MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c009fefcf337b8b5e4f0249aeb1627d3a39934097cf5fea75b16c5aa9a7f374. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c009fefcf337b8b5e4f0249aeb1627d3a39934097cf5fea75b16c5aa9a7f374
SHA3-384 hash: 63d9af25f822bdd5346c847e420aabdd40aef42933b46b354ee65e0e4b2ffbd371b1ebf104d8aee8c95b444144281383
SHA1 hash: 59ed889246126ea1b255b7bf391ef5198a4b6c7c
MD5 hash: 981fb98bb6fa845c67ed22349e91867d
humanhash: friend-harry-eleven-lithium
File name:Had.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:8'179'424 bytes
First seen:2024-01-06 18:49:38 UTC
Last seen:2024-01-07 10:14:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:zI1V5yYHMXoJ141kYqgK0GLKhemxQbTmRJ5QhIylxox9XNrqp5VBu:EyQy2IkNOemxyePn
Threatray 1 similar samples on MalwareBazaar
TLSH T132863B00FEB0AF7CE4EA4175AD6013E551F267166762EB56CD00E5A9381E2F78FC3262
TrID 40.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
32.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
7.3% (.SCR) Windows screen saver (13097/50/3)
5.8% (.EXE) Win64 Executable (generic) (10523/12/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter adm1n_usa32
Tags:exe signed Smoke Loader

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-01-03T17:31:16Z
Valid to:2025-01-03T17:31:16Z
Serial number: 2a6d9f1808a1e36d0666adc38da2ff95
Thumbprint Algorithm:SHA256
Thumbprint: 1e2e4c0ad1ef3c27ae2e177a249c09b1cf52313f025057638b1e8dd8ba669a55
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
502
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
bomb.exe
Verdict:
Malicious activity
Analysis date:
2024-01-07 15:21:14 UTC
Tags:
loader amadey botnet stealer redline opendir evasion phorpiex trojan stealc kelihos neoreklami adware socks5systemz proxy
Link:
https://app.any.run/tasks/b1cb9b07-5cb9-474b-be8f-896e7d76c06a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469740/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.15575.921.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Launching the process to interact with network services
Blocking the User Account Control
Query of malicious DNS domain
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint lolbin msbuild msdeploy overlay packed remote replace
Link:
https://www.filescan.io/uploads/6599a0dc1bf798554aace9bb/reports/91601ced-d601-4292-ac0d-9590669f6a2d/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILMamut
Link:
https://www.hybrid-analysis.com/sample/2c009fefcf337b8b5e4f0249aeb1627d3a39934097cf5fea75b16c5aa9a7f374
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Threat 2
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2c1f938-6b7c-4e06-8052-3b7e0e3671ed
Result
Threat name:
Petite Virus
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1370796
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain checking for user administrative privileges
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Petite Virus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1370796 Sample: Had.exe Startdate: 06/01/2024 Architecture: WINDOWS Score: 100 128 Multi AV Scanner detection for domain / URL 2->128 130 Malicious sample detected (through community Yara rule) 2->130 132 Antivirus detection for URL or domain 2->132 134 10 other signatures 2->134 10 Had.exe 2 4 2->10         started        13 cmd.exe 2->13         started        process3 signatures4 138 Contains functionality to hide user accounts 10->138 140 Writes to foreign memory regions 10->140 142 Adds extensions / path to Windows Defender exclusion list (Registry) 10->142 144 3 other signatures 10->144 15 jsc.exe 15 375 10->15         started        20 powershell.exe 23 10->20         started        22 conhost.exe 13->22         started        process5 dnsIp6 116 194.104.136.64 SMEERBOEL-ASSMEERBOELBVNL Netherlands 15->116 118 107.167.110.211 OPERASOFTWAREUS United States 15->118 120 15 other IPs or domains 15->120 62 C:\Users\...\z955ud7HVmlCqVuA8qHQLWEH.exe, PE32 15->62 dropped 64 C:\Users\...\z8v8PaZwLIIb6Jd48OZojPzT.exe, PE32 15->64 dropped 66 C:\Users\...\ymdZjeuxKX3APiSCUXMjgdIV.exe, PE32 15->66 dropped 68 241 other malicious files 15->68 dropped 122 Drops script or batch files to the startup folder 15->122 124 Creates HTML files with .exe extension (expired dropper behavior) 15->124 126 Writes many files with high entropy 15->126 24 Z5McIaUAfu6fwmA9f8IsyyUR.exe 15->24         started        27 5IwcuiLJziWqF6rQvWPSUU2e.exe 15->27         started        29 dlViHiuvEJlX7lb71tixttTQ.exe 15->29         started        36 22 other processes 15->36 32 conhost.exe 20->32         started        34 WmiPrvSE.exe 20->34         started        file7 signatures8 process9 dnsIp10 92 C:\Users\...\Z5McIaUAfu6fwmA9f8IsyyUR.tmp, PE32 24->92 dropped 39 Z5McIaUAfu6fwmA9f8IsyyUR.tmp 24->39         started        94 C:\Users\...\5IwcuiLJziWqF6rQvWPSUU2e.tmp, PE32 27->94 dropped 43 5IwcuiLJziWqF6rQvWPSUU2e.tmp 27->43         started        96 C:\Users\user\AppData\Local\Temp\...\Zip.dll, PE32 29->96 dropped 98 C:\Users\user\AppData\Local\...\Checker.dll, PE32 29->98 dropped 106 8 other malicious files 29->106 dropped 146 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 29->146 148 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 29->148 150 Writes many files with high entropy 29->150 110 104.237.62.212 WEBNXUS United States 36->110 112 91.92.254.7 THEZONEBG Bulgaria 36->112 114 9 other IPs or domains 36->114 100 C:\Users\user\AppData\Local\Temp\...\Zip.dll, PE32 36->100 dropped 102 C:\Users\user\AppData\Local\...\Checker.dll, PE32 36->102 dropped 104 C:\Users\user\AppData\Local\...\INetC.dll, PE32 36->104 dropped 108 19 other malicious files 36->108 dropped 152 Query firmware table information (likely to detect VMs) 36->152 154 Creates an undocumented autostart registry key 36->154 156 Contain functionality to detect virtual machines 36->156 158 Found evasive API chain checking for user administrative privileges 36->158 45 JO5ssWqeI4DbQBXfv1LY0pHO.exe 36->45         started        47 JO5ssWqeI4DbQBXfv1LY0pHO.exe 36->47         started        49 JO5ssWqeI4DbQBXfv1LY0pHO.exe 36->49         started        51 2 other processes 36->51 file11 signatures12 process13 file14 74 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 39->74 dropped 76 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 39->76 dropped 78 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 39->78 dropped 88 80 other files (63 malicious) 39->88 dropped 136 Writes many files with high entropy 39->136 90 46 other files (37 malicious) 43->90 dropped 53 smartimagestorage.exe 43->53         started        56 net.exe 43->56         started        80 Opera_installer_2401061851162728028.dll, PE32 45->80 dropped 58 JO5ssWqeI4DbQBXfv1LY0pHO.exe 45->58         started        82 Opera_installer_2401061851064927636.dll, PE32 47->82 dropped 84 Opera_installer_2401061851080807756.dll, PE32 49->84 dropped 86 Opera_installer_2401061851421697952.dll, PE32 51->86 dropped signatures15 process16 file17 70 C:\...\High-quality math calculator 7.8.exe, PE32 53->70 dropped 60 conhost.exe 56->60         started        72 Opera_installer_2401061851190667352.dll, PE32 58->72 dropped process18
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2c009fefcf337b8b5e4f0249aeb1627d3a39934097cf5fea75b16c5aa9a7f374
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c009fefcf337b8b5e4f0249aeb1627d3a39934097cf5fea75b16c5aa9a7f374/
Threat name:
ByteCode-MSIL.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-01-06 18:50:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqaj736pgn5ywxspaje25mlcpu5dte2as7hv72tvwfwfvknh6n2a._file
Verdict:
malicious
Similar samples:
4329b1deaf46731c0e7a55e4ca9adaefa6daa9f8f6015c8ece22dee784898c18
Smoke Loader
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:smokeloader backdoor dropper evasion loader trojan
Link:
https://tria.ge/reports/240106-xgxqgsfbe2/
Behaviour
Creates scheduled task(s)
Runs net.exe
Runs regedit.exe
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
SmokeLoader
Windows security bypass
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
2c009fefcf337b8b5e4f0249aeb1627d3a39934097cf5fea75b16c5aa9a7f374
MD5 hash:
981fb98bb6fa845c67ed22349e91867d
SHA1 hash:
59ed889246126ea1b255b7bf391ef5198a4b6c7c
Link:
https://www.unpac.me/results/f48e38ec-9fdb-48a3-9847-08bcf6db7466/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2c009fefcf33/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2c009fefcf337b8b5e4f0249aeb1627d3a39934097cf5fea75b16c5aa9a7f374

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 2c009fefcf337b8b5e4f0249aeb1627d3a39934097cf5fea75b16c5aa9a7f374

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/469740/
  
URLhaus
https://urlhaus.abuse.ch/url/2747145/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2747147/

Comments