MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13d15a978703a0b442f9385a72232b0471e46ab6f586f90d682396fe90c6258e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13d15a978703a0b442f9385a72232b0471e46ab6f586f90d682396fe90c6258e
SHA3-384 hash: be27c80efd13bf7e7fc6ee49e25006f8103ccca3437388ff3561f0f1c9bfa4cfed194cfa3d8b23a9ad251d235b63f735
SHA1 hash: 193c57a90fa6b96ca723d4ebc5622aa704efeb93
MD5 hash: 68d32cb47499d25b3bdefd296de0c5ed
humanhash: november-oregon-solar-thirteen
File name:68d32cb47499d25b3bdefd296de0c5ed
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:333'824 bytes
First seen:2023-05-30 05:29:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a261f793955a0334411687f62dd4035 (2 x RedLineStealer, 2 x Smoke Loader, 1 x CoinMiner)
ssdeep 3072:AlyKOMGYbCh6y0BOEon3K38nrP6DEXqJukQFWW0zZt2Jw6DnOSqofpT:eOTuJy1638naAVD0aNLO0
Threatray 58 similar samples on MalwareBazaar
TLSH T1F3643A0366E57C60F5264A718E2EC2E8771EF9615F5A77A722189A2F08713F3C272731
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 002060c0e4632100 (1 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
68d32cb47499d25b3bdefd296de0c5ed
Verdict:
Malicious activity
Analysis date:
2023-05-30 05:33:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/77651502-11a2-4761-a7ca-c3eb34fb8a9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393263/
Detection(s):
SecuriteInfo.com.Variant.Zusy.470560.23611.30060.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88614/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware mokes
Link:
https://www.filescan.io/uploads/647589dce464780675a77be7/reports/26c71a62-4208-40f1-af44-46e1a4908959/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/13d15a978703a0b442f9385a72232b0471e46ab6f586f90d682396fe90c6258e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b4f7bd1-40fa-43c2-b554-6e8fee6fc45e
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244863
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Gathers information about network shares
Gathers network related connection and port information
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877873 Sample: XO23T7TP2H.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 58 7 other signatures 2->58 10 XO23T7TP2H.exe 2->10         started        13 atsssvf 2->13         started        15 msiexec.exe 2->15         started        process3 signatures4 82 Detected unpacking (changes PE section rights) 10->82 84 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->84 86 Maps a DLL or memory area into another process 10->86 88 Creates a thread in another existing process (thread injection) 10->88 17 explorer.exe 2 18 10->17 injected 90 Multi AV Scanner detection for dropped file 13->90 92 Machine Learning detection for dropped file 13->92 94 Checks if the current machine is a virtual machine (disk enumeration) 13->94 process5 dnsIp6 50 miami-golf-club.com 66.85.157.98, 443, 49719, 49720 SSASN2US United States 17->50 46 C:\Users\user\AppData\Roaming\atsssvf, PE32 17->46 dropped 48 C:\Users\user\...\atsssvf:Zone.Identifier, ASCII 17->48 dropped 60 System process connects to network (likely due to code injection or exploit) 17->60 62 Benign windows process drops PE files 17->62 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->64 66 7 other signatures 17->66 22 cmd.exe 1 17->22         started        file7 signatures8 process9 signatures10 68 Uses netstat to query active network connections and open ports 22->68 70 Uses netsh to modify the Windows network and firewall settings 22->70 72 Uses ipconfig to lookup or modify the Windows network settings 22->72 74 3 other signatures 22->74 25 WMIC.exe 1 22->25         started        28 systeminfo.exe 22->28         started        30 NETSTAT.EXE 22->30         started        32 25 other processes 22->32 process11 signatures12 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 25->76 78 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 25->78 80 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 25->80 34 cmd.exe 30->34         started        36 net1.exe 32->36         started        38 net1.exe 32->38         started        40 net1.exe 32->40         started        42 3 other processes 32->42 process13 process14 44 ROUTE.EXE 34->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13d15a978703a0b442f9385a72232b0471e46ab6f586f90d682396fe90c6258e/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 05:30:09 UTC
File Type:
PE (Exe)
Extracted files:
60
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cpivvf4haoqliqxzhbnheizlary6i2vw6wdpsdlieolp5eggewha._file
Verdict:
malicious
Similar samples:
24dee27353810b40cc9ba92be44366d2d349c439eeec6bc05f52b5f439d31b79
Smoke Loader
2fee2c9f4a0644c7857db7c4a4122a59267dfb2b8cd2268727d85bcd6626ea5a
Smoke Loader
4b1a1ad26d581f4670cc0521f6c7fb4ef0370003b149d06f5f40ed637bbd16e4
Smoke Loader
54b959b9cc1a080f52f09595418a7753a67f1cf7884d2a836536ffb821b6fb0d
Smoke Loader
65640ae45f81e5a0367d374193b9a7958e7e2cba9b4f7e448cd2545a70c2880e
Smoke Loader
b61d731a27cdb669aed74e29ad0f2aec901cc3d09b65f7d0dd1582d4561c6a6e
Smoke Loader
c59f124751c86d7bc758592d7a38727b02a041a56928c2a523fddea2bf69c728
Smoke Loader
f1b14007a26d653067be8c62a58f74b016510a9319f397af6bc25563af031134
Smoke Loader
f3052878865704277dbbbc6d8e38a009468cb0fa5fc911b426d26fd13e75b337
Smoke Loader
fd84fb6d3f652320b03c3b4b63529d6d80967949f95613067c45d64b93de7be7
Smoke Loader
+ 48 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:0019 backdoor collection evasion trojan
Link:
https://tria.ge/reports/230530-f66agsfg5v/
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Modifies Windows Firewall
SmokeLoader
Malware Config
C2 Extraction:
https://miami-golf-club.com/search.php
https://seattle-fishing-club.com/search.php
Unpacked files
SH256 hash:
927e577d9c189401b4385a1ffcf2b0d66e1aef5abd17642285e98e132ccb897d
MD5 hash:
53a382952a0795d38d69c40dcdbb6b47
SHA1 hash:
ab93941039cb969ae6f71b706e7a479489acfae7
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/42a348f5-32f7-4860-ae72-a6a04943022b/
SH256 hash:
13d15a978703a0b442f9385a72232b0471e46ab6f586f90d682396fe90c6258e
MD5 hash:
68d32cb47499d25b3bdefd296de0c5ed
SHA1 hash:
193c57a90fa6b96ca723d4ebc5622aa704efeb93
Link:
https://www.unpac.me/results/42a348f5-32f7-4860-ae72-a6a04943022b/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/13d15a978703/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13d15a978703a0b442f9385a72232b0471e46ab6f586f90d682396fe90c6258e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/393263/

Comments