MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c5be2f35d60689656e2438187301fc2f8b592f21171f30738e1c5ce7c66ca23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c5be2f35d60689656e2438187301fc2f8b592f21171f30738e1c5ce7c66ca23
SHA3-384 hash: 6040c87e74e51a54fb105d4322fb616411f4e99f2077c43c62b4cb02bd8ccacae9d412b147588514e7bbf46e9e7b8f33
SHA1 hash: bfe42396688ed47477919b9a650cd48297706060
MD5 hash: 69dc45997c6daa9cb1a9db1cb147b24f
humanhash: maryland-burger-river-carolina
File name:SecuriteInfo.com.Win32.BotX-gen.27325.3504
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:274'432 bytes
First seen:2023-09-15 23:57:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be971270bdc2a8fd4ff1ab41bb993dd1 (7 x Stealc, 7 x Smoke Loader, 2 x NetSupport)
ssdeep 3072:KX4t8tk4IvqGRf30KLs8wIt2P5UrpC+r0eF4490lvNWc:c4t86vqGRf30KjtY5UM+Af2c
Threatray 37 similar samples on MalwareBazaar
TLSH T19D44AF12B3F0E871D6164A398E2ECAE4293DB9605F28679723185FEF19F16F085723D1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00000040c0400000 (1 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.BotX-gen.27325.3504
Verdict:
Malicious activity
Analysis date:
2023-09-15 23:59:57 UTC
Tags:
loader smoke
Link:
https://app.any.run/tasks/b1f3620a-2863-4925-bb94-c18f1fc227b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448953/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.27325.3504.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin masquerade packed shell32 smokeloader
Link:
https://www.filescan.io/uploads/6504ef8e32ffdb7a7a07407b/reports/59535ee6-d4d7-4e56-ae05-dc48c53d1d0b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/0c5be2f35d60689656e2438187301fc2f8b592f21171f30738e1c5ce7c66ca23
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f776a516-9c81-4007-9cf0-f4c322524dbd
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309290
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1309290 Sample: SecuriteInfo.com.Win32.BotX... Startdate: 16/09/2023 Architecture: WINDOWS Score: 100 28 Multi AV Scanner detection for domain / URL 2->28 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 5 other signatures 2->34 6 SecuriteInfo.com.Win32.BotX-gen.27325.3504.exe 2->6         started        9 jjbbdwd 2->9         started        11 jjbbdwd 2->11         started        process3 signatures4 36 Detected unpacking (changes PE section rights) 6->36 38 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 6->38 40 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 6->40 13 explorer.exe 3 3 6->13 injected 42 Multi AV Scanner detection for dropped file 9->42 44 Machine Learning detection for dropped file 9->44 46 Maps a DLL or memory area into another process 9->46 48 Checks if the current machine is a virtual machine (disk enumeration) 11->48 50 Creates a thread in another existing process (thread injection) 11->50 process5 dnsIp6 22 taibi.at 187.170.26.222, 49732, 49767, 80 UninetSAdeCVMX Mexico 13->22 24 190.224.203.37, 49746, 49754, 49757 TelecomArgentinaSAAR Argentina 13->24 26 8 other IPs or domains 13->26 18 C:\Users\user\AppData\Roaming\jjbbdwd, PE32 13->18 dropped 20 C:\Users\user\...\jjbbdwd:Zone.Identifier, ASCII 13->20 dropped 52 System process connects to network (likely due to code injection or exploit) 13->52 54 Benign windows process drops PE files 13->54 56 Deletes itself after installation 13->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->58 file7 signatures8
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0c5be2f35d60689656e2438187301fc2f8b592f21171f30738e1c5ce7c66ca23/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-15 23:58:07 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=brn6f425mbujmvxcioayoma7yl4llexscfy7gbzy4hc447dgzirq._file
Verdict:
malicious
Similar samples:
28dc2e5876c22e3f65fcbcd09294720a8bfcb90e216bf5368789017d6bb3c35d
Smoke Loader
54c45269002b84d18f7c86809a608d13fe641a2a6c0e25a31b2e9fd49eac390c
Smoke Loader
561d0712bfdce76c6309a6d0cf1d53686077e01980952856299ceee81f880d02
Smoke Loader
7a3ed98aad8f0e6cc774200cdc7b35b86bffdb5f5ce23e8750acb0945d3c78fd
Smoke Loader
9e7c8aea93412acc8d8de3a956e8485a86caf40c626b2abd491bd5404df1bfbb
Smoke Loader
aa918d4dd7706951fc290b6a5d3ba0e48acc5443056894ee3aad1baa52f412ba
Smoke Loader
be6c808d95d56676eeb845ae082c950425a5048e99590ee3b888190e75cc8b8b
Smoke Loader
c08aef508443dfeaf5159feb6031fa5f5597f3cdb6e0e4d1fe5db9a7820682ec
Smoke Loader
c9ad6251e9f4afbbd9f4f6c614cd6c012fab67575eaa2a36cb83d3709fc4d4a7
Smoke Loader
dc7462bfef0b3d00d800f683b842eecc96c1839a12342f4decb0b88344297925
Smoke Loader
+ 27 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:stealc botnet:pub4 backdoor infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230915-3z5rpsag39/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Deletes itself
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
RedLine payload
SmokeLoader
Stealc
Malware Config
C2 Extraction:
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
http://85.209.11.51
Unpacked files
SH256 hash:
a5c406b97933a8aa395b68221cdd20ddcd73cc1f95472d05a7d6b3bd50892743
MD5 hash:
59658350ff5f6470188ebc0fdd06f057
SHA1 hash:
ca75c22af01a5b64a2c73f50fa36c887a9818f5d
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/e1310734-163b-47af-96ea-04d4a763888a/
Parent samples :
092412b54fb0e9cb731ee75626bc53f0b141ecb5063d4b974a05f6b0ab63367d
4527341e7ba507c6034327633afdbe77481ab609f423ffd68a7ba2e00e35364e
7415704fd2e5ffbb53f5ef4eede832499e18888fc1b206e5263714e669ade596
d9687211c7a526b2eaedd63975a8a0deef343ec8a01a9480d3bf28316dc57107
8ca632e409a6918bf30005a9b2e561771f6427ed03e836c348143c8ef2afbc41
aaa4711bade536afb177325d7971df195bbd235238531c57adcd2c2a7d98c5c9
82ce4a02da068fd7f69b255e60055fbed0fbfaa9dfa15d7aab7185f8dc19f75c
b911c2c7924e997f1349395a95bd57bb211e7b4a67e9c98b01fb3a176b0f27a5
f3fad225386f7222566703f13a3df005b36736afe33c6b324cd18f0df70f973f
a3e06d811446215d4ccf92e136c20795d346f94c23f94caeab63d5727f35b866
dcca1131914f6c8a480e8e0ad87eabb4b85383f804815496cb4f2c2e1a111f39
0c744dfee7acbaa52ab1fc1c1dd11abe966ea1702585492bdfeefb64d8471412
59c3ef0b04f7f8f424ec18d68e886610f886467d9c814e2a3c10378588139967
70856a13672513d4828d2ca74d2f27d4c6239908e8aa303e1ef9536f6e113fcd
14e03b1aaa7c504927a139a2fcaba8976a7ba95a95d3aec4fb0db7f8dde4c45a
1bba9ae0ebee70298d3d5e5bb02a844e07449c945a3a6b0e744c184f1abbe6dd
e440eac7cb52cdaad64e9e46f641e291569789f59aeb2bfa4c6bbc607c2c64e8
c9bfdf471598a56a2c2f8e7ae923c4f05310c919ef4b808276e4a4d4c771dad9
e1fb8f0d455779ea3c3b03f0aa6b0e9377ae17cf421d0d4f8f762db09b8a37ab
cfa9f12a8d7f1970d274d25b7f7ef4512d8d9ea7fce7e22532e97802b55ce104
27628d10eb8210286d7a693bf717d054ded123a64e9983f74d9dd0cd0ff8b8bc
e46d27217c2f60a3deff490c6e70af2bdfbbc2c88389f4ecd2343cf12e36d9a2
f0808f9145505d15318b254701b45482f31fba67e0d0c0fb675122aeadd229ca
b5092c84227a07887205d93213947d670014112568ef15f0f61cf6745aa9eac4
4f2b50cdae8a54b9ea8c2fb0c9a4f90cb3deff3253312f8c2d0511101b210049
b126f012b066653b5005d397a0b184416dc067b2d590355dc6ef9c48166f627b
6dfe70c185debbff667e3683658782e430172a64982532fccf5b9f06f421ed91
4269fc14e1c05c8c10cc3452c1674f3a2cb5c670e1aac1e035d80404c98a3c2c
49626f7992df341d1cf60d497a346e8c5e6e1fc75617f7cc9de649e6c3175085
b07f239481c03cfb14e4ed10dd4e2ee4a5e0f552d10bfcac29980afb565fbde1
124ebe9548272122b27ab21e5b62f9e8e1b8bac6d45a4e3758b83112d3454dc1
e088c9001b5aa8aefb4adc1d2d330e329421cb38207ed632f50caad5309e1d5a
0ca89e45cb7326b579733ba6d787770fa2e1fb854d7cd95e40fc349a4f97b815
0a7e1a7c885b3a1b837b26b445f83a81c26f7b554b43d1496c04340c1cda89db
d272ac4ee1a54facbda171b2c6f82b87c364ed7eff8867466702691a558fb515
61ca2c4e8ca06e00a4e3c81ac8dc195d278cafb2fa3c19b9106db56be7d13f4f
33c9ec83393cb9ae73efdeab84c2c7119e40208e31d10f574e75c2dfff268497
1123332daf11ea61f44deeac5e9955382b8a364a1aee522248841f1096a3e0fb
d8dd8d1a44769db109550352ce1e06fb5487a1024b00a1a041f93e4db81360d6
e83a8cc0363a22af758c588e3562812d025ad8daf4ce5d02b964c4fe556f2243
95461232f730a07e93fde45678f2adc66e41625712073b6a61abd59575d20889
c0ad33866c7e012cbdde8d4b3d7fd05bca3070db5fb1f04efb5d1cb0b853e7c7
62f0f64c7dfc3eee27326734d48b50dd15c668f8109390391f61fe888dd834dc
c32d1a85c36bbd64710315de0eaa5a1cba81e0c2cabc9066dcc9d6abedfae432
fdc7c0972a56c0b78a72b900e1f0c8ddfe2982256870083144ef601e0098e5a7
6a227a344c0b3b87d918eb85404ddec5b578f48452acc6493eca6ca806388954
802ba7207a318efc8155756a171efee5d6f9432d7297c985e3bf63e87dabd0fe
488d08c6b34c661e3b43aa73f5404986ae390ef3fa6a3489b4bdedbd8b5466c3
5611063a14e894694083c4c54a516ded327abb81ccdcc949906a110677aabcbe
cde192b77c6ce93394a5f59b592127da02c7366401c6ed2b249a1a8bb947908c
8c17d5b20427304dc69fe6c8b4e203fa8077ccb1a252caec921c1586132758cd
67d2677beac2c88c2170da3f1a40010c8ea41430f3d34e2a56052b9f1228c054
063363c1b2f576e7ce22154903cbad7770b8b63ec17b0b9eee051638ce40479b
a59a55716baa83c1ead452011fcb236787398c4c5d0c978aa9ad0b9b1bf15057
dfd36cc557c5cfa9ca6c36ebf1640f927e9cbe7383b4aaa87d78c66eda26994c
7bc01f90e9b2c6003233657e4be5c56c8bb70d4bae118998bf75f7f1ed6b7b8f
a8f85fd5c1cfe90bcfcf933d0d76144a1e045321943a6124e1edabe4e10b3635
005ba27d5a25aa46bceba8305caa692e81dcf9df5d015c6814e37b5715e9b4d7
a50e6c7bc177babf2093a4e57daa95e1cd3478e605b3126a82be68b3e36e29f1
590f9c87f7f09b72e8642fa0c3c0cd18d0fd55ac1a20449e6c4b5c20f566499c
07d5358243683de2c27952bfca010d87b5a09b7bdb20235d6f546454c6f47f2b
d008020e569e8a79799d7d5433e208316d41a80bd106852b396948f5b09b4710
c08aef508443dfeaf5159feb6031fa5f5597f3cdb6e0e4d1fe5db9a7820682ec
c9ad6251e9f4afbbd9f4f6c614cd6c012fab67575eaa2a36cb83d3709fc4d4a7
0c5be2f35d60689656e2438187301fc2f8b592f21171f30738e1c5ce7c66ca23
b89197aeed2150dc1faf66186d824c261f41124a17c531297181d7d744c10e0f
6d94bbb53f9465a50c0b26f66a65719a9b643e6946f1543c47e278551e21ee2e
0bf5934811056a692ccadd8c86355bfb1818063ad978982483d4f5b92807ee66
b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682
66be9c888095cf0e79854879085490772ff443b7f13f654de2cea26b293dbd27
a93c61d7bd1e389896a858835e1b035a12759086ddb4a25b77b772ee2854d7b9
2cdd69c31af8dbe568ae6233c67b3ef96f32dadb024212f05f96d412c44cd124
9a3c17bc99d69c0ff856d84e9425ab3ed1e95ca1f7c48abfef2842b0a1917473
f913ccf328361219c48c881da151670a2999401ecdf36d2e18f97d441ba381b5
3d590dced909090620ef7c09e5bac071e45ed9e814a6bc6e1038648929ee1474
69a871ba7d2670d162b2feffd9665fcebc4101a47d7892be98c3abbd602573d9
da56e58fab731a84a632df79098f9de55742f30526059fe581e71aef46abef81
006eeeaf0491717f1021983f1ebbfc8ff71d854730229818fc45f432014d63f3
523e52fcaf97bbdefa328efa095228b509fe56d833eb269c85667fdf34588c1b
SH256 hash:
0c5be2f35d60689656e2438187301fc2f8b592f21171f30738e1c5ce7c66ca23
MD5 hash:
69dc45997c6daa9cb1a9db1cb147b24f
SHA1 hash:
bfe42396688ed47477919b9a650cd48297706060
Link:
https://www.unpac.me/results/e1310734-163b-47af-96ea-04d4a763888a/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0c5be2f35d60/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c5be2f35d60689656e2438187301fc2f8b592f21171f30738e1c5ce7c66ca23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 0c5be2f35d60689656e2438187301fc2f8b592f21171f30738e1c5ce7c66ca23

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2711885/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448953/

Comments