MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44e3a5d07ad41e0c1e023eeb97798f0822d706abb3406b61466d32a7d29c8726. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44e3a5d07ad41e0c1e023eeb97798f0822d706abb3406b61466d32a7d29c8726
SHA3-384 hash: f79d7dec670ffa1ab2cc5ded1f37d4da2f246cae2f458de40aeb8ecf18f9b9d8dc3d651c10fa8265ce6149fad510cc47
SHA1 hash: d73f6178f510a5eedc1a67008d767c47405ab139
MD5 hash: 950f966f12a83d04f4293ada9a3d6c9d
humanhash: jupiter-nuts-october-fruit
File name:950f966f12a83d04f4293ada9a3d6c9d
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:846'848 bytes
First seen:2021-08-16 14:13:30 UTC
Last seen:2021-08-16 14:50:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1abe4551dd4f8ef04deab38d0027e326 (4 x RemcosRAT, 1 x Smoke Loader, 1 x NetWire)
ssdeep 12288:WhxUck0fyI/Xv94r0umLKC+pvbIAsrxPD+o8wcp:WhGdkF4r0uvnDIF5P
Threatray 676 similar samples on MalwareBazaar
TLSH T11A058C26E26184BAD1D64F799D1AB968E8037E115B39244D7AFF3F896F3C250383C067
dhash icon b0b0303a34363034 (4 x RemcosRAT, 1 x Smoke Loader, 1 x NetWire)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
950f966f12a83d04f4293ada9a3d6c9d
Verdict:
Malicious activity
Analysis date:
2021-08-16 14:16:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aae627fa-6785-4969-8dc9-62fc3292de6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179560/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.36771.2007.22821.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Deleting a recently created file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d30ca0ed-345d-4cbe-bfda-11aeb7a524af
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833570
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466001 Sample: ikiYfWmLJJ Startdate: 16/08/2021 Architecture: WINDOWS Score: 100 64 Found malware configuration 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected Clipboard Hijacker 2->68 70 2 other signatures 2->70 8 ikiYfWmLJJ.exe 1 24 2->8         started        13 sqlcmd.exe 13 2->13         started        15 Psbwtbb.exe 13 2->15         started        17 3 other processes 2->17 process3 dnsIp4 60 cdn.discordapp.com 162.159.130.233, 443, 49724, 49725 CLOUDFLARENETUS United States 8->60 58 C:\Users\Public\Libraries\...\Psbwtbb.exe, PE32 8->58 dropped 72 Detected unpacking (changes PE section rights) 8->72 74 Detected unpacking (overwrites its own PE header) 8->74 76 Uses schtasks.exe or at.exe to add and modify task schedules 8->76 78 Contains functionality to compare user and computer (likely to detect sandboxes) 8->78 19 ikiYfWmLJJ.exe 2 8->19         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        80 Multi AV Scanner detection for dropped file 13->80 82 Machine Learning detection for dropped file 13->82 84 Injects a PE file into a foreign processes 13->84 26 sqlcmd.exe 13->26         started        62 162.159.134.233, 443, 49731 CLOUDFLARENETUS United States 15->62 28 Psbwtbb.exe 15->28         started        30 Psbwtbb.exe 17->30         started        32 sqlcmd.exe 17->32         started        file5 signatures6 process7 file8 54 C:\Users\user\AppData\Roaming\...\sqlcmd.exe, PE32 19->54 dropped 56 C:\Users\user\...\sqlcmd.exe:Zone.Identifier, ASCII 19->56 dropped 34 schtasks.exe 1 19->34         started        36 reg.exe 1 22->36         started        38 conhost.exe 22->38         started        40 cmd.exe 1 24->40         started        42 conhost.exe 24->42         started        44 schtasks.exe 1 26->44         started        process9 process10 46 conhost.exe 34->46         started        48 conhost.exe 36->48         started        50 conhost.exe 40->50         started        52 conhost.exe 44->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44e3a5d07ad41e0c1e023eeb97798f0822d706abb3406b61466d32a7d29c8726/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 14:14:05 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=itr2lud22qpayhqch3vzo6mpbarnobvlwnagwykgnuzkpuu4q4ta._file
Verdict:
malicious
Similar samples:
03659dfd8c9a7f8b300972af15621b9d67b8854cfbf66ecab15f63b1686afa2c
Smoke Loader
0fa70b582aa0b10107a3fdfd5e70a6e9c225ac0db07c9787c745d2ebfc75fb5d
Smoke Loader
2884051cd64be98b26224c6cd9ba46bc6802242fdb2aabbb3dd4aa6b1eb16a78
Smoke Loader
45269d3d0fbf13c80d6c496d3ee36e13808e36063bc82e3247cfc291e0f9223c
Smoke Loader
4960918e52dd7f7db806c36c9393ef8329e173c60d9f59de66474af874ba1e46
Smoke Loader
4a8de772cb047939cbac796b1461b5276e418fb33249cb4d41785ef37fa91a35
Smoke Loader
9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d
Smoke Loader
9d98cf2a209bc4ccc92b7dc792c6f3b21c0ce1c2f7eb72498823e7a593145fea
Smoke Loader
a08a7177db0107d81bfe600111224a280635177a05a8040ec50037a4c0805605
Smoke Loader
aa703fb814c6e09c409060654ea9b5798b6a99cb0ceb25bd31bf894dc60702f5
Smoke Loader
+ 666 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210816-nyrxh2rale/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/bd082c60-773c-47e3-abb4-b646e0a1265b/
SH256 hash:
44e3a5d07ad41e0c1e023eeb97798f0822d706abb3406b61466d32a7d29c8726
MD5 hash:
950f966f12a83d04f4293ada9a3d6c9d
SHA1 hash:
d73f6178f510a5eedc1a67008d767c47405ab139
Link:
https://www.unpac.me/results/bd082c60-773c-47e3-abb4-b646e0a1265b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44e3a5d07ad41e0c1e023eeb97798f0822d706abb3406b61466d32a7d29c8726

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:MALWARE_Win_SmokeLoader
Create hunting rule
Author:ditekSHen
Description:Detects SmokeLoader variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 44e3a5d07ad41e0c1e023eeb97798f0822d706abb3406b61466d32a7d29c8726

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1475907/
  
URLhaus
https://urlhaus.abuse.ch/url/1323338/
Cape
Cape
https://www.capesandbox.com/analysis/179560/

Comments


Avatar
zbet commented on 2021-08-16 14:13:31 UTC

url : hxxp://185.215.113.77/cc.exe