MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 314410dacd8226075671d108c091e8dcf6f24156b10b430e81e25891d750d68d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 12

SHA256 hash: 314410dacd8226075671d108c091e8dcf6f24156b10b430e81e25891d750d68d
SHA3-384 hash: 6fd7401ec9073e481760ee7082a977889a2988117da32764a95d8c3f88df207e1b45257e7f1808e4df2808434957c5fb
SHA1 hash: e5b869841b26fbb54b9e94668b3017face715581
MD5 hash: 2ad4efa6bd88630d2a3a61b1898cd62f
humanhash: speaker-nine-two-lamp
File name: file
Signature: Smoke Loader
File size: 1'162'784 bytes
First seen: 2022-11-24 08:03:25 UTC
Last seen: 2022-11-24 17:14:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2339ac77bf9371500ebbf86df3a10d43 (8 x njrat, 4 x LgoogLoader, 3 x RedLineStealer)
ssdeep: 24576:X9ERWaeW0rxk6fIAkiWOurxoETjpoLIrDoS:X9EwW8xkVQvuloETjGLIrDoS
TLSH: T131356BC27446005BF56369F55C1E899031562EA9A139E30D32D3FE2F95F336700ABBEA
TrID:
  34.2% (.EXE) InstallShield setup (43053/19/16)
  24.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  13.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  8.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f096b2a2aab296cc (1 x Smoke Loader)
Reporter: andretavare5
Tags: exe, Smoke Loader


andretavare5
Sample downloaded from http://185.246.221.114/files/ADS.exe

Intelligence


File Origin
# of uploads: 18
# of downloads: 341
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-11-24 08:04:12 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Suspicious
Maliciousness:
Behaviour:
Creating a window
Launching a process
Creating a file in the %temp% subdirectories
Searching for the window
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
DNS request
Creating a file
Moving a file to the %temp% subdirectory
Verdict: Suspicious
Threat level: 5/10
Confidence: 75%
Tags: advpack.dll overlay packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Result
Threat name: Fabookie, ManusCrypt, SmokeLoader, Socel
Detection: malicious
Classification: troj.evad.phis.bank.spyw.expl.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected VMProtect packer
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites Mozilla Firefox settings
Query firmware table information (likely to detect VMs)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Download and Execute IEX
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Fabookie
Yara detected ManusCrypt
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 753067; sample: file.exe; start date: 24/11/2022; architecture: WINDOWS; score: 100): graph image not reproduced
Threat name: Win32.Trojan.Privateloader
Status: Suspicious
First seen: 2022-11-24 08:11:14 UTC
File Type: PE (Exe)
Extracted files: 27
AV detection: 7 of 26 (26.92%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: lgoogloader
Score: 10/10
Tags: family:lgoogloader downloader persistence
Behaviour
Gathers network information
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Detects LgoogLoader payload
LgoogLoader
Unpacked files
SHA256 hash: b7e2010c0ef92c8949d9c2efefd1e69712ec6af249185054cdbc3aec21daf719
MD5 hash: 32c5e1863b2224c551b5d1873b680b15
SHA1 hash: 15df8f6d5d39b3c78c2f9061a04b7b8c134862b1
SHA256 hash: 314410dacd8226075671d108c091e8dcf6f24156b10b430e81e25891d750d68d
MD5 hash: 2ad4efa6bd88630d2a3a61b1898cd62f
SHA1 hash: e5b869841b26fbb54b9e94668b3017face715581
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
