MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
SHA3-384 hash: b5947f50213cbd263d029fcd1bdef98378fea5e3117ef9e87c2ee66725fe49aaf46a2302b1a4a2f35a5c715c59d4f928
SHA1 hash: 2150a746f78c9648d61a5e6861817408d80296cb
MD5 hash: 7ff07ccc087a7d29c89cfd7fd5eb9f5d
humanhash: alpha-avocado-east-mobile
File name:7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:167'424 bytes
First seen:2023-07-16 07:40:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40bc36fa70f0816a5b8a662a7b97a051 (3 x RedLineStealer, 1 x Fabookie, 1 x Smoke Loader)
ssdeep 3072:rri0LnjzU9CSXlwRglQttweek/bOn3fekTBO95wYW:60LnjAxX8WQfY2OvesnYW
Threatray 4'780 similar samples on MalwareBazaar
TLSH T19EF3DF1138D1C072D54B86351836DBA4AF2E78229BB8CA8F375C0B7E1FB15D19B7A346
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0c0c110248400000 (1 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
Verdict:
Malicious activity
Analysis date:
2023-07-16 08:31:08 UTC
Tags:
loader smoke trojan banker dridex opendir
Link:
https://app.any.run/tasks/84b78d96-acb0-4004-9f87-bd54f23079b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/420985/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed xpack
Link:
https://www.filescan.io/uploads/64b39f11fd9e198dc1148918/reports/dd2150c2-18cc-491d-9718-5387ec4a9f20/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd186f9f-20b5-4f7f-a0a1-709088aa5a26
Result
Threat name:
LummaC Stealer, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273880
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1273880 Sample: 8EuhvtSNIN.exe Startdate: 16/07/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for domain / URL 2->68 70 Found malware configuration 2->70 72 12 other signatures 2->72 8 8EuhvtSNIN.exe 2->8         started        11 fsehiwb 2->11         started        process3 signatures4 96 Detected unpacking (changes PE section rights) 8->96 98 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->98 100 Maps a DLL or memory area into another process 8->100 102 Creates a thread in another existing process (thread injection) 8->102 13 explorer.exe 7 13 8->13 injected 104 Multi AV Scanner detection for dropped file 11->104 106 Machine Learning detection for dropped file 11->106 108 Checks if the current machine is a virtual machine (disk enumeration) 11->108 process5 dnsIp6 60 stalagmijesarl.com 13->60 62 stalagmijesarl.com 194.50.153.31, 49698, 49699, 49700 GAZ-IS-ASRU United Kingdom 13->62 64 4 other IPs or domains 13->64 42 C:\Users\user\AppData\Roaming\fsehiwb, PE32 13->42 dropped 44 C:\Users\user\AppData\Local\Temp\F758.exe, PE32 13->44 dropped 46 C:\Users\user\AppData\Local\Temp040.exe, PE32 13->46 dropped 48 3 other malicious files 13->48 dropped 118 System process connects to network (likely due to code injection or exploit) 13->118 120 Benign windows process drops PE files 13->120 122 Performs DNS queries to domains with low reputation 13->122 124 4 other signatures 13->124 18 E040.exe 1 13->18         started        21 2FDE.exe 3 13->21         started        24 F758.exe 13->24         started        26 10 other processes 13->26 file7 signatures8 process9 dnsIp10 74 Multi AV Scanner detection for dropped file 18->74 76 Writes to foreign memory regions 18->76 78 Allocates memory in foreign processes 18->78 28 AppLaunch.exe 4 18->28         started        32 WerFault.exe 10 18->32         started        34 conhost.exe 18->34         started        50 45.15.156.21, 15863, 49788 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 21->50 80 Detected unpacking (changes PE section rights) 21->80 82 Detected unpacking (overwrites its own PE header) 21->82 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->84 94 2 other signatures 21->94 52 104.21.37.53, 49741, 49753, 49758 CLOUDFLARENETUS United States 24->52 54 188.114.96.7, 49742, 49743, 49744 CLOUDFLARENETUS European Union 24->54 56 2 other IPs or domains 24->56 86 Query firmware table information (likely to detect VMs) 24->86 88 Machine Learning detection for dropped file 24->88 90 Tries to harvest and steal browser information (history, passwords, etc) 24->90 92 Injects a PE file into a foreign processes 26->92 36 AppLaunch.exe 26->36         started        38 conhost.exe 26->38         started        40 WerFault.exe 26->40         started        signatures11 process12 dnsIp13 58 94.228.169.160, 43800, 49738, 49739 SSERVICE-ASRU Russian Federation 28->58 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->110 112 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->112 114 Tries to steal Crypto Currency Wallets 28->114 116 Tries to harvest and steal browser information (history, passwords, etc) 36->116 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-14 20:42:13 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3xf5s2vofgtaluk3tbul7bxhk7v5myytscusiwpzj6dyxdqdd7a._file
Verdict:
malicious
Similar samples:
31125dd90470955ca70e23ae2c3fd372db8b991a7c92bfb49d442b67539602c3
Smoke Loader
3598d3cd6e1913196d9b2f024585a560d6854a5dc19cd55d4796a1e9dcd5448c
Smoke Loader
51d2456ed49b7b235750aab87f9bd7d6528e842a284b9b2cec81a58bf8cc37f8
Smoke Loader
6fae76c5a5b11cf96e9f4577b8e3355807696e9462226f4826da83c0107be114
Smoke Loader
acd063c502b1957bdb4e19c2f677128ff3ba956940a702aa1760e1d2362ff0eb
Smoke Loader
bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb
Smoke Loader
e3f7ed5592973622f15cd7bde4d5f5444414f453e96674f3ec083fadcd8791d1
Smoke Loader
+ 4'770 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:laplas family:redline family:smokeloader botnet:cc botnet:summ backdoor clipper discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230716-jh57csea6v/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Laplas Clipper
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
94.228.169.160:43800
http://clipper.guru
Unpacked files
SH256 hash:
48b6a4785f1dc9f33c51c2e588c7f9edf76e551cff8759ac5622cf995330ff14
MD5 hash:
d9cde58139fef6bf75141230f9662d97
SHA1 hash:
68ac6ee1b78dfa15bfe49229640a0929438029af
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/373d541f-cb8d-406f-bff3-cf7e86f6c7a9/
Parent samples :
dfa65f33e16205d8c072ba1fb3d0f419f0af2e25f1c251d2b1ef83dd822dc476
aa4938085915798a5b6a03db3a04f6b2927d108db0bfac32ca66462f6a406c36
e4ff3d138daf42cc71613a0b2b9131e672ab42e3fc8f12779efa2f882985c40c
240e33c28d618ba23fc7489c03dcc40e3e3d2c84ef959db800321d1946d3dbcf
65640ae45f81e5a0367d374193b9a7958e7e2cba9b4f7e448cd2545a70c2880e
b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891
b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027
5ecd711693f12b243e84e97975eaf2f981016a7cf004841dceb7b9d720bc1f6d
a6e56a741e9aa67f861b574964a4999eb77ca586abf079c1891ca09c7900c713
2f526d3756e8f59616b5f69c9527d4751594ea82464c971eaadfc04216d0b27a
14a81d39c1a2260f7dde336245ab276a3416319e8bea2740107f8da6b5baecc2
57058dda63d287fb506d12c043fe1eb07abcaacb703fb2f8120edefb815bd1a8
9e4e8a3c08c71e24a113731d9b3c6221c79a0d82e9ab0b510e4240257b4d0eee
954a8d78e97e2bb65568d4c5d692a2a9975a330eaa7fae20e4620d18ccbb5881
bfe83b5436233b54ba7808d535042708313d5ec62aece600d943798f5c62efda
fc5c1ed9df3db079ed9b1714c11b5fd8edd6f69498fe6150303ae160884d3c04
e59ad322f3178a7905a9a3c623e7b5d8132080ddc9d2d3797d64939a23611a00
e93e6d9ed58c2476607f4352c2fb03b5247276f5be99840b0db4d546457f20e5
c862c9ce5cc849f7e292a61984c11b3a61a137f71ce19b3e72b653932602a0fc
8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3
455cd1baccbf9b3abc59454a6d80ee72c2db5cb6ffb73a5102b5a1e6eb78599e
45395f6fad7289cb0f9599ed1f578140d5280f1769957c4bba4fb5f6798a41bf
d347eea452c0cd8f233db473bc2889ef05049a6bffef49184120c9d302fa74e6
cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb
2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1
e58ebdf4702cc16c7b5626d7e5a169fda32ecb3df251c9f087c8ad7ad6897672
799c6f0780b063a98ca67e217ac920733e5ed59742300658a747457ef30a3ed8
a5cb5558a1fb53b177fd0a683da3e93c4c0149588c7b06b5b8f5570896bd79bc
5b6d6c1bf6cfc3f0c4b792a2416d52588c22701fc9484c7c0a40bfb75ced4c4e
fc70465d07b9f3eb64e7f5ada2c047cd54b1a10b2790264456c0f76a798b50fc
fd831bc88d1c08c8b8a2e3756569b8fc3c143d516f4a72ec6fbf3c456c6209bb
2cc7483f686c00278ce3dcda694baca322bfbe70e8cf4ec5dd8ec0f31a955625
c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c
2c43ca2ea57631cdd00d46b6d292ca82922c239c1ad400a4714134fed8f2a50e
4f2680a213e3345c83f3f0adc9bcf75af76e50eed035b2c54f54b071e115f694
b2f12a3ef735f92b67cf807fb8be7df8400c065318ad3b0f8cd144738db7b96b
SH256 hash:
26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
MD5 hash:
7ff07ccc087a7d29c89cfd7fd5eb9f5d
SHA1 hash:
2150a746f78c9648d61a5e6861817408d80296cb
Link:
https://www.unpac.me/results/373d541f-cb8d-406f-bff3-cf7e86f6c7a9/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26ee5ecb5571/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/420985/

Comments