MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49272c2faf2a46c091c8b266c5bcca756ff471878e544cd6a4c5fa3273842a97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49272c2faf2a46c091c8b266c5bcca756ff471878e544cd6a4c5fa3273842a97
SHA3-384 hash: 9205fe6677f004200f126f53a493028baddad1c2385f416d1466f815ffd565db75ca1d1aade4c392d1db8753bdc3ad2f
SHA1 hash: 9b185809fa3297ff2c311933b2108350488d098e
MD5 hash: 163776d17fbe428eba6edd9532dbb4e3
humanhash: jupiter-football-crazy-twenty
File name:163776d17fbe428eba6edd9532dbb4e3
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:556'544 bytes
First seen:2022-05-11 15:39:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 1536:9Vrae78zjORCDGwfdCSog01313gs5g8ApbpjEZ8nVSBpX:97ahKyd2n31Z5IplaSV8X
Threatray 979 similar samples on MalwareBazaar
TLSH T1A0C425C573949013EC575A304FA383CA9729FCD0BE34719B2265F36E0B3AAD26E65B05
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f0e2fc66fcdccccc (4 x Smoke Loader)
Reporter zbetcheckin
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
49272c2faf2a46c091c8b266c5bcca756ff471878e544cd6a4c5fa3273842a97.zip
Verdict:
Malicious activity
Analysis date:
2022-05-11 17:11:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58c49f15-e993-463c-a474-cb133236810c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269725/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17158/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll control.exe explorer.exe overlay packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/627bd8de982f586844f1c029/reports/653929b0-aa74-413c-b1a7-1903889c09ed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebc8f2fe-5371-4bd7-b3e2-2dd028f841bf
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992002
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624494 Sample: jet21Wo2De Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 93 Snort IDS alert for network traffic 2->93 95 Multi AV Scanner detection for domain / URL 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 9 other signatures 2->99 9 jet21Wo2De.exe 1 3 2->9         started        12 reubdft 2->12         started        15 rundll32.exe 2->15         started        process3 file4 59 C:\Users\user\AppData\Local\...\Setup_ovl.exe, PE32 9->59 dropped 17 Setup_ovl.exe 16 7 9->17         started        129 Antivirus detection for dropped file 12->129 131 Machine Learning detection for dropped file 12->131 133 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->133 135 3 other signatures 12->135 signatures5 process6 dnsIp7 63 agies.org 107.191.100.214, 49780, 49790, 49793 RAMNODEUS United States 17->63 65 tiny.one 188.114.97.10, 443, 49777, 49792 CLOUDFLARENETUS European Union 17->65 67 2 other IPs or domains 17->67 55 C:\Users\...\Illcnnpjtpknolltgosjipdj1125.exe, PE32 17->55 dropped 57 C:\Users\user\AppData\Roaming\...\Xbxizuj.exe, PE32 17->57 dropped 101 Multi AV Scanner detection for dropped file 17->101 103 Creates multiple autostart registry keys 17->103 105 Injects a PE file into a foreign processes 17->105 22 Illcnnpjtpknolltgosjipdj1125.exe 17->22         started        25 cmd.exe 1 17->25         started        27 Setup_ovl.exe 17->27         started        29 Setup_ovl.exe 17->29         started        file8 signatures9 process10 signatures11 107 Antivirus detection for dropped file 22->107 109 Machine Learning detection for dropped file 22->109 111 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->111 113 3 other signatures 22->113 31 explorer.exe 2 4 22->31 injected 36 conhost.exe 25->36         started        38 timeout.exe 1 25->38         started        process12 dnsIp13 83 ghahantellorb.com 5.101.65.162, 49791, 49794, 80 PINDC-ASRU Russian Federation 31->83 51 C:\Users\user\AppData\Roaming\reubdft, PE32 31->51 dropped 53 C:\Users\user\AppData\Local\Temp\4B47.exe, PE32+ 31->53 dropped 85 Benign windows process drops PE files 31->85 87 Injects code into the Windows Explorer (explorer.exe) 31->87 89 Writes to foreign memory regions 31->89 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->91 40 explorer.exe 31->40         started        44 4B47.exe 31->44         started        47 Xbxizuj.exe 14 3 31->47         started        49 Xbxizuj.exe 2 31->49         started        file14 signatures15 process16 dnsIp17 69 ghahantellorb.com 40->69 115 System process connects to network (likely due to code injection or exploit) 40->115 117 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->117 119 Tries to steal Mail credentials (via file / registry access) 40->119 121 Tries to harvest and steal browser information (history, passwords, etc) 40->121 61 C:\Users\user\AppData\Local\...\Setup_ovl.exe, PE32+ 44->61 dropped 123 Antivirus detection for dropped file 44->123 125 Multi AV Scanner detection for dropped file 44->125 127 Creates multiple autostart registry keys 44->127 71 188.114.96.10, 443, 49789 CLOUDFLARENETUS European Union 47->71 73 www.agies.org 47->73 81 2 other IPs or domains 47->81 75 www.agies.org 49->75 77 tiny.one 49->77 79 agies.org 49->79 file18 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49272c2faf2a46c091c8b266c5bcca756ff471878e544cd6a4c5fa3273842a97/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-05-06 21:48:52 UTC
AV detection:
10 of 26 (38.46%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
12943fc8f2a6c50269500379f4bd7c1e9eff514178699dcc90b0447f1bf4d75b
Smoke Loader
19a74b73bfbb078a9a9fe5c0789d7d011ea547dc2f6a8e17f44efe7c5dffcf57
Smoke Loader
393b5b9f449f53164245179499fcf478d97a900559dccaa1719ec3ace64e724d
Smoke Loader
6df1711427805cf33f297bd481fb8fdf3f04e92d25553b15060161bf972b334a
Smoke Loader
6e5a705271b3d5f53476410d8667d8a8b254595ea387737125f0af049596a2b8
Smoke Loader
791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544
Smoke Loader
89135baf5191bcfa7b3f317fb12da0a30c2f3cdb320fe0c31b22e5dbbb2b472a
Smoke Loader
9213771d3c5189ae487f47c552a34856d2298ed22aac305bc5f29c03212312ea
Smoke Loader
aa99576f50fbf176a2d463fa84591fb651c1751a344949a01b93fb8afa297b2d
Smoke Loader
f366cb892570b264ce73bd7c818ee214f0e5f00dc008a4dac5fa5cdc095ddab7
Smoke Loader
+ 969 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220511-s37elaeedr/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
49272c2faf2a46c091c8b266c5bcca756ff471878e544cd6a4c5fa3273842a97
MD5 hash:
163776d17fbe428eba6edd9532dbb4e3
SHA1 hash:
9b185809fa3297ff2c311933b2108350488d098e
Link:
https://www.unpac.me/results/976bbe02-0200-49a7-bae0-8ec5bce15f27/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/49272c2faf2a46c091c8b266c5bcca756ff471878e544cd6a4c5fa3273842a97

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 49272c2faf2a46c091c8b266c5bcca756ff471878e544cd6a4c5fa3273842a97

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/269725/
  
URLhaus
https://urlhaus.abuse.ch/url/2190239/
  
URLhaus
https://urlhaus.abuse.ch/url/2190250/

Comments


Avatar
zbet commented on 2022-05-11 15:39:28 UTC

url : hxxps://kalmvet.gr/forum/chrome.exe