MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b890e0ee85a46b14571aeb42e6229ce658b7b49ddae84af4c41017fb07ba286. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b890e0ee85a46b14571aeb42e6229ce658b7b49ddae84af4c41017fb07ba286
SHA3-384 hash: d5ace8375ecdda5ee4a6e50ff8321313726b0fa8f00e206a8fb84f2df0c18b66cd50a8277cc7d3c4ea66a3fdd647e734
SHA1 hash: 583862bc96c0f61c904969dfc41a47117f598ab7
MD5 hash: d708c56db2bc85bf2ee28cd7cfa50054
humanhash: may-maryland-mars-nineteen
File name:d708c56db2bc85bf2ee28cd7cfa50054.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:173'056 bytes
First seen:2021-11-12 10:14:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fff777f42c1e485850e1fdc0085a1692 (4 x RedLineStealer, 4 x Smoke Loader, 1 x DanaBot)
ssdeep 3072:g7zwzn6Vkl6EMSUfaWpQlcLK8T9KTcpZa9uD6Vdyhkf:Fn6VkAEYQeK8pKTcwVf
TLSH T15604AE10B7E1C875E1A2263C14A5ABB00B3AFDF2E578954B3B94263E1EB32D04A75357
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c8 (18 x RedLineStealer, 10 x RaccoonStealer, 5 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205241/
Detection(s):
Win.Malware.Generic-9908035-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/618e3eaedec3347825a2ad2b/reports/10491485-33a9-473a-b5f6-7fb418d07d52/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bfe6ac1-cb22-4795-8b44-1c06ddc6221c
Result
Threat name:
Clipboard Hijacker RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888031
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520502 Sample: lZmCS86vdM.exe Startdate: 12/11/2021 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Antivirus detection for URL or domain 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 10 other signatures 2->65 8 lZmCS86vdM.exe 2->8         started        11 rchtshb 2->11         started        13 SmartClock.exe 2->13         started        process3 signatures4 79 Detected unpacking (changes PE section rights) 8->79 81 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->81 83 Maps a DLL or memory area into another process 8->83 85 Creates a thread in another existing process (thread injection) 8->85 15 explorer.exe 6 8->15 injected 87 Multi AV Scanner detection for dropped file 11->87 89 Machine Learning detection for dropped file 11->89 91 Checks if the current machine is a virtual machine (disk enumeration) 11->91 process5 dnsIp6 45 nutriescapa.com 195.133.74.88, 49773, 49786, 80 MTW-ASRU Russian Federation 15->45 47 misha.at 91.203.174.38, 49761, 80 LITTEL-ASRU Uzbekistan 15->47 49 9 other IPs or domains 15->49 33 C:\Users\user\AppData\Roaming\rchtshb, PE32 15->33 dropped 35 C:\Users\user\AppData\Local\Temp\53D.exe, PE32 15->35 dropped 37 C:\Users\user\AppData\Local\Temp\3BEF.exe, PE32 15->37 dropped 39 2 other malicious files 15->39 dropped 51 System process connects to network (likely due to code injection or exploit) 15->51 53 Benign windows process drops PE files 15->53 55 Deletes itself after installation 15->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->57 20 3BEF.exe 5 15->20         started        24 53D.exe 4 15->24         started        27 22E7.exe 15->27         started        29 SmartClock.exe 15->29         started        file7 signatures8 process9 dnsIp10 43 185.215.113.29, 1102, 49840 WHOLESALECONNECTIONSNL Portugal 20->43 67 Detected unpacking (overwrites its own PE header) 20->67 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->69 71 Machine Learning detection for dropped file 20->71 77 2 other signatures 20->77 41 C:\Users\user\AppData\...\SmartClock.exe, PE32 24->41 dropped 73 Detected unpacking (changes PE section rights) 24->73 75 Delayed program exit found 24->75 31 SmartClock.exe 24->31         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b890e0ee85a46b14571aeb42e6229ce658b7b49ddae84af4c41017fb07ba286/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-11-12 10:15:08 UTC
AV detection:
16 of 44 (36.36%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor persistence trojan upx
Link:
https://tria.ge/reports/211112-l98gxadbc3/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Deletes itself
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
SmokeLoader
Malware Config
C2 Extraction:
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Unpacked files
SH256 hash:
2d42354cb59833a247375928187032beead3c641520e36824fce6f48b126d8a6
MD5 hash:
38fa5abed729083474ad8e1084b03b6d
SHA1 hash:
707a3feb91f1242f57bdd9fb6b3852462b64a985
Link:
https://www.unpac.me/results/1c097bdf-32ef-41ae-8c8d-13db8e0432d9/
SH256 hash:
4b890e0ee85a46b14571aeb42e6229ce658b7b49ddae84af4c41017fb07ba286
MD5 hash:
d708c56db2bc85bf2ee28cd7cfa50054
SHA1 hash:
583862bc96c0f61c904969dfc41a47117f598ab7
Link:
https://www.unpac.me/results/1c097bdf-32ef-41ae-8c8d-13db8e0432d9/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4b890e0ee85a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b890e0ee85a46b14571aeb42e6229ce658b7b49ddae84af4c41017fb07ba286

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 4b890e0ee85a46b14571aeb42e6229ce658b7b49ddae84af4c41017fb07ba286

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/205241/
  
URLhaus
https://urlhaus.abuse.ch/url/1766412/
  
Delivery method
Distributed via web download

Comments