MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15e3a34b2bd7ad520d87fe902eee65f35049cc5bc3579bbb5182dfb91e3fd289. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 10

SHA256 hash: 15e3a34b2bd7ad520d87fe902eee65f35049cc5bc3579bbb5182dfb91e3fd289
SHA3-384 hash: e800b6ed99add8769aad1469791e51ea0e28e8b1a2cc3266b36868e04af1f6e39a624e1bed281192baa45124e58d3e4d
SHA1 hash: eb354b499420adfcc4cbdf4abaeeb6c1223b19f4
MD5 hash: 4db28116d59c1667b312039549196abb
humanhash: butter-potato-edward-south
File name: win.exe
Signature: Smoke Loader
File size: 286'064 bytes
First seen: 2023-07-11 09:34:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep: 6144:Pz2PITSQ38JVy9KD8rDW6N5uFrc7kmX1n3H1LJqK:CI+Q38nCKD8rDW/LmX131cK
Threatray: 1'411 similar samples on MalwareBazaar
TLSH: T18454125B49F264BFE9A3D13139E3EF49F3BAE60716A2064343701A762D6399DC70814D
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 120cfc9aa6b69ea6 (1 x Smoke Loader, 1 x GuLoader)
Reporter: pr0xylife
Tags: exe signed Smoke Loader SmokeLoader

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2023-06-26T03:08:11Z
Valid to: 2026-06-25T03:08:11Z
Serial number: 6fde347270c434da02b082a3037c0ea74f75efc4
Thumbprint Algorithm: SHA256
Thumbprint: d6e6254ba5cf426134b4891973a1e79035974a57b94f41161cf04b1ca559ec15
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
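The entry lists four file hashes and tags the file both "signed" and "overlay", while the certificate block above shows no organisation or issuer and a validity period starting 2023-06-26, about two weeks before the sample was first seen. The following Python is an added example, not code from MalwareBazaar, ReversingLabs or any sandbox vendor: it verifies a local copy against the entry's hashes (so that the page's verdicts are only applied to the file they were produced for) and parses the PE header far enough to report overlay size and whether an Authenticode security directory is attached. The hash constants are copied from the entry; the PE built by build_test_pe() is constructed for the self-test and is not the sample. A present security directory only means a signature blob is attached; it says nothing about whether the chain validates, so run a real verifier (for example osslsigncode verify on Linux or signtool verify on Windows) before reading anything into the "signed" tag.

```python
"""Offline triage of a PE sample against this MalwareBazaar entry.

Added example; not code from MalwareBazaar, ReversingLabs or any sandbox
vendor. Hash constants are copied from the entry above. The PE built by
build_test_pe() is constructed for the self-test and is not the sample.
"""
import hashlib
import struct

# Digests listed in the entry (hashlib algorithm names map 1:1 to the page labels)
SAMPLE_HASHES = {
    "sha256": "15e3a34b2bd7ad520d87fe902eee65f35049cc5bc3579bbb5182dfb91e3fd289",
    "sha3_384": "e800b6ed99add8769aad1469791e51ea0e28e8b1a2cc3266b36868e04af1f6e3"
                "9a624e1bed281192baa45124e58d3e4d",
    "sha1": "eb354b499420adfcc4cbdf4abaeeb6c1223b19f4",
    "md5": "4db28116d59c1667b312039549196abb",
}

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode signature directory index


def file_hashes(data: bytes) -> dict:
    """Compute the four digests the entry lists for a byte buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_entry(data: bytes, expected: dict = SAMPLE_HASHES) -> bool:
    """True only if every listed digest matches. One mismatch means this is a
    different file (or a corrupted download) and none of the page's verdicts
    apply to it."""
    got = file_hashes(data)
    return all(got[name] == value.lower() for name, value in expected.items())


def parse_pe(data: bytes) -> dict:
    """Minimal PE header parse: machine, section count, overlay size and
    whether a security directory (Authenticode blob) is present.

    The overlay is any data past the end of the last section's raw data. An
    Authenticode signature normally lives there, but so do packer and
    installer payloads, which is what the entry's "overlay" tag points at.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: data directories start 96 bytes into the optional header
        dd = opt + 96
    elif magic == 0x20B:     # PE32+: 112 bytes in
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Unlike the other directories, SECURITY holds a raw file offset, not an RVA
    sec_off, sec_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = opt + opt_size
    end_of_sections = 0
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return {
        "machine": machine,
        "sections": nsections,
        "overlay_size": max(0, len(data) - end_of_sections),
        "has_security_dir": sec_off != 0 and sec_size != 0 and sec_off + sec_size <= len(data),
    }


def build_test_pe(overlay: bytes = b"", security_dir: bool = False) -> bytes:
    """Constructed minimal PE32 (i386, one .text section at file offset 0x400)
    with an optional overlay; exists only to exercise parse_pe() offline."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # 1 section, 224-byte optional header
    dirs = [(0, 0)] * 16
    if security_dir:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x600, len(overlay))  # points at the overlay
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + opt + text
    return header + b"\0" * (0x400 - len(header)) + b"\xC3" * 0x200 + overlay


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(b"\0" * 64, True)
    print("matches entry:", matches_entry(blob))
    print(parse_pe(blob))
```

Run it with the path to a local copy of the sample as the only argument; with no argument it runs against the constructed PE. The imphash, ssdeep and TLSH values on the page need third-party libraries (pefile, ssdeep, py-tlsh) and are deliberately left out of this stdlib-only block.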

Intelligence


File Origin
# of uploads: 1
# of downloads: 352
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: win.exe
Verdict: Suspicious activity
Analysis date: 2023-07-11 09:36:42 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating a window
Creating a file in the %temp% subdirectories

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:

MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control lolbin overlay packed shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GuLoader, SmokeLoader
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Deletes itself after installation
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 1270720; sample win.exe; start date 11/07/2023; architecture WINDOWS; score 100), reconstructed from the flattened graph view:

Signatures attached to the run as a whole: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 9 other signatures. Domains at the top level: cletonmy.com, alpatrik.com, plus 3 other IPs or domains not named in the graph.

Process tree (dropped files, network endpoints and signatures per process):

win.exe (the sample)
    dropped: C:\Users\user\AppData\Local\...\osetupui.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
    signatures: Tries to detect Any.run
    win.exe (second instance)
        network: 192.3.179.134, ports 49839, 49860, 80 (AS-COLOCROSSINGUS United States)
        signatures: Tries to detect Any.run; Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
        explorer.exe (injected)
            network: cletonmy.com 172.105.103.207, ports 49850, 80 (LINODE-APLinodeLLCUS United States); alpatrik.com 193.106.175.162, ports 49851, 49852, 49853 (IQHOSTRU Russian Federation)
            dropped: C:\Users\user\AppData\Roaming\btbdccg (PE32); C:\Users\user\AppData\Local\Temp\3132.exe (PE32); C:\Users\user\...\btbdccg:Zone.Identifier (ASCII)
            signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 3 other signatures
            3132.exe
                network: files.catbox.moe 108.181.20.35, ports 443, 49854, 49863 (ASN852CA Canada)
                dropped: C:\Users\user\AppData\...\Kyzyrmljljj.exe (PE32)
                signatures: Antivirus detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Creates multiple autostart registry keys
                3132.exe (second instance)
                    network: api4.ipify.org 64.185.227.156, ports 443, 49861, 49867 (WEBNXUS United States)
                    dropped: C:\Users\user\AppData\Roaming\...\WinHlp.exe (PE32)
                    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys; 3 other signatures
            explorer.exe
                signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access)
            Kyzyrmljljj.exe
                signatures: Injects a PE file into a foreign processes
            8 other processes
                signatures: Tries to harvest and steal browser information (history, passwords, etc)
                WerFault.exe
btbdccg (the dropped persistence copy, started separately by the sandbox)
    dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
    btbdccg (second instance)
        signatures: Creates a thread in another existing process (thread injection)
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor trojan
Behaviour:
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
SmokeLoader
Malware Config
C2 Extraction:
http://cletonmy.com/
http://alpatrik.com/
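The extracted configuration gives two plain-HTTP C2 URLs, and the behaviour graph above records the addresses they resolved to on 2023-07-11 together with three more endpoints the infection chain touched. The Python below is an added example, not MalwareBazaar or vendor code, that sweeps DNS and proxy logs for those indicators. It treats the C2 domains and their resolved IPs as hard hits, and treats files.catbox.moe and api4.ipify.org as corroborating context only, because both are public services with plenty of legitimate traffic; a host that only talked to ipify is not reported. The log line format and the SAMPLE_LOGS lines are constructed for this example and are not real telemetry, and the resolved IPs are a snapshot from the sandbox run, so re-resolve the domains before relying on the IP list.

```python
"""Sweep DNS and proxy logs for the network indicators this entry reports.

Added example; not MalwareBazaar, Joe Sandbox or any vendor code. Indicator
values come from the C2 extraction and the behaviour graph above. The log
line format and SAMPLE_LOGS are constructed for this example only.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

# Extracted C2 domains plus the addresses they (and win.exe) reached in the run
C2_DOMAINS = {"cletonmy.com", "alpatrik.com"}
C2_IPS = {"172.105.103.207", "193.106.175.162", "192.3.179.134"}
# Also contacted in the run but shared with legitimate users (payload hosting,
# public-IP lookup). Alone they are noise; next to a C2 hit on the same host
# they corroborate the chain. Do not block them outright.
CONTEXT_DOMAINS = {"files.catbox.moe", "api4.ipify.org"}

Hit = namedtuple("Hit", "host indicator kind line")

# Constructed formats: "<ts> dns client=<host> query=<name>" and
# "<ts> proxy client=<host> dst=<ip:port> url=<url>"
DNS_RE = re.compile(r"^\S+ dns client=(?P<host>\S+) query=(?P<q>\S+)$")
PROXY_RE = re.compile(r"^\S+ proxy client=(?P<host>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)$")


def _in_domains(name, domains):
    """Exact or subdomain match; a look-alike such as notcletonmy.com must not match."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def _classify_name(name):
    if _in_domains(name, C2_DOMAINS):
        return "c2-domain"
    if _in_domains(name, CONTEXT_DOMAINS):
        return "context-domain"
    return None


def scan(lines):
    """Return C2 hits, context hits restricted to hosts that also have a C2
    hit, and the sorted list of hosts with at least one C2 hit."""
    c2, ctx = [], []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            name = m["q"].rstrip(".").lower()
            kind = _classify_name(name)
        else:
            m = PROXY_RE.match(line)
            if not m:
                continue            # unknown format: skip rather than guess
            ip = m["dst"].rsplit(":", 1)[0]
            if ip in C2_IPS:        # direct-to-IP beaconing needs no DNS hit
                name, kind = ip, "c2-ip"
            else:
                name = (urlparse(m["url"]).hostname or "").lower()
                kind = _classify_name(name)
        if kind is None:
            continue
        (c2 if kind.startswith("c2-") else ctx).append(Hit(m["host"], name, kind, line))
    infected = {h.host for h in c2}
    return {
        "c2": c2,
        "context": [h for h in ctx if h.host in infected],
        "hosts": sorted(infected),
    }


# Constructed log lines for the self-test (not real telemetry)
SAMPLE_LOGS = [
    "2023-07-11T09:40:01Z dns client=ws-017 query=cletonmy.com.",
    "2023-07-11T09:40:02Z proxy client=ws-017 dst=172.105.103.207:80 url=http://cletonmy.com/",
    "2023-07-11T09:40:05Z proxy client=ws-017 dst=108.181.20.35:443 url=https://files.catbox.moe/",
    "2023-07-11T09:41:10Z proxy client=ws-017 dst=64.185.227.156:443 url=https://api4.ipify.org/",
    "2023-07-11T09:42:00Z dns client=ws-042 query=api4.ipify.org.",
    "2023-07-11T09:42:05Z dns client=ws-042 query=notcletonmy.com.",
    "2023-07-11T09:42:30Z proxy client=ws-099 dst=193.106.175.162:80 url=http://alpatrik.com/",
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOGS)
    for hit in result["c2"] + result["context"]:
        print(f"{hit.host:8} {hit.kind:15} {hit.indicator}")
    print("hosts to isolate:", result["hosts"])
```

Against the constructed lines, ws-017 and ws-099 come out as C2 hits, the catbox and ipify contacts are reported only for ws-017, and the lone ipify lookup from ws-042 and the look-alike notcletonmy.com are ignored. Adapt the two regexes to your own DNS and proxy formats; the classification logic does not depend on them.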
Unpacked files
SHA256 hash: 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
MD5 hash: 2ae993a2ffec0c137eb51c8832691bcb
SHA1 hash: 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 hash: 15e3a34b2bd7ad520d87fe902eee65f35049cc5bc3579bbb5182dfb91e3fd289
MD5 hash: 4db28116d59c1667b312039549196abb
SHA1 hash: eb354b499420adfcc4cbdf4abaeeb6c1223b19f4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Smoke Loader
Executable exe 15e3a34b2bd7ad520d87fe902eee65f35049cc5bc3579bbb5182dfb91e3fd289 (this sample)
Delivery method: Distributed via web download