MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41b4ef28bcb4fcca37c63f3c34d9a40236c49fd7a49b5f41952ece56cda836e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41b4ef28bcb4fcca37c63f3c34d9a40236c49fd7a49b5f41952ece56cda836e0
SHA3-384 hash: 37d22b6f1a0a8ca498cd9db239fd351e44f0c8b9bce674bd273e89e6f74f720b8ee24722210c5fdaa03eb444d540e60d
SHA1 hash: 3e93aafb3c6c72c34a2914cd37a151183e8d3d1c
MD5 hash: a5475b78bc6aa14bc316420943dd733d
humanhash: aspen-river-nine-mockingbird
File name:06767099.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:297'984 bytes
First seen:2023-05-27 13:30:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d683fcb523ac92743f5db043ced73806 (2 x Smoke Loader, 2 x Stealc, 1 x Stop)
ssdeep 3072:aEhxSl7OBQ5mqry09ZJ+o7wtJyWXb/AOz/5QSGvAbxEqF/:Nhxk7fmqm0jJT5WXbYSuq
Threatray 21 similar samples on MalwareBazaar
TLSH T1C4543B0396E2FC54FD66CA729E3FC6ED762EF5908F09776A21185A5F08702B2C163712
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 90a48884d0c0c080 (1 x Smoke Loader)
Reporter Neiki
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06767099.exe
Verdict:
Malicious activity
Analysis date:
2023-05-27 13:32:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fc2dc01-51b1-4542-a1c1-4a0d1c01f456

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392540/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware mokes packed
Link:
https://www.filescan.io/uploads/6472061c01e5d4bb0b891ef6/reports/934702b8-8631-4fbc-bb7d-24bf9c55e0cf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/41b4ef28bcb4fcca37c63f3c34d9a40236c49fd7a49b5f41952ece56cda836e0
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f64cd8f8-fa43-4ffc-a066-03845e3b002f
Result
Threat name:
Amadey, Babuk, Clipboard Hijacker, Djvu,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243806
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876816 Sample: 06767099.exe Startdate: 27/05/2023 Architecture: WINDOWS Score: 100 96 zexeq.com 2->96 98 star.facebook.com 2->98 100 4 other IPs or domains 2->100 132 Snort IDS alert for network traffic 2->132 134 Multi AV Scanner detection for domain / URL 2->134 136 Found malware configuration 2->136 138 18 other signatures 2->138 11 06767099.exe 2->11         started        14 jahfrie 2->14         started        16 C5AB.exe 2->16         started        signatures3 process4 signatures5 180 Detected unpacking (changes PE section rights) 11->180 182 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->182 184 Maps a DLL or memory area into another process 11->184 186 Creates a thread in another existing process (thread injection) 11->186 18 explorer.exe 9 41 11->18 injected 188 Multi AV Scanner detection for dropped file 14->188 190 Machine Learning detection for dropped file 14->190 192 Checks if the current machine is a virtual machine (disk enumeration) 14->192 194 Detected unpacking (overwrites its own PE header) 16->194 196 Injects a PE file into a foreign processes 16->196 23 C5AB.exe 12 16->23         started        process6 dnsIp7 102 187.209.146.8 UninetSAdeCVMX Mexico 18->102 104 201.124.33.177 UninetSAdeCVMX Mexico 18->104 108 12 other IPs or domains 18->108 78 C:\Users\user\AppData\Roaming\jahfrie, PE32 18->78 dropped 80 C:\Users\user\AppData\Roaming\bshfrie, PE32 18->80 dropped 82 C:\Users\user\AppData\Local\Temp56C.exe, PE32 18->82 dropped 84 12 other malicious files 18->84 dropped 140 System process connects to network (likely due to code injection or exploit) 18->140 142 Benign windows process drops PE files 18->142 144 Deletes itself after installation 18->144 146 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->146 25 CCEB.exe 18->25         started        28 E56C.exe 18->28         started        31 C5AB.exe 18->31         started        33 6 other processes 18->33 106 api.2ip.ua 23->106 file8 signatures9 process10 file11 158 Detected unpacking (changes PE section rights) 25->158 160 Detected unpacking (overwrites its own PE header) 25->160 162 Machine Learning detection for dropped file 25->162 164 Writes a notice file (html or txt) to demand a ransom 25->164 35 CCEB.exe 25->35         started        90 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 28->90 dropped 92 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 28->92 dropped 94 C:\Users\user\AppData\Local\...94ewPlayer.exe, PE32 28->94 dropped 166 Antivirus detection for dropped file 28->166 168 Multi AV Scanner detection for dropped file 28->168 38 NewPlayer.exe 28->38         started        42 aafg31.exe 28->42         started        44 XandETC.exe 28->44         started        170 Injects a PE file into a foreign processes 31->170 46 C5AB.exe 1 15 31->46         started        172 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 33->172 174 Maps a DLL or memory area into another process 33->174 176 Checks if the current machine is a virtual machine (disk enumeration) 33->176 178 Creates a thread in another existing process (thread injection) 33->178 48 CE6.exe 33->48         started        50 C5AB.exe 33->50         started        52 C5AB.exe 33->52         started        54 2 other processes 33->54 signatures12 process13 dnsIp14 110 192.168.2.1 unknown unknown 35->110 56 CCEB.exe 35->56         started        86 C:\Users\user\AppData\Local\...\mnolyk.exe, PE32 38->86 dropped 148 Antivirus detection for dropped file 38->148 150 Multi AV Scanner detection for dropped file 38->150 152 Machine Learning detection for dropped file 38->152 112 jp.imgjeoighw.com 103.100.211.218, 49740, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 42->112 114 ss.apjeoighw.com 154.221.31.191 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 42->114 118 6 other IPs or domains 42->118 154 Tries to harvest and steal browser information (history, passwords, etc) 42->154 116 api.2ip.ua 162.0.217.254, 443, 49717, 49719 ACPCA Canada 46->116 88 C:\Users\user\AppData\Local\...\C5AB.exe, PE32 46->88 dropped 59 C5AB.exe 46->59         started        61 icacls.exe 46->61         started        file15 signatures16 process17 signatures18 156 Injects a PE file into a foreign processes 56->156 63 CCEB.exe 56->63         started        68 C5AB.exe 12 59->68         started        process19 dnsIp20 120 api.2ip.ua 63->120 122 211.171.233.129, 49738, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 63->122 126 2 other IPs or domains 63->126 70 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 63->70 dropped 72 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 63->72 dropped 74 C:\Users\user\AppData\Local\...\build3.exe, PE32 63->74 dropped 76 6 other malicious files 63->76 dropped 128 Modifies existing user documents (likely ransomware behavior) 63->128 124 api.2ip.ua 68->124 file21 130 System process connects to network (likely due to code injection or exploit) 120->130 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41b4ef28bcb4fcca37c63f3c34d9a40236c49fd7a49b5f41952ece56cda836e0/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-05-27 13:31:07 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ig2o6kf4wt6mun6gh46djwneai3mjh6xusnv6qmvf3hfntnig3qa._file
Verdict:
malicious
Similar samples:
398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
Smoke Loader
50dd217a26eb36d8461c1e14de64e0de95893fb124fc6bab293643ca14896550
Smoke Loader
55c0e72b242e8204feeaba213da7234dc4155272c0b36b6c4369c41b9705d159
Smoke Loader
663c3fca0878472db0ecd4ec4fdc67690c1de08fa5c228e1911b6278cf83a0a6
Smoke Loader
6e4f0b64126f6cdf3740ab23575e0a5e24b455f31d53f1044151f7403733ea7d
Smoke Loader
a481d2ec299f9c0a2a4e2c26f72a4ab27714e8d83f5a79f42abd052557fe2f13
Smoke Loader
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
Smoke Loader
c41dd271390aafacf8207e5c0cc41f98f24c785e33ab5adaa8df15a3f5e4218d
Smoke Loader
de7cb1f6c1ea24797218cb6f6ab5cdae3482a582bccb12b07365285ecfc8c167
Smoke Loader
+ 11 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 botnet:summ backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230527-qsdcnacd6s/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
45.9.74.80/0bjdn2Z/index.php
Gathering data
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/41b4ef28bcb4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41b4ef28bcb4fcca37c63f3c34d9a40236c49fd7a49b5f41952ece56cda836e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 41b4ef28bcb4fcca37c63f3c34d9a40236c49fd7a49b5f41952ece56cda836e0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2479364/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/392540/

Comments