MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c6be58c5b91dba2a4528cfbc9364a497128f2102ed062251be0153e3a3a10ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 14



SHA256 hash: 2c6be58c5b91dba2a4528cfbc9364a497128f2102ed062251be0153e3a3a10ef
SHA3-384 hash: 6e96268f85acfd947ded2b01a728eacd32bab6218d2b4bd6e2d6f04d4d7f7e252e75a4b0219a3fa590091e408a28e03a
SHA1 hash: 0782d2dcbc4313ae7e38565068cc3af19a183506
MD5 hash: 993a725b7bfebdf6ef321594358a766c
humanhash: nitrogen-louisiana-alanine-dakota
File name: 993a725b7bfebdf6ef321594358a766c.exe
Signature: Smoke Loader
File size: 281'600 bytes
First seen: 2022-10-11 07:07:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 335f6a3bc923ae5bc86b0cc6c8226b4c (7 x Smoke Loader, 4 x GCleaner, 1 x Nymaim)
ssdeep: 3072:8RXdvZ+pesl1DJErMIjM5fpxUQ8gio42JkDqUmLjiZ3l/80FgxyRtNFM/h3qpZag:81RZ+pVl8Jj+D8Ie80FlFrwVfquS
Threatray: 11'288 similar samples on MalwareBazaar
TLSH: T11F54CF25F682C8B1C4062170CD56DFA06BBEEC31197489873B6D3A6E6EB7280567731F
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter: abuse_ch
Tags: exe, Smoke Loader
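The imphash above is shared with 7 other Smoke Loader samples, 4 GCleaner and 1 Nymaim, which is typical for a packer stub that imports only a handful of resolver functions. The following is an added example (not code from MalwareBazaar or abuse.ch) that recomputes an import hash from a list of imports the way the published imphash definition does: lower-case "dll.function" tokens in import-table order, DLL extension stripped, joined with commas, MD5 of the result. The import tables it hashes are constructed for illustration and are not the real import table of this sample; reading a real PE's imports would need a PE parser, which is left out here so the script runs with the standard library only. Ordinal imports are kept in the generic "ordN" form rather than resolved through name tables, which is an assumption of this example.

```python
"""Recompute an import hash (imphash) from an import list.

Added example, not from the MalwareBazaar page or abuse.ch tooling.
Import tables below are constructed, not those of the sample.
"""
import hashlib

STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalise_import(dll, func):
    """Return the 'dll.function' token imphash uses for one import entry."""
    dll = dll.lower()
    for ext in STRIPPED_EXTENSIONS:
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    if isinstance(func, int):
        # Full implementations map ordinals of ws2_32/wsock32/oleaut32 back to
        # names; this example keeps the generic "ordN" form (assumption).
        func = f"ord{func}"
    return f"{dll}.{func.lower()}"


def imphash(imports):
    """MD5 over the comma-joined, order-preserving list of import tokens."""
    joined = ",".join(normalise_import(dll, func) for dll, func in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def same_import_fingerprint(a, b):
    """True when two import tables would be grouped under one imphash."""
    return imphash(a) == imphash(b)


# Constructed import table of a minimal loader stub (not the real sample).
# A stub that resolves everything else at runtime imports very little, so
# unrelated families built with the same packer collide on imphash.
STUB_A = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("USER32.dll", "MessageBoxA"),
]
# Same imports with different casing / DLL spelling: identical imphash.
STUB_B = [
    ("kernel32.DLL", "loadlibrarya"),
    ("Kernel32.dll", "GETPROCADDRESS"),
    ("KERNEL32", "VirtualAlloc"),
    ("user32.dll", "MessageBoxA"),
]
# Same imports in another order: different imphash, because import-table
# order (a linker/packer fingerprint) is part of the hash.
STUB_REORDERED = [STUB_A[1], STUB_A[0], STUB_A[2], STUB_A[3]]


if __name__ == "__main__":
    print("stub A   ", imphash(STUB_A))
    print("stub B   ", imphash(STUB_B))
    print("reordered", imphash(STUB_REORDERED))
```

Because import order matters, two builds of the same family that were packed differently can land under different imphashes, while different families sharing one packer land under the same one; treat imphash as a packer/toolchain pivot, not a family classifier.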


abuse_ch
Smoke Loader C2:
167.235.71.14:20469

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
167.235.71.14:20469 | https://threatfox.abuse.ch/ioc/872735/
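One way to put the indicator to work, as an added example that is not part of the MalwareBazaar page: match the ThreatFox C2 pair against Zeek-style connection and DNS logs. The log lines are constructed for the example (fields assumed: ts, source host, source port, destination host, destination port, protocol for conn.log; ts, source host, query, answer for dns.log). An exact ip:port hit is reported as high confidence; traffic to the same IP on another port is kept as a weaker lead because loader C2 ports rotate. The domains in the second list are the hosts the sandbox report above shows the injected explorer.exe contacting; they are not published ThreatFox IOCs, so the code reports them only as leads.

```python
"""Match this sample's network indicators against constructed Zeek-style logs.

Added example, not from the MalwareBazaar page. C2 ip:port is the page's
ThreatFox IOC; the sandbox-observed domains are leads, not confirmed C2.
"""
C2_IP = "167.235.71.14"
C2_PORT = 20469

# Domains seen in the sandbox behaviour graph for this sample (leads only).
SANDBOX_DOMAINS = {
    "jamesmillion.xyz",
    "en.xml-post.xyz",
    "il-designs.com",
    "rukangiralawchambers.org",
}

# Constructed conn.log: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
CONN_LOG = """\
1665472105.113\t10.0.0.23\t49712\t167.235.71.14\t20469\ttcp
1665472106.442\t10.0.0.23\t49713\t67.222.38.76\t443\ttcp
1665472110.001\t10.0.0.41\t51200\t167.235.71.14\t8080\ttcp
1665472111.876\t10.0.0.23\t49714\t198.23.58.153\t443\ttcp
"""

# Constructed dns.log: ts, id.orig_h, query, answer (answers are TEST-NET)
DNS_LOG = """\
1665472100.500\t10.0.0.23\tjamesmillion.xyz\t198.51.100.7
1665472101.200\t10.0.0.23\tupdates.example.net\t203.0.113.9
1665472102.800\t10.0.0.41\tcdn.il-designs.com\t198.51.100.8
"""


def parse_conn(line):
    ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
    return {"ts": float(ts), "src": orig_h, "sport": int(orig_p),
            "dst": resp_h, "dport": int(resp_p), "proto": proto}


def match_c2(log_text, ip=C2_IP, port=C2_PORT):
    """Return (src, dst, dport, confidence) for every flow to the C2 address."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn(line)
        if rec["dst"] != ip:
            continue
        confidence = "high" if rec["dport"] == port else "low"
        hits.append((rec["src"], rec["dst"], rec["dport"], confidence))
    return hits


def _matches_domain(query, domains):
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def match_dns(log_text, domains=SANDBOX_DOMAINS):
    """Return (src, query) for lookups of a listed domain or any subdomain."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, query, _answer = line.split("\t")
        if _matches_domain(query, domains):
            hits.append((src, query))
    return hits


if __name__ == "__main__":
    for hit in match_c2(CONN_LOG):
        print("C2 flow:", hit)
    for hit in match_dns(DNS_LOG):
        print("sandbox-domain lookup:", hit)
```

The subdomain match is deliberate: the page shows one sandbox contact (il-designs.com) on port 443 with a normal hosting ASN, which is what a compromised legitimate site looks like, so the lookup is worth a look without being treated as a C2 hit on its own.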

Intelligence


File Origin
# of uploads: 1
# of downloads: 188
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Searching for the window
Launching a process
Setting browser functions hooks
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult greyware
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
Amadey, RedLine, SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 720290
Sample: n5V5HhS9Es.exe
Start date: 11/10/2022
Architecture: WINDOWS
Score: 100

Top level
  Network: jamesmillion.xyz; en.xml-post.xyz; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 9 other signatures
  Started: n5V5HhS9Es.exe; rjtsjfc

n5V5HhS9Es.exe
  Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
  Injected: explorer.exe

rjtsjfc
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration)

explorer.exe (injected)
  Network: il-designs.com 67.222.38.76, 443, 49759, 49764 UNIFIEDLAYER-AS-1US United States; rukangiralawchambers.org 198.23.58.153, 443, 49716 STEADFASTUS United States; 8 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\rjtsjfc (PE32); C:\Users\user\AppData\Local\Temp1F5.exe (PE32); C:\Users\user\AppData\Local\Temp\DB0E.exe (PE32); 4 other malicious files
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 3 other signatures
  Started: 114E.exe; DB0E.exe; 925A.exe; 8 other processes

114E.exe
  Dropped: C:\Users\user\AppData\Local\...\wfyoot.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  Started: wfyoot.exe

DB0E.exe
  Signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: conhost.exe; RegSvcs.exe

925A.exe
  Started: conhost.exe

8 other processes
  Started: conhost.exe; conhost.exe

wfyoot.exe
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
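The chain the sandbox graph describes (the submitted binary injects into explorer.exe; the injected explorer.exe drops a PE into %AppData%\Roaming, runs it, and talks to the C2; a later stage creates a scheduled task) can be expressed as host-side triage rules. The following is an added example, not code from the MalwareBazaar page or from any of the vendor sandboxes quoted above. The events are constructed Sysmon-style records (event 11 file create, event 1 process create, event 3 network connect) with made-up PIDs; the drop path and the C2 ip:port are the ones reported on this page, the scheduled-task name is invented. The list of "system processes" and the private-address exclusion are assumptions to tune: explorer.exe does reach the Internet legitimately, so the network rule on its own is a lead and the drop-and-execute rule is what corroborates injection.

```python
"""Host triage rules for the SmokeLoader behaviour chain reported above.

Added example, not from the MalwareBazaar page or a vendor sandbox.
EVENTS are constructed Sysmon-style records; paths and PIDs are invented
except the drop path and the C2 ip:port, which come from the report.
"""
import ipaddress

APPDATA_ROAMING = "\\appdata\\roaming\\"
SYSTEM_PROCESSES = {r"c:\windows\explorer.exe"}          # assumption: tune per estate
C2 = ("167.235.71.14", 20469)

EVENTS = [
    # injected explorer.exe drops the persistence copy (event 11)
    {"id": 11, "pid": 4120, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Roaming\rjtsjfc"},
    # ... and executes it (event 1)
    {"id": 1, "pid": 5208, "ppid": 4120,
     "image": r"C:\Users\user\AppData\Roaming\rjtsjfc",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\rjtsjfc"},
    # explorer.exe beacons to the C2 (event 3)
    {"id": 3, "pid": 4120, "image": r"C:\Windows\explorer.exe",
     "dst": "167.235.71.14", "dport": 20469},
    # dropped stage creates a scheduled task; task name is invented
    {"id": 1, "pid": 6004, "ppid": 5208,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\user\AppData\Roaming\rjtsjfc",
     "cmdline": r'schtasks /create /tn "Updater" /tr "C:\Users\user\AppData\Roaming\rjtsjfc" /sc minute /mo 5'},
    # benign-looking LAN traffic from explorer.exe: must not fire
    {"id": 3, "pid": 4120, "image": r"C:\Windows\explorer.exe",
     "dst": "10.0.0.5", "dport": 445},
]


def _under_roaming(path):
    return APPDATA_ROAMING in path.lower()


def triage(events):
    """Run the three rules over an ordered event list; return the hits."""
    hits = []
    dropped = {}  # lower-cased path -> pid of the process that wrote it
    for ev in events:
        if ev["id"] == 11 and _under_roaming(ev["target"]):
            dropped[ev["target"].lower()] = ev["pid"]
        elif ev["id"] == 1:
            image = ev["image"].lower()
            if image in dropped:
                hits.append({"rule": "dropped_pe_executed", "pid": ev["pid"],
                             "detail": f'{ev["parent"]} dropped and ran {ev["image"]}'})
            if image.endswith("\\schtasks.exe") and _under_roaming(ev["parent"]):
                hits.append({"rule": "schtasks_from_appdata", "pid": ev["pid"],
                             "detail": ev["cmdline"]})
        elif ev["id"] == 3 and ev["image"].lower() in SYSTEM_PROCESSES:
            dst = ipaddress.ip_address(ev["dst"])
            if dst.is_private or dst.is_loopback:
                continue  # LAN and loopback traffic from explorer.exe is routine
            confidence = "high" if (ev["dst"], ev["dport"]) == C2 else "medium"
            hits.append({"rule": "system_process_outbound", "pid": ev["pid"],
                         "confidence": confidence,
                         "detail": f'{ev["image"]} -> {ev["dst"]}:{ev["dport"]}'})
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

Ordering matters for the first rule: it keys on a file-create event seen before the process-create event for the same path, so feed events in timestamp order. The sandbox also reports the dropped file being marked hidden and an autorun being created; those are natural fourth and fifth rules on the same event stream (file attribute change and Run-key write) if your telemetry carries them.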
Threat name:
Win32.Ransomware.StopCrypt
Status:
Malicious
First seen:
2022-10-11 00:56:37 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
SmokeLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
351798115be240e01309033aeef4660747e40b7b7d869567ec8d378b08071d7a
MD5 hash:
f82f1ed679d88f6ee38c0fd58961b94e
SHA1 hash:
e876dd914a375ba1d4d0ff721126323530ac3829
Detections:
win_smokeloader_a2 SmokeLoaderStage2
Parent samples:
SHA256 hash:
2c6be58c5b91dba2a4528cfbc9364a497128f2102ed062251be0153e3a3a10ef
MD5 hash:
993a725b7bfebdf6ef321594358a766c
SHA1 hash:
0782d2dcbc4313ae7e38565068cc3af19a183506
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Smoke Loader | Executable exe 2c6be58c5b91dba2a4528cfbc9364a497128f2102ed062251be0153e3a3a10ef (this sample)

Delivery method: Distributed via web download

Comments