MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b27fd5c70588d922a25f658f35d5c5d3e0085ba88d9bb9b25746c52b2b58e59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 17



SHA256 hash: 4b27fd5c70588d922a25f658f35d5c5d3e0085ba88d9bb9b25746c52b2b58e59
SHA3-384 hash: 86e122beb372138050d55aabd3bc0a9c06f7573570b59cb3e1386b78c1e33c4ee7e354caca9db8ca88de8875252fa20a
SHA1 hash: cea0bad5af7ab2ea03da693f3857b65a46dab466
MD5 hash: c10cc05f3b3d59c92b1ae9cd99246cb8
humanhash: wyoming-autumn-kentucky-salami
File name: c10cc05f3b3d59c92b1ae9cd99246cb8.exe
Signature: Smoke Loader
File size: 998'912 bytes
First seen: 2024-08-19 08:40:21 UTC
Last seen: 2024-08-19 09:19:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:v+MGl+GaMWxv1rA69EqPo3La38yUhsGdxZ66ciFOFKXz9BUal9pU9b9JfyV0RSbq:JGaMsv1r7D6Lasya6pFyBUmU9nu1b9s
Threatray 2'482 similar samples on MalwareBazaar
TLSH T18E25224C6BD8DB77E11F0FB468A444645BF1E74AD212EB887CDCB4E608A3728139529F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter abuse_ch
Tags: exe Smoke Loader

Intelligence


File Origin
# of uploads: 2
# of downloads: 449
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c10cc05f3b3d59c92b1ae9cd99246cb8.exe
Verdict: Malicious activity
Analysis date: 2024-08-19 08:41:10 UTC
Tags: loader smokeloader uac stealer purecrypter purelogs netreactor exfiltration

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: Network Stealth
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: PureLog Stealer, SmokeLoader, TrojanRans
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May drop file containing decryption instructions (likely related to ransomware)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected SmokeLoader
Yara detected TrojanRansom
Yara detected zgRAT
Behaviour
Behavior Graph: rendered process graph not reproduced here (Behavior Graph ID 1494829; sample uL6UtPbcrx.exe; start date 19/08/2024; architecture WINDOWS; score 100).
Threat name: ByteCode-MSIL.Trojan.Jalapeno
Status: Malicious
First seen: 2024-08-19 08:41:06 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor discovery trojan
Behaviour
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
SmokeLoader
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash:
d5211d65b3f887263c881bcac02869e98999aed62af064020200082655b7815d
MD5 hash:
8fc59220248acc775d7f60e43ce983b6
SHA1 hash:
e32ef8620d6c87a4ce56be6422407a5f464bf478
SHA256 hash:
adb9b74b1d3653adc2c00c0c227b4bb37334bcf673d362d62a25e7dd431a7d29
MD5 hash:
730ee56124e16a88da6bf4eaf7e2c750
SHA1 hash:
2de814edfeca91e2d7d9c51dd7b8857f9d88a6ce
SHA256 hash:
73e3359b2a1fc92642b96a30d52044304621c8df619f7dcce8739f52beb97dce
MD5 hash:
e00b22b5af750dfc1934f513d67b7752
SHA1 hash:
277e8b8ee8c678dad4a3c19d2478d3d43d510e3f
SHA256 hash:
7be32abc2c17606b0a880dfeaae55ca0ee8f2bf191563aafba20311afeecbdd2
MD5 hash:
2854dee6c64d0b7dc669efe91df98662
SHA1 hash:
1c740233754a1402a88b0ccf440888778352a4ae
Detections:
SmokeLoaderStage2 win_smokeloader_a2
SHA256 hash:
c6aa4886a804700b4b72bb6086610a8d1f79777c00ebff0992a85407a0ae5b5e
MD5 hash:
8db282f534abb8b1eed93db4ce3b8f75
SHA1 hash:
4586ef3ac6a750032f706564e4553f8cb088cc85
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
4b27fd5c70588d922a25f658f35d5c5d3e0085ba88d9bb9b25746c52b2b58e59
MD5 hash:
c10cc05f3b3d59c92b1ae9cd99246cb8
SHA1 hash:
cea0bad5af7ab2ea03da693f3857b65a46dab466
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing DLL security characteristics (GUARD_CF) | high
