MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 13



SHA256 hash: 1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d
SHA3-384 hash: 20cf572f7c5e89902b56b75baa1fd955b85940812c3e71343add58c38e0e33c8cda68ba1e081f59d35d8ba170202db95
SHA1 hash: 4238324dbc9af56518cf22b9eefb46c49e070329
MD5 hash: 6b54a758faca53461548bba794e3c026
humanhash: oven-mockingbird-sierra-utah
File name: file
Download: download sample
Signature: Smoke Loader
File size: 641'754 bytes
First seen: 2024-04-29 13:36:32 UTC
Last seen: 2024-04-29 14:31:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f4639a0b3116c2cfc71144b88a929cfd (106 x GuLoader, 53 x Formbook, 40 x VIPKeylogger)
ssdeep: 12288:oXJGlsluNcS0XIjLEQkU2ZXgRkGKJ28XxNZbLrJh/QgjzdhSaxejcvJ0QS:oXJBlzSkYLOUiXgrKo8jZbnwAqagyJ
Threatray: 1'107 similar samples on MalwareBazaar
TLSH: T10DD4235523D8D5F3CD2B963188BBA5234D75650421B0DB478FA47BACBC23A8CE01E7B6
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE): (icon image)
dhash icon: 30f0c4e4c4dd6088 (1 x Smoke Loader)
Reporter: Bitsight
Tags: exe Smoke Loader
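Verifying a local copy against the digests listed above, as an added example that is not MalwareBazaar's own code. It computes the four digests the entry prints (MD5, SHA1, SHA256, SHA3-384) in one streaming pass and compares them case-insensitively against whatever subset an indicator feed carries. Labels it cannot compute are reported as None rather than as a mismatch: imphash, ssdeep and TLSH need pefile, ssdeep and tlsh, and note that the entry itself shows this imphash shared with 106 GuLoader and 53 Formbook samples, so it is a weak pivot on its own. The input in the usage block is the constructed test vector b"abc".

```python
"""Added example; not MalwareBazaar's code.  Verify a local copy of a sample
against the digests an entry lists, case-insensitively and for whichever
subset of them an indicator feed happens to carry."""
import hashlib

# Labels as MalwareBazaar prints them -> hashlib algorithm names.
DIGESTS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA3-384": "sha3_384"}
CHUNK = 1 << 20   # 1 MiB, so large droppers are hashed without being slurped


def _digest_chunks(chunks) -> dict:
    """Feed every chunk to all four hashers in a single pass."""
    hashers = {label: hashlib.new(alg) for label, alg in DIGESTS.items()}
    for piece in chunks:
        for h in hashers.values():
            h.update(piece)
    return {label: h.hexdigest() for label, h in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    """Digests of an in-memory buffer (used by the tests and for unpacked payloads)."""
    view = memoryview(data)
    return _digest_chunks(view[i:i + CHUNK] for i in range(0, len(view), CHUNK))


def digest_path(path: str) -> dict:
    """Digests of a file on disk, read in CHUNK-sized pieces."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(CHUNK), b""))


def match_iocs(data: bytes, expected: dict) -> dict:
    """Map each expected label to True/False, or to None when the label names a
    digest this helper cannot compute (imphash, ssdeep, TLSH).  None instead of
    False keeps an unsupported label from being read as a failed match."""
    computed = digest_bytes(data)
    verdicts = {}
    for label, value in expected.items():
        key = label.strip().upper()
        if key not in computed:
            verdicts[label] = None
        else:
            verdicts[label] = computed[key] == value.strip().lower()
    return verdicts


if __name__ == "__main__":
    # Constructed input: the canonical test vector b"abc", not the sample above.
    print(match_iocs(b"abc", {
        "SHA256": "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD",
        "imphash": "f4639a0b3116c2cfc71144b88a929cfd",
    }))
```

Run it against a downloaded sample with `digest_path("/path/to/sample")` and pass the four hashes from the entry as `expected`; any False means the file on disk is not the object this page describes.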


Bitsight
url: http://pofix.red/upd/index.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 401
Origin country: US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d.exe
Verdict:
Malicious activity
Analysis date:
2024-04-29 13:38:08 UTC
Tags:
loader smokeloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Creating synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32
Result
Threat name:
SmokeLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 1433392; sample file.exe; start date 29/04/2024; architecture WINDOWS; score 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures

file.exe (started)
  cmd.exe (started)
    dropped: C:\Users\user\AppData\Local\...\Jamaica.pif (PE32)
    signatures: Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks
    Jamaica.pif (started)
      signatures: Machine Learning detection for dropped file; Found API chain indicative of debugger detection; Injects a PE file into a foreign process
      Jamaica.pif (started)
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
        explorer.exe (injected)
          network: 95.86.30.3 (INEL-AS-MK, Macedonia); 172.67.133.129 (CLOUDFLARENETUS, United States)
          dropped: C:\Users\user\AppData\Roaming\grrhfev (PE32); C:\Users\user\AppData\Local\Temp\D1B2.exe (PE32)
          signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
          D1B2.exe (started)
            dropped: C:\Users\user\AppData\Local\Temp\setup.exe (PE32); C:\Users\user\AppData\Local\...\blowfish.dll (PE32); C:\Users\user\AppData\Local\...\huge[1].dat (PE32); 2 other files (none is malicious)
            signatures: Multi AV Scanner detection for dropped file
      Jamaica.pif (started)
    PING.EXE (started)
      network: 127.0.0.1 (unknown)
    cmd.exe (started)
    7 other processes
grrhfev (started)
  signatures: Machine Learning detection for dropped file
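Three of the sandbox signatures above (ping.exe used to sleep, a .pif dropped under AppData and executed, the extensionless persistence copy grrhfev under AppData\Roaming) expressed as detection logic over process-creation events. This is an added example, not code from ANY.RUN, Joe Sandbox or MalwareBazaar. The event dicts mimic the Sysmon Event ID 1 fields Image, CommandLine and ParentImage and are constructed from the report's process tree; the directory the report truncates for Jamaica.pif is filled with an assumed Temp path for the fixture only.

```python
"""Added example; not code from ANY.RUN, Joe Sandbox or MalwareBazaar.
Process-creation rules for three behaviours in the report above.  Event
fields mimic Sysmon Event ID 1; the events are constructed."""
import re
from pathlib import PureWindowsPath

SUSPICIOUS_EXT = {".pif", ".scr", ".com", ".cpl"}      # executable, rarely legitimate today
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\windows\\temp\\")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
PING_COUNT = re.compile(r"(?:^|\s)-n\s+(\d+)", re.IGNORECASE)
LOOPBACK = re.compile(r"(?:^|\s)(?:127\.0\.0\.1|localhost|::1)(?:\s|$)", re.IGNORECASE)

# Constructed events following the report's process tree.  The Jamaica.pif
# directory is an assumption: the report truncates it.
EVENTS = [
    {"Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping.exe -n 5 127.0.0.1",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 1 10.0.0.1",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\Jamaica.pif", "CommandLine": "Jamaica.pif",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\user\AppData\Roaming\grrhfev",
     "CommandLine": r"C:\Users\user\AppData\Roaming\grrhfev",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "CommandLine": "app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(event: dict) -> list:
    """Return the rule names an event trips; an empty list means no finding."""
    hits = []
    image = event["Image"]
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    low = image.lower()
    in_user_dir = any(d in low for d in USER_WRITABLE)
    suffix = PureWindowsPath(low).suffix

    # "Uses ping.exe to sleep": ping against loopback with a repeat count,
    # spawned by a script host.  "-n 1" is an ordinary reachability probe.
    if _basename(image) == "ping.exe" and _basename(parent) in SCRIPT_HOSTS:
        count = PING_COUNT.search(cmd)
        if LOOPBACK.search(cmd) and count and int(count.group(1)) > 1:
            hits.append("ping_sleep")

    # "Drops PE files with a suspicious file extension" followed by "Creating a
    # process from a recently created file": .pif/.scr/.com run from a user-writable path.
    if suffix in SUSPICIOUS_EXT and in_user_dir:
        hits.append("suspicious_ext_from_user_dir")

    # The persistence copy in the graph (grrhfev) carries no extension at all;
    # an extensionless image under a user-writable directory is rare for software.
    if suffix == "" and in_user_dir:
        hits.append("extensionless_image_in_user_dir")
    return hits


def scan(events: list) -> list:
    """Evaluate every event; return (Image, hits) for the ones that trip a rule."""
    out = []
    for event in events:
        hits = detect(event)
        if hits:
            out.append((event["Image"], hits))
    return out


if __name__ == "__main__":
    for image, hits in scan(EVENTS):
        print(image, hits)
```

The rules are deliberately narrow: a single `ping -n 1` to a real host, which the report also shows, is left alone, and the extension rule keys on the path as well as the suffix so a `.scr` in `C:\Windows\System32` is not flagged.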
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2024-04-29 13:37:03 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:smokeloader botnet:pub3 backdoor trojan
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://cellc.org/tmp/index.php
http://h-c-v.ru/tmp/index.php
http://icebrasilpr.com/tmp/index.php
http://piratia-life.ru/tmp/index.php
http://piratia.su/tmp/index.php
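The five extracted C2 URLs above as network indicators, in an added example that is not MalwareBazaar tooling. It splits the URLs into a host set and a URI-path set and grades proxy-log matches: a request to one of the configured hosts is high confidence, while a request whose only match is the shared path /tmp/index.php is low confidence, since that path is not unique to this configuration and would also miss a panel served from a different URI. The access-log lines are constructed, in Squid native format, with documentation-range destination addresses.

```python
"""Added example, not MalwareBazaar tooling: normalise the extracted C2 URLs
into host and URI indicators and grade proxy-log matches by confidence.
The access-log lines are constructed (Squid native format)."""
from urllib.parse import urlsplit

C2_URLS = [
    "http://cellc.org/tmp/index.php",
    "http://h-c-v.ru/tmp/index.php",
    "http://icebrasilpr.com/tmp/index.php",
    "http://piratia-life.ru/tmp/index.php",
    "http://piratia.su/tmp/index.php",
]

# Constructed access.log lines:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
ACCESS_LOG = """\
1714397012.101 312 10.20.0.15 TCP_MISS/200 611 POST http://cellc.org/tmp/index.php - HIER_DIRECT/203.0.113.5 text/html
1714397013.555 40 10.20.0.15 TCP_MISS/200 512 POST http://example.net/tmp/index.php - HIER_DIRECT/203.0.113.7 text/html
1714397020.003 88 10.20.0.22 TCP_MISS/200 9123 GET http://example.org/ - HIER_DIRECT/203.0.113.9 text/html
1714397021.900 12 10.20.0.22 TCP_MISS/200 711 POST http://PIRATIA.SU/tmp/index.php?x=1 - HIER_DIRECT/203.0.113.8 text/html
"""


def build_indicators(urls):
    """Split the config URLs into a lower-cased host set and a URI-path set."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path.lower())
    return hosts, paths


def grade(url, hosts, paths):
    """'high' when the host is one the config names, 'low' when only the URI
    path matches, None otherwise.  Query strings are ignored on purpose."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in hosts:
        return "high"
    if parts.path.lower() in paths:
        return "low"
    return None


def scan_log(log, urls):
    """Return (client, method, url, grade) for every line that matches."""
    hosts, paths = build_indicators(urls)
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        verdict = grade(url, hosts, paths)
        if verdict:
            hits.append((client, method, url, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(ACCESS_LOG, C2_URLS):
        print(hit)
```

Host matching uses `urlsplit().hostname`, which strips the port and lower-cases the name, so the mixed-case `PIRATIA.SU` request still lands as a high-confidence hit; the `example.net` request on the same path is reported, but only as low confidence for an analyst to triage.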
Unpacked files
SHA256 hash:
1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d
MD5 hash:
6b54a758faca53461548bba794e3c026
SHA1 hash:
4238324dbc9af56518cf22b9eefb46c49e070329
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: NSIS_April_2024
Author: NDA0N
Description: Detects NSIS installers
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

This sample: Executable exe 1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d (Smoke Loader), delivery: Web download
Dropped by: Privateloader
Delivery method: Distributed via web download

BLint


The following tables provide more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews

ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW
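The two BLint findings above, reproduced by an added example that is not BLint's own implementation: a dependency-free parser that reads DllCharacteristics and the security (Authenticode) data directory from the PE optional header, plus a constructed headers-only PE so the checks run offline. Two caveats the findings table does not spell out. An empty security directory means no signature is embedded; a YARA rule that matches certificate-related strings, as several of the rules listed above do by name, says nothing about whether a signature directory is present or valid, and validating a chain needs a signature verifier, not this parser. And HIGH_ENTROPY_VA only changes ASLR behaviour for 64-bit images, so for a PE32 file (TrID reports Win32 above) this example downgrades that finding to informational; that severity choice is the example's, not BLint's.

```python
"""Added example, not BLint's code: a dependency-free PE header parser that
reproduces the CHECK_AUTHENTICODE and CHECK_DLL_CHARACTERISTICS findings,
with a constructed headers-only PE builder so the checks can be exercised."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode blob; entry holds a file offset
HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT = 0x0020, 0x0040, 0x0100
WANTED = {"HIGH_ENTROPY_VA": HIGH_ENTROPY_VA, "DYNAMIC_BASE": DYNAMIC_BASE, "NX_COMPAT": NX_COMPAT}


def parse_pe(data: bytes) -> dict:
    """Pull bitness, DllCharacteristics and the security directory out of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: BaseOfData present, 32-bit ImageBase
        pe32plus, n_dirs_off, dirs_off = False, 92, 96
    elif magic == 0x20B:          # PE32+: 64-bit ImageBase and stack/heap fields
        pe32plus, n_dirs_off, dirs_off = True, 108, 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    sec_off = sec_size = 0
    need = dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1)
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and opt_size >= need:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {"machine": machine, "pe32plus": pe32plus, "dll_characteristics": dll_chars,
            "security_offset": sec_off, "security_size": sec_size}


def findings(data: bytes) -> list:
    """Return (id, title, severity) tuples in the shape of BLint's findings table."""
    pe = parse_pe(data)
    out = []
    if pe["security_size"] == 0:        # no embedded Authenticode signature at all
        out.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    missing = [name for name, bit in WANTED.items() if not pe["dll_characteristics"] & bit]
    if missing:
        # HIGH_ENTROPY_VA only matters for 64-bit ASLR: on a PE32 image its
        # absence is reported but downgraded to "info" (this example's choice).
        severe = pe["pe32plus"] or any(m != "HIGH_ENTROPY_VA" for m in missing)
        out.append(("CHECK_DLL_CHARACTERISTICS",
                    "Missing dll Security Characteristics (%s)" % ", ".join(missing),
                    "high" if severe else "info"))
    return out


def build_synthetic_pe(pe32plus: bool, dll_characteristics: int, security_size: int) -> bytes:
    """Constructed fixture: DOS stub, COFF header and optional header with 16
    data directories and no sections.  Enough for parse_pe(); not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew
    dirs_off = 112 if pe32plus else 96
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x400 if security_size else 0, security_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for finding in findings(fh.read()):
            print(" | ".join(finding))
```

Pointing the script at a real PE prints the same three-column rows as the table above; a file that passes every check prints nothing.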

Comments