MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 10



SHA256 hash: 096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8
SHA3-384 hash: a6eced138bcf9190ed08379327b182ed3f162d892060eb27fbda8db8bded80aa898f98a4aef6392f938e6c493e6b0aff
SHA1 hash: ea77f8f24c106948eb398d682826afde02c7270d
MD5 hash: a6ba5fc790a5f555b8b6f28e7837253c
humanhash: lactose-blossom-oven-william
File name: a6ba5fc790a5f555b8b6f28e7837253c.exe
Signature: Smoke Loader
File size: 4'428'817 bytes
First seen: 2021-10-27 08:35:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:J3KOJtrOPjVShZyRB2o4X0xgkwY9BdqoC:JaOTUVt+X0xgkwSMoC
Threatray: 658 similar samples on MalwareBazaar
TLSH: T1412633AAD61954EFFF418FB10DD4A5E2B03E793110E902AB67E4EC067E0D0CAD959393
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe Smoke Loader


abuse_ch
Smoke Loader C2:
213.142.148.231:58682

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
213.142.148.231:58682   https://threatfox.abuse.ch/ioc/237755/
185.215.113.94:15564    https://threatfox.abuse.ch/ioc/237962/

Intelligence


File Origin
# of uploads: 1
# of downloads: 137
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
barys overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Backstage Stealer FormBook SmokeLoader S
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected FormBook
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Behavior Graph ID: 510018 (sample jGK42jrs2j.exe, start date 27/10/2021, architecture WINDOWS, score 100); the graph itself is rendered as an image on the original page.
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2021-10-23 22:12:30 UTC
AV detection:
19 of 36 (52.78%)
Threat level:
5/5
Result
Malware family:
xloader
Score:
10/10
Tags:
family:redline family:smokeloader family:xloader campaign:s0iw aspackv2 backdoor evasion infostealer loader rat spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Xloader Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Xloader
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: extracted_at_0x44b
Author: cb
Description: sample - file extracted_at_0x44b.exe
Reference: Internal Research

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments