MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19119a6c77015d4648fb38250614b86fd3f6ffd5e1b4ebc457eef2f90db46e6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19119a6c77015d4648fb38250614b86fd3f6ffd5e1b4ebc457eef2f90db46e6a
SHA3-384 hash: 823a89438c6a5ab8daba211ff9316e6f5c7d240f0d45dc6f016b9424a68aff25ec9c5790c8782bfc99b4604e974dafaa
SHA1 hash: 968e30f7aa75a6a2f46be9c75601e43d99be7d3a
MD5 hash: b57e2fa677ff88cf9b350a43f1330847
humanhash: moon-johnny-lake-avocado
File name:b57e2fa677ff88cf9b350a43f1330847.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:229'888 bytes
First seen:2023-10-11 19:31:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1779cddf5976b55ff16f4e4d4c8ed385 (2 x Tofsee, 2 x RecordBreaker, 2 x Smoke Loader)
ssdeep 3072:8Xpp80LY/zfYaPZa1ObZtlYvwjm8nk4Ae15WdTyh:4TNLQfYaPZAObZoQ64hedT
Threatray 47 similar samples on MalwareBazaar
TLSH T11B24CF117A52D871C84641308837C6F47ABABC76DA5C998337A83FBF7D31392A36B254
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 000808080a060400 (1 x Smoke Loader, 1 x Stealc)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b57e2fa677ff88cf9b350a43f1330847.exe
Verdict:
Malicious activity
Analysis date:
2023-10-11 19:56:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89cd045e-dfa2-4203-b5e8-f729d603f52e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/453487/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6526f833bdacde97996a45cd/reports/d9e62267-3ee0-4bd1-907a-99212586dce5/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/19119a6c77015d4648fb38250614b86fd3f6ffd5e1b4ebc457eef2f90db46e6a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e01da7a6-23d0-481a-9b18-2749dfde57f9
Result
Threat name:
DanaBot, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1324096
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found API chain indicative of debugger detection
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1324096 Sample: 5tjegfy08Y.exe Startdate: 11/10/2023 Architecture: WINDOWS Score: 100 43 wirtshauspost.at 2->43 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 5 other signatures 2->65 9 5tjegfy08Y.exe 2->9         started        12 wsifjjh 2->12         started        14 wsifjjh 2->14         started        signatures3 process4 signatures5 73 Detected unpacking (changes PE section rights) 9->73 75 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->75 77 Maps a DLL or memory area into another process 9->77 79 Creates a thread in another existing process (thread injection) 9->79 16 explorer.exe 12 5 9->16 injected 81 Antivirus detection for dropped file 12->81 83 Machine Learning detection for dropped file 12->83 85 Checks if the current machine is a virtual machine (disk enumeration) 12->85 process6 dnsIp7 37 115.88.24.200, 49847, 49864, 49885 LGDACOMLGDACOMCorporationKR Korea Republic of 16->37 39 wirtshauspost.at 123.140.161.243, 49710, 49711, 49712 LGDACOMLGDACOMCorporationKR Korea Republic of 16->39 41 5.226.141.207, 49728, 80 BANDWIDTH-ASGB United Kingdom 16->41 29 C:\Users\user\AppData\Roaming\wsifjjh, PE32 16->29 dropped 31 C:\Users\user\AppData\Local\Temp\1195.exe, PE32 16->31 dropped 33 C:\Users\user\...\wsifjjh:Zone.Identifier, ASCII 16->33 dropped 51 System process connects to network (likely due to code injection or exploit) 16->51 53 Benign windows process drops PE files 16->53 55 Deletes itself after installation 16->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->57 21 1195.exe 6 16->21         started        file8 signatures9 process10 file11 35 C:\ProgramData\Qdsypeqeoasuop.tmp, DOS 21->35 dropped 67 Detected unpacking (creates a PE file in dynamic memory) 21->67 69 Found API chain indicative of debugger detection 21->69 71 May use the Tor software to hide its network traffic 21->71 25 rundll32.exe 1 4 21->25         started        signatures12 process13 dnsIp14 45 185.4.65.42, 443, 49731, 49738 RECONNRU United Kingdom 25->45 47 45.136.49.68, 443, 49732, 49739 PELUCHE-ASES Estonia 25->47 49 37.59.205.1, 443, 49730, 49733 OVHFR France 25->49 87 System process connects to network (likely due to code injection or exploit) 25->87 signatures15
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/19119a6c77015d4648fb38250614b86fd3f6ffd5e1b4ebc457eef2f90db46e6a/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2023-10-11 11:01:25 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=deizu3dxafoumsh3hasqmffyn7j7n76v4g2oxrcx53zpsdnunzva._file
Verdict:
malicious
Similar samples:
14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2
Smoke Loader
201fb0901529270bdf56cb9d8d432a28040be664d49e041f4a7c88b8ec5150b6
Smoke Loader
46ac0ab158fc001e4dca1d72667b8302470526bb97c0832f7ce2c0814943a667
Smoke Loader
4fde35f203cdacb88a85df5622b3b0b4e3f572c616b124c007d6158534d36896
Smoke Loader
661619bee5d7b2c990720d645d7def09c3de41a964acc6ddc77866b8e283a37b
Smoke Loader
8282c76d3fbe900b90d4cc171b116191362effd2ca851d3552742aabbf77ecf9
Smoke Loader
91c73aedcbfa2a3726a63259aafea1f73a89b54ad5ba5c2a1747d3927713449a
Smoke Loader
99063294db6384dbe30caa07b0dccca9a8c62276f2987d0c643d0ea7bb8b4ff2
Smoke Loader
9a528b2b31d9d59018878fdf3b9d8db235df606500c67a4b8be3075701b014fc
Smoke Loader
a675a625f52a13b54c0e28dcccbd6a4004ab262c841f42f9099d7e1b2d8091ff
Smoke Loader
+ 37 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub4 backdoor trojan
Link:
https://tria.ge/reports/231011-x8ghksaf49/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Deletes itself
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://wirtshauspost.at/tmp/
http://msktk.ru/tmp/
http://soetegem.com/tmp/
http://gromograd.ru/tmp/
http://talesofpirates.net/tmp/
Unpacked files
SH256 hash:
1841ba0efee1c1739a985c5ce8ba50499b1d9a3998179f8c60cad37de06e94cf
MD5 hash:
e160632d3059af565697d32002485b5a
SHA1 hash:
b3a5839301c9cd4fefec03d8468bf84cb61451a3
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/06583915-4c65-4ad0-81d3-3f8aed48d7e8/
Parent samples :
ed3d3c7ea2def6256c7c068239abf27ad41589859675386a391dbb30b07eb57c
6a302e65ae3cd7ceb6a94b2753f1a3223b189355eecbe443b0fd45722a495f48
661619bee5d7b2c990720d645d7def09c3de41a964acc6ddc77866b8e283a37b
f3690441d255e923934221ee1e394f3536a11ce793d34c6466ce7a29e2577857
19119a6c77015d4648fb38250614b86fd3f6ffd5e1b4ebc457eef2f90db46e6a
99063294db6384dbe30caa07b0dccca9a8c62276f2987d0c643d0ea7bb8b4ff2
ed5858af8476036c1914ff346745b794c74a98bbb2fa8edba77bfc497a6471a8
35416fc3b1be5d63574fab368830e544a73a1dd15a6b68f0859f85f2097d7355
212f3f74cd96e2e08855fabc350bd0e96af86c025eebfcec8a9b78d153b70985
359c7a9295f5c54a78cde6981f6637e134fc7a23819e80f928ea805bcf98430f
898a57544bdfbaac62372f1b7bc63610750c0f377c66c372e34909e6c5f474c5
SH256 hash:
19119a6c77015d4648fb38250614b86fd3f6ffd5e1b4ebc457eef2f90db46e6a
MD5 hash:
b57e2fa677ff88cf9b350a43f1330847
SHA1 hash:
968e30f7aa75a6a2f46be9c75601e43d99be7d3a
Link:
https://www.unpac.me/results/06583915-4c65-4ad0-81d3-3f8aed48d7e8/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19119a6c7701/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19119a6c77015d4648fb38250614b86fd3f6ffd5e1b4ebc457eef2f90db46e6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 19119a6c77015d4648fb38250614b86fd3f6ffd5e1b4ebc457eef2f90db46e6a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2712503/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/453487/

Comments