MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b67dfb73a9ef15956bc9e471c3376491967ec2bb5ebe70e5ef3ec52d24c210c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 15



SHA256 hash: 0b67dfb73a9ef15956bc9e471c3376491967ec2bb5ebe70e5ef3ec52d24c210c
SHA3-384 hash: a472c2951539d605d8585f52ca1c86a3f6102f11e2ec5188b8cbf4313a015de0409d108135f27f9b04366f083a67c5c4
SHA1 hash: a7542c1e1130bca74192fc55f8e8c2925ba74a13
MD5 hash: c243e6ab205f545f83e86a3ef1061873
humanhash: arizona-cat-autumn-nuts
File name: file
Signature Smoke Loader
File size: 269'824 bytes
First seen: 2023-10-02 10:22:03 UTC
Last seen: 2023-10-02 16:52:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger). Note: this is the imphash shared by practically every .NET executable, whose only native import is mscoree.dll!_CorExeMain; it identifies the CLR loader stub, not the malware family, so it is not a useful pivot for this sample.
ssdeep 6144:JS4qAGRKmmzGdwwAwxF3JIPajZBDFqhoPWE8XMxxaIKu:4YGRKmmqeT4paajHcKx88PzK
TLSH T1D344D095E2F5560CE1E68A3ACE50A2E4673635273A13D72ACC84D50D783DBD78AC0DB3
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter andretavare5
Tags:exe Smoke Loader


andretavare5
Sample downloaded from http://185.225.74.144/files/Umm2.exe

Intelligence


File Origin
# of uploads: 8
# of downloads: 307
Origin country: US
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
https://coossa.com/soft9w/idm-download-with-crack-64-bit-2023.7z?c=yfHsiY20iOiJXaW5kb3dzIiwic3MiOiIxNjg5MTA0Njc2IiwicnMiOiIyNjM3IiwiZHMiOiIyNjU0NTUifXw
Verdict:
Malicious activity
Analysis date:
2023-10-02 13:52:53 UTC
Tags:
privateloader evasion opendir loader risepro stealer lumma redline smoke fabookie stealc tofsee botnet amadey trojan miner teamspy remote phonk ransomware stop vidar arkei

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, SmokeLoader
Detection:
malicious
Classification:
phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Stop multiple services
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected SmokeLoader
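The signature names above describe behaviours, not the commands that produced them. The following is an added example, not part of this MalwareBazaar entry or of any vendor's sandbox: it expresses five of the listed signatures as Sigma-style process-creation rules in Python and runs them over a constructed set of events. The command lines it looks for (Add-MpPreference, powercfg timeouts, schtasks /create, the EnableLUA registry value, sc stop) are this example's assumptions about how those actions are usually performed, not commands recovered from this sample, and every event below is constructed for the demonstration.

```python
import re

# Five of the sandbox signatures on this page, approximated as process-creation
# rules (image-path regex, command-line regex). The command-line patterns are
# this example's assumptions about how each action is normally performed; they
# were not recovered from the sample.
RULES = {
    "Adds a directory exclusion to Windows Defender": (
        r"(?i)\\powershell(?:_ise)?\.exe$",
        r"(?i)\bAdd-MpPreference\b.*-ExclusionPath\b",
    ),
    "Uses powercfg.exe to modify the power settings": (
        r"(?i)\\powercfg\.exe$",
        r"(?i)(?:standby|hibernate|monitor)-timeout-(?:ac|dc)\s+0\b|[-/]h(?:ibernate)?\s+off\b",
    ),
    "Uses schtasks.exe or at.exe to add and modify task schedules": (
        r"(?i)\\(?:schtasks|at)\.exe$",
        r"(?i)/create\b",
    ),
    "Disables UAC (registry)": (
        r"(?i)\\reg\.exe$",
        # HKLM\...\Policies\System\EnableLUA = 0 turns UAC off at next logon.
        r"(?i)Policies\\System\b.*\bEnableLUA\b.*\b0\b",
    ),
    "Stops running service(s)": (
        r"(?i)\\(?:sc|net)\.exe$",
        r"(?i)\bstop\s+\S+",
    ),
}
COMPILED = {name: (re.compile(img), re.compile(cmd)) for name, (img, cmd) in RULES.items()}


def match_event(event):
    """Return the names of all rules whose image and command-line patterns both match."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return [name for name, (img_re, cmd_re) in COMPILED.items()
            if img_re.search(image) and cmd_re.search(cmdline)]


def evaluate(events):
    """Return [(event_index, rule_name)] for every rule hit, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name in match_event(ev)]


def distinct_rules(events):
    """Distinct behaviours seen; stacking several of these is what pushes a verdict to malicious."""
    return sorted({name for _, name in evaluate(events)})


# CONSTRUCTED process-creation events for the demonstration (not from the sandbox run).
CONSTRUCTED_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\file.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Local\\Temp"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /x -standby-timeout-ac 0"},
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 1 /tn "Update" /tr "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe" /f'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v EnableLUA /t REG_DWORD /d 0 /f'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop wuauserv"},
    # Benign controls: a task query (no /create) and an unrelated process.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /query /tn Backup"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for idx, name in evaluate(CONSTRUCTED_EVENTS):
        print(f"event {idx}: {name}")
    print(f"{len(distinct_rules(CONSTRUCTED_EVENTS))} distinct behaviours")
```

Each rule requires both the image and the command line to match, which keeps `stop` in an unrelated PowerShell script or a `/create` inside a document path from firing; the two benign control events at the end produce no hits.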
Behaviour
Behavior Graph:
Behavior Graph ID: 1317856 | Sample: file.exe | Start date: 02/10/2023 | Architecture: WINDOWS | Score: 100

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures

Process tree recovered from the graph (numbers in parentheses are the graph's node IDs; dropped files and network contacts are listed under the process that produced them; "..." path elisions are as shown on the page):

file.exe (10)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; 2 other signatures
    -> aspnet_regbrowsers.exe (20)
        network: 85.217.144.143 WS171-ASRU Bulgaria; 69.49.241.44 UNIFIEDLAYER-AS-1US United States; 28 other IPs or domains
        dropped: C:\Users\...\zylf72BfsABGU3p0SnsFmxgF.exe (PE32); C:\Users\...\zQFBa57R2O91dEQKxbBl3aBg.exe (PE32); C:\Users\...\z6t7t8N03QCd4Ous5fQAoJcP.exe (PE32); 203 other malicious files
        signatures: Drops script or batch files to the startup folder
        -> FlYONYJ24H9U7G0L7moTMIwt.exe (41)
            dropped: C:\Users\user\AppData\Local\...\nhdues.exe (PE32)
            signatures: Contains functionality to inject code into remote processes
            -> nhdues.exe (53)
                network: 193.42.32.29 EENET-ASEE Germany
                dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\clip64[1].dll (PE32); C:\Users\user\AppData\Local\...\cred64[1].dll (PE32+)
                signatures: Creates an undocumented autostart registry key; Uses schtasks.exe or at.exe to add and modify task schedules
                -> rundll32.exe (60)
                    -> rundll32.exe (77)
                        network: 109.206.241.33 AWMLTNL Germany
                        signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                -> cmd.exe (62)
                    -> conhost.exe (81); cmd.exe (83); cacls.exe (85); 4 other processes (95)
                -> schtasks.exe (64)
                    -> conhost.exe (87)
                -> rundll32.exe (66)
        -> zylf72BfsABGU3p0SnsFmxgF.exe (45)
            dropped: C:\Users\...\zylf72BfsABGU3p0SnsFmxgF.tmp (PE32)
            -> zylf72BfsABGU3p0SnsFmxgF.tmp (58)
                dropped: C:\Users\user\AppData\...\unins000.exe (copy) (PE32); C:\Users\user\AppData\...\is-VTCHJ.tmp (PE32+); C:\Users\user\AppData\...\is-5LJI4.tmp (PE32); 4 other files (3 malicious)
                -> _setup64.tmp (68)
                    -> conhost.exe (89)
                -> schtasks.exe (70)
                    -> conhost.exe (91)
                -> schtasks.exe (72)
                    -> conhost.exe (93)
                -> DigitalPulseService.exe (74)
                    network: 3.98.219.138 AMAZON-02US United States
        -> d24nhBtnXUkM9MEOgbCYsX7Y.exe (47)
            dropped: C:\Program Files\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
            signatures: Modifies the hosts file; Adds a directory exclusion to Windows Defender
        -> 7 other processes (51)
            signatures: Sample uses process hollowing technique
    -> powershell.exe (25)
        -> conhost.exe (49)
    -> AddInUtil.exe (27)
cmd.exe (13)
    signatures: Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
    -> conhost.exe (29)
    -> MOkxlqG13eXv18j01swGpl25.exe (31)
cmd.exe (15)
    -> 2 other processes (37)
4 other processes (17)
    network: 35.182.67.195 AMAZON-02US United States
    -> conhost.exe (33); conhost.exe (35); 6 other processes (39)
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2023-10-02 10:23:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:fabookie family:glupteba family:smokeloader family:xmrig botnet:pub1 backdoor dropper evasion loader miner persistence spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Uses the VBS compiler for execution
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
XMRig Miner payload
Amadey
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://193.42.32.29/9bDc8sQ/index.php
http://app.nnnaajjjgc.com/check/safe
http://host-file-host6.com/
http://host-host-file8.com/
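The file hashes at the top of this entry and the C2 URLs extracted above are the pivots a responder actually uses. The following is an added example, not part of this MalwareBazaar entry or of any vendor's tooling: it collects those indicators into a small Python module that hashes a file and compares it with the entry, and scans log lines for the C2 hosts and for the IPs the sandbox saw contacted, grading the latter lower because several sit on shared Amazon hosting and may be legitimate infrastructure. Only the indicators come from the page; the log lines are constructed for the demonstration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from this MalwareBazaar entry.
SAMPLE_HASHES = {
    "sha256": "0b67dfb73a9ef15956bc9e471c3376491967ec2bb5ebe70e5ef3ec52d24c210c",
    "sha1": "a7542c1e1130bca74192fc55f8e8c2925ba74a13",
    "md5": "c243e6ab205f545f83e86a3ef1061873",
}
C2_URLS = [
    "http://193.42.32.29/9bDc8sQ/index.php",
    "http://app.nnnaajjjgc.com/check/safe",
    "http://host-file-host6.com/",
    "http://host-host-file8.com/",
    "http://185.225.74.144/files/Umm2.exe",  # reporter's download URL for the sample
]
# IPs from the behaviour graph. Several are on Amazon ranges (shared hosting),
# so they are matched at lower confidence than the hosts in the extracted config.
SANDBOX_CONTACTED_IPS = {
    "85.217.144.143", "69.49.241.44", "109.206.241.33",
    "3.98.219.138", "35.182.67.195",
}


def hosts_from_urls(urls):
    """Reduce URLs to lowercase host names; paths and query strings rotate too often to match on."""
    return {urlsplit(u).hostname.lower() for u in urls}


HIGH_CONFIDENCE_HOSTS = hosts_from_urls(C2_URLS)

# Anything that could be a host name or dotted-quad inside a free-form log line.
_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def indicators_in_line(line):
    """Return (indicator, confidence) pairs found in one log line, each at most once."""
    hits, seen = [], set()
    for tok in _TOKEN.findall(line):
        tok = tok.lower().rstrip(".")
        if tok in seen:
            continue
        if tok in HIGH_CONFIDENCE_HOSTS:
            hits.append((tok, "high"))
        elif tok in SANDBOX_CONTACTED_IPS:
            hits.append((tok, "medium"))
        else:
            continue
        seen.add(tok)
    return hits


def scan_log(lines):
    """Return [(line_number, indicator, confidence)] over a sequence of log lines (1-based)."""
    return [(n, ind, conf)
            for n, line in enumerate(lines, start=1)
            for ind, conf in indicators_in_line(line)]


def compute_hashes(data):
    """Hashes in the same algorithms this entry lists, for comparing a suspect file."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha3_384")}


def is_this_sample(data):
    """True only if every listed hash matches; a single-algorithm match is not enough."""
    computed = compute_hashes(data)
    return all(computed[alg] == digest for alg, digest in SAMPLE_HASHES.items())


# CONSTRUCTED proxy/DNS/firewall log lines for the demonstration (not real traffic).
CONSTRUCTED_LOG = [
    "2023-10-02T13:52:55Z src=10.0.0.21 method=GET url=http://193.42.32.29/9bDc8sQ/index.php status=200",
    "2023-10-02T13:53:01Z src=10.0.0.21 method=GET url=https://www.microsoft.com/ status=200",
    "2023-10-02T13:53:07Z src=10.0.0.21 dns_query=app.nnnaajjjgc.com rcode=NXDOMAIN",
    "2023-10-02T13:53:09Z src=10.0.0.21 dst=109.206.241.33 dport=80 proto=tcp",
    "2023-10-02T13:53:12Z src=10.0.0.22 method=GET url=http://example.com/ status=200",
]

if __name__ == "__main__":
    for n, ind, conf in scan_log(CONSTRUCTED_LOG):
        print(f"line {n}: {ind} ({conf})")
    print("sample?", is_this_sample(b"not the sample"))
```

Matching on host names rather than full URLs is deliberate: the SmokeLoader and Amadey paths in the config are per-campaign, while the hosts persist. The NXDOMAIN line still counts as a hit, since a lookup of a C2 name from a workstation is itself the signal.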
Unpacked files
SHA256 hash: 04238506d52600874d74966bdd38a8c9312a3dcf86583b8cf9f53f8468e8172f
MD5 hash: 30496652b3b2305823045b0f2fa513e0
SHA1 hash: 9a53984a34a92b3ce16131dd84e5fc254bb035a9
SHA256 hash: 0b67dfb73a9ef15956bc9e471c3376491967ec2bb5ebe70e5ef3ec52d24c210c
MD5 hash: c243e6ab205f545f83e86a3ef1061873
SHA1 hash: a7542c1e1130bca74192fc55f8e8c2925ba74a13

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author:ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name:MSIL_TinyDownloader_Generic
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
