MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments 1

SHA256 hash:	4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f
SHA3-384 hash:	80ab724088061df6d85e49690d7c2b274ec428cc26330609915dbee3968d9df31ad19db72d576493fb84f9e53b6f80de
SHA1 hash:	b718a320f4482e397719552f098a67b883c88b28
MD5 hash:	766801c28e2bba5d4587ee22941b6528
humanhash:	december-iowa-tango-stairway
File name:	ДОГОВIР_ПОСТАВКА_11224_Вiд_12_01_2024p.PDF.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	352'864 bytes
First seen:	2024-01-29 09:41:26 UTC
Last seen:	2024-01-29 11:35:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	cd132b2f89f79b212f0c4061c0a4f036 (2 x Smoke Loader, 1 x Glupteba, 1 x Stealc)
ssdeep	6144:Rg0i18FzH1EdOesCdFGSRacbvJNLW9Y3fXkAF:Op18FzH+dOevRaclNDfUAF
Threatray	1'837 similar samples on MalwareBazaar
TLSH	T1FC748D5037ECC4F1E2B719358935C7A50B3BB8726E31A68F7AD16A3A5E347C1862131B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ecce889ca698e8f0 (2 x Smoke Loader)
Reporter	angel11VR
Tags:	exe signed Smoke Loader SmokeLoader

Code Signing Certificate

Organisation:	Microsoft Windows Production PCA 2011
Issuer:	Microsoft Windows Production PCA 2011
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-09-23T00:00:00Z
Valid to:	2028-09-23T00:00:00Z
Serial number:	08fe4deb33adccd2
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	60f9ae514684c36bd4a08861ebcb83c00073955ebe44ba25226fa878a68d2d8e
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

386

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f.exe

Verdict:

Malicious activity

Analysis date:

2024-01-29 10:10:48 UTC

Tags:

loader smoke smokeloader

Link:

https://app.any.run/tasks/533d3f36-8b35-49e5-9fa8-8c5dc8d4ada8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Siggen24.13822.14292.27032.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33963dd7-d469-4d98-9ab9-6c6856cd6c7b

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1381500

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2024-01-26 12:40:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jba34qunadjjvody7wrdqugzjc6c2exo7mywehacolrqdwk3xr7q._file

Verdict:

malicious

Smoke Loader

1db54ba35abbe3cb1e178971085be979a8c62351630bd9c6e616a6391ab270bf

Smoke Loader

4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f

Smoke Loader

50ca2730d4feb93b8d6cf986a86b34912d83c10dd7d7259d3538d415c904af73

Smoke Loader

6a684f04b6dc6ed0ca2bc55dec214e78c664aa18ee412fd290e6d543866115a9

Smoke Loader

e629fcf41de2187cafd4c8c38b1e9408a5c521d29459971bb96fae5da26fa9d5

Smoke Loader

f518307808486c2718cd6b83e4e5f012e3531c8d352abd6d51b7311fcfa2c28c

Smoke Loader

f662b3ef913a9bfb62cb970e6f8f8e81ad75b21deaccffc01cbc1390f34e776e

Smoke Loader

+ 1'827 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/240129-lpbx7sfba7/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://kitfishstore.ru/index.php
http://homemademagazine.ru/index.php

Unpacked files

SH256 hash:

e07b4b4f01f3a1409719cb0ca30c2044d4fd74402e705b833a2459ef7b792680

MD5 hash:

f44ef52a8ea797501328986afb8df6b4

SHA1 hash:

866c53886b000834160b9fbcfc0f3005b51a678f

Detections:

SmokeLoaderStage2

win_smokeloader_a2

Link:

https://www.unpac.me/results/f13620f4-7c35-4f05-85e2-1721bdd94eb4/

Parent samples :

4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f
6a684f04b6dc6ed0ca2bc55dec214e78c664aa18ee412fd290e6d543866115a9
ac2cc11ee2957c90a9eaef38a7199e4b60f523127821da822504e72ccbfc2335

SH256 hash:

4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f

MD5 hash:

766801c28e2bba5d4587ee22941b6528

SHA1 hash:

b718a320f4482e397719552f098a67b883c88b28

Link:

https://www.unpac.me/results/f13620f4-7c35-4f05-85e2-1721bdd94eb4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

exe 4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

commented on 2024-01-29 10:00:23 UTC

#smokeloader #signed #7z #exe
email attach .7z (PWD) > exe1 and exe2 > C2
IOC`s
https://pastebin.com/WYsm7Jyk