MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7
SHA3-384 hash: 2120d48eba16403770f260ed4de519b69dc8adf79093e9fd87ffc8f5da55dc52b1229a602eb1d70dae70f0ccb379016a
SHA1 hash: 60dad60b5c7302b4e3710178adc3e3733a969feb
MD5 hash: 4dc922beacbbd78690a084e451fe420e
humanhash: autumn-august-florida-black
File name:4dc922beacbbd78690a084e451fe420e
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:287'744 bytes
First seen:2023-09-03 04:59:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 86ad0e3d91ec35fd419d3de1888ddee4 (7 x Smoke Loader, 5 x Vidar, 2 x RedLineStealer)
ssdeep 3072:/aD8DiZ7URsbW4FC0iK/qEB21CgE8bNUT51RMPU5Lt0Fyeymx:yP7w3Xk0CgEcNU5fMc54yey
Threatray 1'561 similar samples on MalwareBazaar
TLSH T11B548B8361DDBC7AE52707718F1EC6EC371EB8608E296B962F445E1B1A31D72C69B301
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0008080806070600 (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
4dc922beacbbd78690a084e451fe420e
Verdict:
Malicious activity
Analysis date:
2023-09-03 05:01:30 UTC
Tags:
loader smoke
Link:
https://app.any.run/tasks/8087ddcd-96bb-4c0b-ac77-669b465c229f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445769/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ad94193-4e4d-40aa-b563-03c8ed9d406d
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302243
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302243 Sample: qV7eFBUW0y.exe Startdate: 03/09/2023 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 7 other signatures 2->48 7 qV7eFBUW0y.exe 2->7         started        10 duhrcuh 2->10         started        12 C2CE.exe 2->12         started        process3 signatures4 58 Detected unpacking (changes PE section rights) 7->58 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->60 62 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->62 70 2 other signatures 7->70 14 explorer.exe 4 5 7->14 injected 64 Multi AV Scanner detection for dropped file 10->64 66 Machine Learning detection for dropped file 10->66 68 Maps a DLL or memory area into another process 10->68 process5 dnsIp6 28 shsplatform.co.uk 80.66.203.53, 443, 49776 UKFASTGB United Kingdom 14->28 30 taibi.at 190.139.250.133, 49766, 49768, 49770 TelecomArgentinaSAAR Argentina 14->30 32 3 other IPs or domains 14->32 22 C:\Users\user\AppData\Roaming\duhrcuh, PE32 14->22 dropped 24 C:\Users\user\AppData\Local\Temp\C2CE.exe, PE32 14->24 dropped 26 C:\Users\user\...\duhrcuh:Zone.Identifier, ASCII 14->26 dropped 34 System process connects to network (likely due to code injection or exploit) 14->34 36 Benign windows process drops PE files 14->36 38 Deletes itself after installation 14->38 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->40 19 C2CE.exe 14->19         started        file7 signatures8 process9 signatures10 50 Multi AV Scanner detection for dropped file 19->50 52 Detected unpacking (changes PE section rights) 19->52 54 Detected unpacking (overwrites its own PE header) 19->54 56 2 other signatures 19->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-09-02 23:54:32 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwiojvvkx4t3hy52xo3ii3wsmh3fb6efqwf6k6rn55vf4nqqog3q._file
Verdict:
malicious
Similar samples:
02be50acb754a09f75b3b1b6b4b8dd8609c6d297ccd89a1705bd8446149f6712
Smoke Loader
188c586ed738a6e28416cf49bb17d5a66ac19f767e095b959ca84ef900d22735
Smoke Loader
3d6796860a796e3ed63efb6c4c1fb9c5eb6df481e63e40602feb24adbeabb179
Smoke Loader
4fce1d0099d746c09f6e7a8ae41882cbb95070ab24843b1516b8a74ce65d3701
Smoke Loader
59c3ef0b04f7f8f424ec18d68e886610f886467d9c814e2a3c10378588139967
Smoke Loader
70856a13672513d4828d2ca74d2f27d4c6239908e8aa303e1ef9536f6e113fcd
Smoke Loader
8113159e0ac7c44fb49f3231ea9541e2d9ce9fd06dee9887037349e3370e6e73
Smoke Loader
9e6ce673dc161fc54b110782f18ec9bb3690b9ccdde494196ccb5bb0381dfa94
Smoke Loader
b010a749d181fa2a1ad4bf78d84043a1fa334900029b86947a11990a6cb1db3e
Smoke Loader
d896e1c6f1124eb8cf19f29d2dec8d35203cfd4ea36636549e178a1a06de10db
Smoke Loader
+ 1'551 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub5 backdoor trojan
Link:
https://tria.ge/reports/230903-fmznlagc4x/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
10404d8441ad542ad87e4c65273b85c363ff88eb1742a55761c266b03cba6239
MD5 hash:
093e62edc8ff597edff531323100aeee
SHA1 hash:
7248d21d5221aa613b5d4fb234fd794a6eb22e63
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/e5e208ed-2e5a-4b89-9c98-1c1cabb40b48/
Parent samples :
e1c417cdc500c29e12ee68d5bc4e52314d045031b5380b7854b4b34ec9ea0abe
08e61151199e31c2cf54f12f95c8ad95ee8467bb630166800114c0b912682a74
1e662d2a9bc77dc09ff39c21dbd8f11968da7c1dea6f4bbcfc5216c0d8f8c8fd
eef2be5347236331ecd365bdf33ef868b6518beb7ae94074be56f955d2a951d7
6531b801cc6cbf4139616803f9d43e9b886eed6c9ca82b86bb9c461c50f673a0
dc8ce8ab78c6cdddfd1ccd40a3b8d4d177a9ab9de871bbf9e81c54b97e29a342
2dea8cfcd31f4675d5462c385139b59528759bee88aec34ed9d0757d289e7a34
e3cc5f126472497826ad34d0e0348d3d0a0dea126d5ec73c5ed1a6eaf8f6272d
4d7a22a1f7d76310b2c8420cb2f02ef4633cb689e4b8eaaab165731b9341163f
2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7
SH256 hash:
2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7
MD5 hash:
4dc922beacbbd78690a084e451fe420e
SHA1 hash:
60dad60b5c7302b4e3710178adc3e3733a969feb
Link:
https://www.unpac.me/results/e5e208ed-2e5a-4b89-9c98-1c1cabb40b48/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d90e4d6aabf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/445769/
  
URLhaus
https://urlhaus.abuse.ch/url/2709175/

Comments


Avatar
zbet commented on 2023-09-03 04:59:40 UTC

url : hxxp://45.9.74.80/chrome.exe