MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454
SHA3-384 hash: eed44ab842c522ee2272ca387540a2c4c59ee5c670bca3cc4dac9665b7344c2c2bdf636ecc0ba20faa35d76585f3ea8e
SHA1 hash: 21b76cbf267a5793148bfcf6ef9a4c85d0044c0b
MD5 hash: 21c581fc8290a9b48495c00a9b41c04a
humanhash: twenty-charlie-michigan-utah
File name:21c581fc8290a9b48495c00a9b41c04a.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:2'657'656 bytes
First seen:2022-04-20 09:32:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2833106949ae6e20c40ed0128f9df4b (5 x RecordBreaker, 4 x SystemBC, 3 x RedLineStealer)
ssdeep 49152:xH/36fLVLxWCa6klgDPg2YptZ6XLgsHr8Z1qtMcKV8O2/VCQX7fwhp:SLVBXDPgxpb6brHr99wj
Threatray 128 similar samples on MalwareBazaar
TLSH T1DAC533C287872875EA7185B122A33A43642E9ED1CE91535710E5F274AFEE364CE33DB1
TrID 50.0% (.EXE) Generic Win/DOS Executable (2002/3)
49.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f0c4969696c6f4f8 (1 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe signed Smoke Loader

Code Signing Certificate

Organisation:sandvik.coromant.com
Issuer:SwissSign Server Gold CA 2014 - G22
Algorithm:sha256WithRSAEncryption
Valid from:2021-08-20T06:43:54Z
Valid to:2022-08-20T06:43:54Z
Serial number: 714619dcfcd06cacd23b8a0f35d836304e4b4c58
Thumbprint Algorithm:SHA256
Thumbprint: edbb2db156b8722c6295f71aad3264b5fbd6111390f561eb89830a3bb0060fa6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
457
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bazaar.abuse.ch/download/2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454/
Verdict:
Malicious activity
Analysis date:
2022-04-20 13:37:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f4a4262-d4d5-444c-8f0a-b683589e60e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264942/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed virus
Link:
https://www.filescan.io/uploads/625fd355eab80a7a6c496624/reports/c19139d8-7cfd-4489-b1ca-206515cdca5d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2468d68-51fe-42c8-a90c-469c16b62e12
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/979441
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-20 00:30:53 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
062d46c5e1575cce5d4851bfdf3482843ed8fe129c3d5017b1581fd9e783a385
Smoke Loader
2c03b271f9f6870ba2d36e812d737d841b3fec61d0f1404271af57cfee4610a8
Smoke Loader
9c8314de1486634c7612198f144f80cba26a2f79a65b657b6f17af33491c0998
Smoke Loader
a2ed4456865129f69ed876a3262526d1193bc881708d46d86be1528f23c1b749
Smoke Loader
bcede46445b13b3def4d8363b1365903a72f3ed6c09ff078bd3a090f65ed0937
Smoke Loader
ee99ebb5242fcb97bf73e360b27a7cbc100483e46421b8af6676413fbda19a83
Smoke Loader
+ 118 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:redline family:smokeloader botnet:@chelnevreya botnet:default botnet:test run agilenet backdoor discovery evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220420-lh8ctsbgaj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Malware Config
C2 Extraction:
http://hydroxychl0roquine.xyz/
https://hydroxychl0roquine.xyz/
46.8.220.88:65531
193.106.191.253:4752
88.198.110.77:4160
http://92.119.160.244/Biasdmxit.php
2.58.56.219:39064
Unpacked files
SH256 hash:
9ee6a215d82c3418c4d252b74ef2e8c14dda119cd7ed7e67cb83bc7d8373d4a7
MD5 hash:
c3301fe73e43a75ef9c3c3b2dbdbd62d
SHA1 hash:
f5d6110f2075cfc50cbe6c7bc9bc8ec920ea0d64
Link:
https://www.unpac.me/results/51041ac5-ec5a-4d22-90bd-d6bbe551e1de/
SH256 hash:
06d50bb679afd76ede3ab7cd901ce14fcdf141d435f9b89e75396cf312f74bf9
MD5 hash:
799123e0c20d9b2ea3c0c5a4573c36de
SHA1 hash:
999ad1b5f7420cd7b3400da8b07334df230d0374
Link:
https://www.unpac.me/results/51041ac5-ec5a-4d22-90bd-d6bbe551e1de/
SH256 hash:
2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454
MD5 hash:
21c581fc8290a9b48495c00a9b41c04a
SHA1 hash:
21b76cbf267a5793148bfcf6ef9a4c85d0044c0b
Link:
https://www.unpac.me/results/51041ac5-ec5a-4d22-90bd-d6bbe551e1de/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2b460be5f1a9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2136856/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/264942/

Comments