MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e
SHA3-384 hash: 69a503ddf4fbf8476f9c0463461e445f2706c30ccbe6fb186b0ebb74499e0d59b087265049b5f20108defc6f6dd49e63
SHA1 hash: 448d7e0994c44bb56f95e9073891ccd5c6d51a86
MD5 hash: c009d4d9d319cf4e11aa99b6d57fb433
humanhash: quebec-spaghetti-north-helium
File name:SecuriteInfo.com.Win32.PWSX-gen.16966.19531
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:332'800 bytes
First seen:2024-04-12 07:28:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e03af4c47837fbfefcd192e4bab71da3 (4 x Stealc, 2 x Smoke Loader, 1 x LummaStealer)
ssdeep 3072:W7oggIL3mnqnjGt4RI5BnqV6olpiaRqUQ5iru5y7qQ:W7HgIL3WqjGt4RiRqV6OlqUuku5yW
TLSH T12A649E21B3A3B77DF6221E309959CBE059AEBC105A745657E3BC2A2F1D7C3908933352
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 3370e4d2c4f0335a (3 x Stealc, 1 x Smoke Loader, 1 x RiseProStealer)
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e.exe
Verdict:
Malicious activity
Analysis date:
2024-04-12 07:34:32 UTC
Tags:
loader smokeloader
Link:
https://app.any.run/tasks/51b009d5-8491-42bf-bac1-3353955456e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP POST request
Sending a custom TCP request
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint
Link:
https://www.filescan.io/uploads/6618e2c135699b4745c71ada/reports/2f947be1-e6bb-4054-9ab6-2dc272502fb9/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3f3f0499-edc7-4039-949b-2a6fd555136d
Result
Threat name:
PureLog Stealer, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1424955
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1424955 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 12/04/2024 Architecture: WINDOWS Score: 100 66 uama.com.ua 2->66 68 talesofpirates.net 2->68 70 6 other IPs or domains 2->70 82 Snort IDS alert for network traffic 2->82 84 Multi AV Scanner detection for domain / URL 2->84 86 Found malware configuration 2->86 88 13 other signatures 2->88 12 SecuriteInfo.com.Win32.PWSX-gen.16966.19531.exe 2->12         started        15 bfsureu 2->15         started        signatures3 process4 signatures5 116 Detected unpacking (changes PE section rights) 12->116 118 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->118 120 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->120 128 2 other signatures 12->128 17 explorer.exe 99 9 12->17 injected 122 Antivirus detection for dropped file 15->122 124 Multi AV Scanner detection for dropped file 15->124 126 Maps a DLL or memory area into another process 15->126 process6 dnsIp7 60 189.163.132.34, 49762, 49763, 49764 UninetSAdeCVMX Mexico 17->60 62 nidoe.org 93.136.70.55, 49710, 49716, 49721 T-HTCroatianTelecomIncHR Croatia (LOCAL Name: Hrvatska) 17->62 64 5 other IPs or domains 17->64 52 C:\Users\user\AppData\Roaming\bfsureu, PE32 17->52 dropped 54 C:\Users\user\AppData\Local\Temp\CC4D.exe, PE32 17->54 dropped 56 C:\Users\user\...\bfsureu:Zone.Identifier, ASCII 17->56 dropped 90 Benign windows process drops PE files 17->90 92 Deletes itself after installation 17->92 94 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->94 22 CC4D.exe 2 17->22         started        25 RuntimeBroker2.exe 17->25         started        28 RuntimeBroker2.exe 17->28         started        file8 signatures9 process10 dnsIp11 96 Multi AV Scanner detection for dropped file 22->96 98 Machine Learning detection for dropped file 22->98 100 Adds a directory exclusion to Windows Defender 22->100 30 CC4D.exe 22->30         started        74 38.180.95.205, 5885 COGENT-174US United States 25->74 102 Antivirus detection for dropped file 25->102 104 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 25->104 signatures12 process13 signatures14 130 Adds a directory exclusion to Windows Defender 30->130 33 cmd.exe 1 30->33         started        process15 signatures16 76 Suspicious powershell command line found 33->76 78 Tries to download and execute files (via powershell) 33->78 80 Adds a directory exclusion to Windows Defender 33->80 36 powershell.exe 15 34 33->36         started        41 conhost.exe 33->41         started        process17 dnsIp18 72 18.238.49.86, 443, 49760 AMAZON-02US United States 36->72 58 C:\Users\user\AppData\...\RuntimeBroker2.exe, PE32 36->58 dropped 106 Suspicious powershell command line found 36->106 108 Loading BitLocker PowerShell Module 36->108 110 Powershell drops PE file 36->110 43 powershell.exe 23 36->43         started        46 RuntimeBroker2.exe 36->46         started        48 powershell.exe 36->48         started        50 2 other processes 36->50 file19 signatures20 process21 signatures22 112 Loading BitLocker PowerShell Module 43->112 114 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 46->114
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2024-04-12 07:29:07 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bm6uqlouybo27zj546x3556y2e5gfruhu7tqlqqs7t7fg3wcfwpa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub3 backdoor trojan
Link:
https://tria.ge/reports/240412-ja8yaagg24/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Deletes itself
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://nidoe.org/tmp/index.php
http://sodez.ru/tmp/index.php
http://uama.com.ua/tmp/index.php
http://talesofpirates.net/tmp/index.php
Unpacked files
SH256 hash:
f2380c9c7ebf5be61444882b40a85dccb6790b14877bcc8c4e1d39f3bc89d683
MD5 hash:
ffc4c4b2e33bc7a54671352f724ab869
SHA1 hash:
01d94427bee5a9a2d0bcbbd3af807ad8591e2eb9
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/41851592-cc29-4199-977e-4957f45987f5/
Parent samples :
1f32111ab49e505b1b6e062a6391e06d44222371883d08abee1ba453309a6780
17f9ab3ff113a9dda69111ab6ab03c0da95d47ab419a858b54374e3333ce516b
1efbc80ffd55c78287134a11add66b10bf7b2cd724913721a7f305d483050593
2952319efa611dd3cd0704bd8bf3f6bce423cd88aace8e28e51b19c672d209cf
fd602cbf605a4f9baffac0737c13291635ad0019567db051809d5bf8823dce5b
430be53678e8616b604b7210d16dd57f1561aa9cebb32ac451247387a53aa919
083c9a8679034f65137bce38b2f1db98225a8d1f18dc351ee4d5adfc464fa72b
d671b17afb9e245e629823dccd61d78257df00834fb2b1fa9431c6439c62fd45
0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e
205ba28bab34053be3bb4798a4f950839a1c8a6519787c92fbb0db8d1c3ce83c
3b6c00f64a1d047dfbed967d4fe8f320f4e4de9421a82d94dcb3eba07f23d939
9480a889b8c683f9db1b39f004e186337da6eed7c96c61aff2e2c034525399e1
SH256 hash:
0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e
MD5 hash:
c009d4d9d319cf4e11aa99b6d57fb433
SHA1 hash:
448d7e0994c44bb56f95e9073891ccd5c6d51a86
Link:
https://www.unpac.me/results/41851592-cc29-4199-977e-4957f45987f5/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0b3d482dd4c0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Windows_Trojan_Generic_2993e5a5
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 0b3d482dd4c05dafe53de7afbef7d8d13a62c687a7e705c212fcfe536ec22d9e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2809766/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetConsoleTitleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleAliasExesLengthA
KERNEL32.dll::GetConsoleAliasesLengthA
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA

Comments