MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 172c25ce4a5916f38026250b5799b318751216eb858a6b1230b039527115af52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 15



SHA256 hash: 172c25ce4a5916f38026250b5799b318751216eb858a6b1230b039527115af52
SHA3-384 hash: 3ec4be186bf0348fb70280ff9f442e3563a36c2f714f227f5095c6d52c92f7dbb09d1a693080c4eee995392868f410ee
SHA1 hash: 0fbf309148ef7fc9b3a9e7958fe87192a91b531b
MD5 hash: 36f2bf0573bedc2ba4c8902c3095a867
humanhash: chicken-victor-vermont-king
File name: 36f2bf0573bedc2ba4c8902c3095a867
Signature: Smoke Loader
File size: 9'596'416 bytes
First seen: 2023-11-24 10:16:25 UTC
Last seen: 2023-11-24 12:38:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 5a5081b1176ce07a5e6ebc3dbd7a5ce3 (1 x Smoke Loader, 1 x Stop)
ssdeep 196608:xMKc4viXqtzu6KRcQXIQMEMMT6pnBR/r7cTTuXdAO5AjZqdx:vc4KozubR9XxMQ6pnX/rAC014
Threatray 2 similar samples on MalwareBazaar
TLSH T1FBA623E65BCDB6B9C082563451038397B483A44F84BE599A3FC67D019A28FFB054FFA1
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon bcf4d888c8d4c4e4 (1 x Smoke Loader, 1 x LummaStealer)
Reporter zbetcheckin
Tags: 64 exe Smoke Loader

Intelligence


File Origin
# of uploads: 2
# of downloads: 370
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Modifying a system file
Replacing files
Launching a service
Launching a process
Sending a UDP request
Connecting to a non-recommended domain
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Changing a file
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed packed vmprotect
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine Stealer
Verdict: Malicious
Result
Threat name: Phonk Miner, RedLine, SmokeLoader, zgRAT
Detection: malicious
Classification: rans.troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Phonk Miner
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected zgRAT
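Several of the signatures above (a directory or extension exclusion added to Windows Defender through the registry, real-time protection disabled through the registry, UAC disabled through the registry) correspond to a small set of well-known registry values, which makes them easy to alert on from registry telemetry. The following is an added example, not Joe Sandbox's or MalwareBazaar's code: it evaluates registry value-set events (the shape Sysmon Event ID 13 produces, with Image, TargetObject and Details fields) against those values. The key paths are the standard Defender and UAC policy locations; the events are constructed for this example and are not taken from the sample's report, and mapping "Disables UAC (registry)" to EnableLUA / ConsentPromptBehaviorAdmin is my assumption about what that signature checks.

```python
import re

# Added example (not from the page). Registry value-set events, in the shape
# Sysmon Event ID 13 produces, are checked against the Defender/UAC tampering
# values that the sandbox signatures on this entry describe.

DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")
# Exclusions are stored as value *names* under these subkeys; the excluded
# path/extension is the tail of TargetObject and may itself contain backslashes.
EXCLUSION_RE = re.compile(
    r"\\windows defender\\exclusions\\(paths|extensions|processes|ipaddresses)\\(.+)$", re.I)

# (pattern on the full TargetObject, DWORD value that means tampering, message)
DWORD_RULES = [
    (re.compile(r"\\windows defender\\real-time protection\\disablerealtimemonitoring$", re.I), 1,
     "Defender real-time monitoring disabled"),
    (re.compile(r"\\windows defender\\disableantispyware$", re.I), 1,
     "Defender disabled (DisableAntiSpyware=1)"),
    # Assumption: this is what "Disables UAC (registry)" refers to.
    (re.compile(r"\\policies\\system\\enablelua$", re.I), 0,
     "UAC disabled (EnableLUA=0)"),
    (re.compile(r"\\policies\\system\\consentpromptbehavioradmin$", re.I), 0,
     "UAC elevation prompt silenced (ConsentPromptBehaviorAdmin=0)"),
]


def dword_value(details):
    """Parse the numeric value out of Sysmon's 'DWORD (0x...)' Details string."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def evaluate(event):
    """Return an alert string for one registry event, or None if nothing matches."""
    target = event["target"]
    m = EXCLUSION_RE.search(target)
    if m:
        return f"Defender exclusion added ({m.group(1).lower()}): {m.group(2)}"
    value = dword_value(event.get("details"))
    for pattern, bad_value, message in DWORD_RULES:
        if pattern.search(target) and value == bad_value:
            return message
    return None


def scan(events):
    """Run every event through evaluate(); return (writing image, alert) pairs."""
    alerts = []
    for event in events:
        alert = evaluate(event)
        if alert:
            alerts.append((event["image"], alert))
    return alerts


# Constructed events for this example; not taken from the sandbox report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Local\Temp",
     "details": "DWORD (0x00000000)"},
    {"image": r"C:\Users\user\AppData\Local\Temp\Install.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Users\user\AppData\Local\Temp\Install.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"image": r"C:\Users\user\AppData\Local\Temp\Install.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe",
     "details": "DWORD (0x00000000)"},
    # Benign: an installer writing its own key.
    {"image": r"C:\Program Files\Example\setup.exe",
     "target": r"HKLM\SOFTWARE\Example\InstallDir",
     "details": r"C:\Program Files\Example"},
    # Benign: real-time monitoring being re-enabled (value 0), must not alert.
    {"image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for image, alert in scan(SAMPLE_EVENTS):
        print(f"{alert}  <- {image}")
```

The exclusion rule deliberately matches on the whole TargetObject rather than its last path component, because an excluded directory such as `C:\Users\user\AppData\Local\Temp` is stored as a value name that itself contains backslashes. The DWORD rules compare against a specific value so that a product re-enabling protection (DisableRealtimeMonitoring = 0) does not trip the same alert.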
Behaviour
Behavior Graph (reconstructed from the flattened graph image)
Behavior Graph ID: 1347348
Sample: djY5EQkDAl.exe
Startdate: 24/11/2023
Architecture: WINDOWS
Score: 100
Root signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 22 other signatures

Process tree (contacts = IPs/domains, drops = files written, signatures = per-process signatures, starts = child processes):

djY5EQkDAl.exe
  contacts: 87.240.132.67 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 87.240.137.140 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 15 other IPs or domains
  drops: C:\Users\...\vMkpOB5EVGbjNaaj_8T70io9.exe (PE32+); C:\Users\...\tQIoPwP_Rhz1C5ZY2R0gxU5u.exe (PE32); C:\Users\...\lMcYq_hbTDO200O4xa3i4AzR.exe (PE32); 15 other malicious files
  signatures: Creates HTML files with .exe extension (expired dropper behavior); Found many strings related to Crypto-Wallets (likely being stolen); Disables Windows Defender (deletes autostart); 5 other signatures
  starts:
    tQIoPwP_Rhz1C5ZY2R0gxU5u.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds extensions / path to Windows Defender exclusion list (Registry); 3 other signatures
      starts:
        CasPol.exe
          contacts: 107.167.110.211 (OPERASOFTWAREUS, United States); 107.167.110.216 (OPERASOFTWAREUS, United States); 14 other IPs or domains
          drops: C:\Users\...\yWRMxmbWyY26F1UXFNbQ0aWA.exe (PE32); C:\Users\...\yPxVjb3ZmlXhVC7NTB1aQp3V.exe (PE32); C:\Users\...\xxzihaVJkjp8ihVB8dsfmjmb.exe (PE32); 238 other malicious files
          signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
          starts:
            ob8Iwg8Ho1U43N2vopzIKp5X.exe
              drops: C:\Users\...\ob8Iwg8Ho1U43N2vopzIKp5X.tmp (PE32)
              starts:
                ob8Iwg8Ho1U43N2vopzIKp5X.tmp
                  drops: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 13 other files (12 malicious)
            POIc6xihAVrAgbLZ7kkb351P.exe
              contacts: 149.154.167.99 (TELEGRAMRU, United Kingdom); 195.201.255.35 (HETZNER-ASDE, Germany)
              drops: 13 other files (9 malicious)
              signatures: Tries to harvest and steal browser information (history, passwords, etc)
            cnfe6nTsI9OiQWgrgsbUJp4p.exe
              contacts: 107.167.110.217 (OPERASOFTWAREUS, United States); 107.167.125.189 (OPERASOFTWAREUS, United States); 2 other IPs or domains
              drops: Opera_installer_2311241019078121088.dll (PE32); C:\Users\user\AppData\Local\...\opera_package (PE32); 4 other malicious files
              signatures: Writes many files with high entropy
            3 other processes
              drops: C:\Users\user\AppData\Local\Temp\Broom.exe (PE32); C:\Users\user\AppData\Local\...\Install.exe (PE32); C:\Users\user\AppData\Local\...\config.txt (data)
              starts:
                Broom.exe
        powershell.exe
          starts:
            conhost.exe
        WerFault.exe
          contacts: 20.189.173.22 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
    6qAHtQo9YRh0C4IOlqMfr2ip.exe
      contacts: 95.142.206.3 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 45.15.156.229 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 185.172.128.69 (NADYMSS-ASRU, Russian Federation)
      drops: C:\Users\...\zaM25JMzgAQD36toBFr90tmY.exe (PE32); C:\Users\...\HIKv1FJqhwofo08_kZ0xI4WA.exe (PE32+); C:\Users\user\AppData\...\allnewumm[1].exe (PE32)
      signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Disables Windows Defender (deletes autostart); Exclude list of file types from scheduled, custom, and real-time scanning; Disable Windows Defender real time protection (registry)
      starts:
        zaM25JMzgAQD36toBFr90tmY.exe
          drops: C:\Users\user\AppData\Local\...\toolspub2.exe (PE32); C:\Users\user\AppData\Local\...\latestX.exe (PE32+); 2 other malicious files
        HIKv1FJqhwofo08_kZ0xI4WA.exe
          drops: C:\Program Files\Google\Chrome\updater.exe (PE32+)
          signatures: Adds a directory exclusion to Windows Defender
    e8RILwkqDCl5XDc1edVMyAko.exe
      drops: C:\Users\user\AppData\Local\...\Install.exe (PE32); C:\Users\user\AppData\Local\...\config.txt (data)
      starts:
        Install.exe
          drops: C:\Users\user\AppData\Local\...\Install.exe (PE32)
          signatures: Multi AV Scanner detection for dropped file
          starts:
            Install.exe
              drops: C:\Users\user\AppData\Local\...\SpaTIwe.exe (PE32)
              signatures: Multi AV Scanner detection for dropped file
    7 other processes
      contacts: 194.169.175.220 (CLOUDCOMPUTINGDE, Germany); 194.169.175.128 (CLOUDCOMPUTINGDE, Germany); 194.33.191.60 (AQUA-ASRO, unknown)
      drops: C:\Users\user\AppData\Local\...\3RQaDq.cpL (PE32)
      signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 8 other signatures
      starts:
        cmd.exe
          starts:
            control.exe
              starts:
                rundll32.exe
                  starts:
                    rundll32.exe
                      starts:
                        rundll32.exe
            conhost.exe
svchost.exe
  contacts: 23.62.164.112 (GTT-BACKBONEGTTDE, United States); 127.0.0.1 (unknown)
svchost.exe
  starts:
    WerFault.exe
6 other processes
  starts:
    conhost.exe
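The process tree is what makes this run detectable independently of file hashes: a user-profile dropper starting CasPol.exe (a signed .NET binary, with "Writes to foreign memory regions" and "Allocates memory in foreign processes" reported on its parent) and powershell.exe, a chain of user-profile executables three levels deep, and cmd.exe -> control.exe -> rundll32.exe after a .cpl file is dropped. The following is an added example, not the sandbox's or MalwareBazaar's code: a few parent/child rules evaluated over process-creation events. The PIDs, the event layout and the directories are constructed for this example (the page truncates the real dropped-file paths); only the process names mirror the graph.

```python
import re
from dataclasses import dataclass

# Added example (not from the page): parent/child rules over process-creation
# events, modelled on the process tree in the behaviour graph. PIDs and
# directories below are constructed; only the image names mirror the graph.

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def lineage(procs, pid):
    """Yield parent, grandparent, ... of pid; stops at unknown or cyclic PIDs."""
    seen = {pid}
    p = procs.get(pid)
    while p is not None and p.ppid in procs and p.ppid not in seen:
        p = procs[p.ppid]
        seen.add(p.pid)
        yield p


def findings(events):
    """Return (pid, reason) pairs for processes that match one of the rules."""
    procs = {e.pid: e for e in events}
    out = []
    for e in events:
        name = basename(e.image)
        parent = procs.get(e.ppid)
        parent_in_profile = parent is not None and bool(USER_WRITABLE.match(parent.image))
        # 1. Trusted Windows binaries launched by something living in the user profile.
        if name == "caspol.exe" and parent_in_profile:
            out.append((e.pid, "CasPol.exe started by a user-profile executable (injection target)"))
        if name == "powershell.exe" and parent_in_profile:
            out.append((e.pid, "powershell.exe started by a user-profile executable"))
        # 2. rundll32.exe anywhere below control.exe: a Control Panel item (.cpl) being run.
        if name == "rundll32.exe" and any(basename(a.image) == "control.exe" for a in lineage(procs, e.pid)):
            out.append((e.pid, "rundll32.exe below control.exe (.cpl execution)"))
        # 3. Dropper chains: a user-profile executable whose ancestors are also user-profile executables.
        if USER_WRITABLE.match(e.image):
            depth = sum(1 for a in lineage(procs, e.pid) if USER_WRITABLE.match(a.image))
            if depth >= 2:
                out.append((e.pid, f"user-profile executable {depth + 1} levels deep in a dropper chain"))
    return out


# Constructed process-creation events (pid, ppid, image) for this example.
SAMPLE_EVENTS = [
    Proc(1, 0, r"C:\Windows\explorer.exe"),
    Proc(100, 1, r"C:\Users\user\Desktop\djY5EQkDAl.exe"),
    Proc(110, 100, r"C:\Users\user\AppData\Local\Temp\tQIoPwP_Rhz1C5ZY2R0gxU5u.exe"),
    Proc(111, 110, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"),
    Proc(112, 110, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(120, 100, r"C:\Users\user\AppData\Local\Temp\6qAHtQo9YRh0C4IOlqMfr2ip.exe"),
    Proc(121, 120, r"C:\Users\user\AppData\Local\Temp\zaM25JMzgAQD36toBFr90tmY.exe"),
    Proc(130, 100, r"C:\Windows\System32\cmd.exe"),
    Proc(131, 130, r"C:\Windows\System32\control.exe"),
    Proc(132, 131, r"C:\Windows\System32\rundll32.exe"),
    Proc(133, 132, r"C:\Windows\System32\rundll32.exe"),
    # Benign: an installed application that legitimately uses rundll32.exe.
    Proc(200, 1, r"C:\Program Files\Example\app.exe"),
    Proc(201, 200, r"C:\Windows\System32\rundll32.exe"),
]

if __name__ == "__main__":
    for pid, reason in findings(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The depth rule is the one most worth tuning: a single executable in the user profile starting another is routine for installers, which is why it only fires once two user-profile ancestors are in the chain.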
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-11-24 10:17:06 UTC
File Type: PE+ (Exe)
Extracted files: 10
AV detection: 12 of 23 (52.17%)
Threat level: 2/5
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SHA256 hash: 172c25ce4a5916f38026250b5799b318751216eb858a6b1230b039527115af52
MD5 hash: 36f2bf0573bedc2ba4c8902c3095a867
SHA1 hash: 0fbf309148ef7fc9b3a9e7958fe87192a91b531b
Malware family: PrivateLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: Smoke Loader
File: Executable exe 172c25ce4a5916f38026250b5799b318751216eb858a6b1230b039527115af52 (this sample)
Delivery method: Web download (distributed via web download)

Comments



zbet commented on 2023-11-24 10:16:26 UTC

url : hxxp://194.49.94.97/download/WWW14_64.exe
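The indicators this entry exposes (the file hashes at the top, the IPs the process tree contacted in the behaviour graph, and the defanged download URL in the comment above) are what a responder pivots on. The following is an added example, not MalwareBazaar's code or the reporter's: it verifies a file against the listed hashes and matches proxy log lines against the network indicators. The log format and the log lines are constructed for this example, the IP list is a subset of what the graph shows, and the host of the download URL is folded into the IP set on the assumption that traffic to that host is worth flagging on its own.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Added example (not from the page). Hashes and network indicators are copied
# from this entry; the log format and log lines are constructed.

SAMPLE_HASHES = {
    "md5": "36f2bf0573bedc2ba4c8902c3095a867",
    "sha1": "0fbf309148ef7fc9b3a9e7958fe87192a91b531b",
    "sha256": "172c25ce4a5916f38026250b5799b318751216eb858a6b1230b039527115af52",
}
# Subset of the IPs the behaviour graph shows the process tree contacting.
CONTACTED_IPS = {
    "87.240.132.67", "87.240.137.140", "95.142.206.3", "45.15.156.229",
    "185.172.128.69", "194.169.175.220", "194.169.175.128", "194.33.191.60",
}
# Distribution URL from the reporter's comment, defanged as on the page.
DISTRIBUTION_URLS = {"hxxp://194.49.94.97/download/WWW14_64.exe"}


def refang(ioc):
    """Undo hxxp:// and [.] defanging so indicators compare against live logs."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[:]", ":"))


def hashes_of(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def hash_matches(data, expected=SAMPLE_HASHES):
    """Per-algorithm comparison, so a partial match (e.g. MD5 only) is visible."""
    computed = hashes_of(data)
    return {alg: computed[alg] == digest.lower() for alg, digest in expected.items()}


def network_iocs():
    """Refanged URL set plus the IP set, with URL hosts folded in (assumption)."""
    urls = {refang(u) for u in DISTRIBUTION_URLS}
    ips = set(CONTACTED_IPS) | {urlsplit(u).hostname for u in urls}
    return ips, urls


# Constructed log format: "<timestamp> <client> <destination ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def scan_proxy_log(lines):
    """Return (timestamp, client, reasons) for every line that touches an indicator."""
    ips, urls = network_iocs()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["dst"] in ips:
            reasons.append(f"destination {m['dst']} is a contacted IP from the sandbox run")
        if m["url"] in urls:
            reasons.append("URL is the reported distribution URL")
        elif urlsplit(m["url"]).hostname in ips:
            reasons.append("URL host is a contacted IP from the sandbox run")
        if reasons:
            hits.append((m["ts"], m["src"], reasons))
    return hits


# Constructed proxy log lines; the client and benign destination use reserved ranges.
SAMPLE_LOG = [
    "2023-11-24T10:20:01Z 10.0.0.15 194.49.94.97 GET http://194.49.94.97/download/WWW14_64.exe",
    "2023-11-24T10:20:09Z 10.0.0.15 87.240.132.67 POST http://87.240.132.67/",
    "2023-11-24T10:21:00Z 10.0.0.22 198.51.100.7 GET https://www.example.com/",
]

if __name__ == "__main__":
    for ts, src, reasons in scan_proxy_log(SAMPLE_LOG):
        print(ts, src, "; ".join(reasons))
```

Comparing all three hashes rather than SHA256 alone costs nothing and catches the case where a feed only carries an MD5 or SHA1. The vk.com-hosted addresses in the graph are shared infrastructure, so a destination-IP hit on them is a lead to confirm against the full request, not a verdict on its own.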