49704, 49711 ACPCA Canada 40->124 96 C:\Users\user\AppData\Local\...\B84F.exe, PE32 40->96 dropped 54 B84F.exe 40->54         started        57 icacls.exe 40->57         started        59 77C.exe 44->59         started        file15 process16 signatures17 156 Injects a PE file into a foreign processes 54->156 61 B84F.exe 54->61         started        158 Sample uses process hollowing technique 59->158 process18 dnsIp19 130 zexeq.com 187.245.185.123, 49714, 49721, 80 MegaCableSAdeCVMX Mexico 61->130 132 183.100.39.157, 49713, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 61->132 134 3 other IPs or domains 61->134 98 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 61->98 dropped 100 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 61->100 dropped 102 C:\Users\user\AppData\Local\...\build3.exe, PE32 61->102 dropped 104 8 other malicious files 61->104 dropped 214 Modifies existing user documents (likely ransomware behavior) 61->214 66 build2.exe 61->66         started        69 build3.exe 61->69         started        file20 signatures21 process22 file23 136 Multi AV Scanner detection for dropped file 66->136 138 Detected unpacking (changes PE section rights) 66->138 140 Detected unpacking (overwrites its own PE header) 66->140 146 2 other signatures 66->146 72 build2.exe 66->72         started        86 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 69->86 dropped 142 Antivirus detection for dropped file 69->142 144 Uses schtasks.exe or at.exe to add and modify task schedules 69->144 76 schtasks.exe 69->76         started        signatures24 process25 dnsIp26 126 t.me 149.154.167.99, 443, 49730 TELEGRAMRU United Kingdom 72->126 128 188.34.154.187, 30303, 49732 HETZNER-ASDE Germany 72->128 168 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 72->168 170 Tries to harvest and steal browser information (history, passwords, etc) 72->170 172 Tries to steal Crypto Currency Wallets 72->172 78 conhost.exe 76->78         started        signatures27 process28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0297db387476575d1e8dea19a04f088af54732b9053404734901585e97ef23be/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-28 00:19:04 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akl5woduozlv2hun5im2atyirl2uomvzau2ai42jafmf5f7peo7a._file
Verdict:
malicious
Similar samples:
0d3ef6b4cf3172125dc208808d24392b8a3ff9a55b00b86608c3bc692cd15cec
Smoke Loader
34d81fa01e7570ee734e04e8d2be5c2d54c3a343ad3340b26105627b6124a2db
Smoke Loader
41b4ef28bcb4fcca37c63f3c34d9a40236c49fd7a49b5f41952ece56cda836e0
Smoke Loader
4e8c752b8a016e8d4fc9723ada1498af8a3b3f46e89f3388782f4082575d3218
Smoke Loader
73157ee8d240700d07209acb69539e3814313582253246d7550024281b91b07a
Smoke Loader
a4bb9762185f053519b66a792b63b2d207c8861facbfdb8b3d25b051367eed97
Smoke Loader
a5b31ba24b4f2fff4a559084e8efe01a379ccd53ef0368656d2ba9d198e16466
Smoke Loader
cf1fb9950ced59966ffb235f4a8247c23075d44a09eb0c354f9183585a4faea3
Smoke Loader
cfff129e77416c81657499a1aa091ff549ee037ef6b4783495a37f7891b87970
Smoke Loader
e4cd79a7adcc7c1f587a938d418d4e224e3f2cbc5979a35107cb1c1fdeb707fb
Smoke Loader
+ 51 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230528-al6smade84/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
45.9.74.80/0bjdn2Z/index.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
Gathering data
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0297db387476/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0297db387476575d1e8dea19a04f088af54732b9053404734901585e97ef23be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2479364/
Cape
Cape
https://www.capesandbox.com/analysis/392687/

Comments