MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e2375353e49f18d6679c5372a688fc5c9a2ae3994830e6fe19e1cd20bc5ea6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13



SHA256 hash: 4e2375353e49f18d6679c5372a688fc5c9a2ae3994830e6fe19e1cd20bc5ea6d
SHA3-384 hash: f23cc710716c91aef0f53cf9d9d30af32810df48b53ca13a88568d7ddc1240fd9479ea6ebb00a800f510aa04bbee7494
SHA1 hash: 0db593cebd066ce9abac5ad2c6b9468d31db5d3c
MD5 hash: e0bc2140d5a10035fb6d3b4e1b46cdfe
humanhash: chicken-uncle-mike-wisconsin
File name: SecuriteInfo.com.Win64.PWSX-gen.2315.32186
Signature: Smoke Loader
File size: 818'400 bytes
First seen: 2023-12-23 05:13:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b12336fa8cbb9bd1c3e11ad0d8477f71 (2 x Smoke Loader, 2 x Stealc, 1 x RemcosRAT)
ssdeep: 24576:aAlTCq3CQGpn2B5ziaj5n9798/dvDwP81d:tT5T6q5jjX798/dvDwP81d
Threatray: 9 similar samples on MalwareBazaar
TLSH: T1B90533E7BA7A20C8FA62A5F2065FD109CE3076F7F0DA173001C46D9C9A5DB497E1A1A1
TrID: 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
      25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.8% (.EXE) OS/2 Executable (generic) (2029/13)
      1.8% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 009286868686f800 (4 x Stealc, 4 x AgentTesla, 3 x Smoke Loader)
Reporter: SecuriteInfoCom
Tags: exe, signed, Smoke Loader

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-23T02:15:31Z
Valid to: 2024-12-23T02:15:31Z
Serial number: 03daa4f412254f73190cf6631a09ba28
Thumbprint Algorithm: SHA256
Thumbprint: 1972b6a559e655d1ee13f16fcfe9e773077f9c2ccda7e9d31252329b5a945e8b
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 481
Origin country: FR
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 4363463463464363463463463.exe
Verdict: Malicious activity
Analysis date: 2023-12-23 19:22:37 UTC
Tags: opendir loader keylogger amadey botnet stealer hausbomber lumma vidar rat backdoor dcrat remote metasploit redline phorpiex trojan arechclient2 rhadamanthys evasion originbotnet nanocore remcos asyncrat hijackloader stealc agenttesla kelihos doina gcleaner systembc proxy purplefox risepro

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: hacktool lolbin monero overlay packed packed packed shell32 upx
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: SmokeLoader, Stealc, Vidar
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1366465 (sample: SecuriteInfo.com.Win64.PWSX-gen.2315.32186.exe; start date: 23/12/2023; architecture: WINDOWS; score: 100)
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-12-23 05:14:05 UTC
File Type: PE+ (Exe)
Extracted files: 5
AV detection: 15 of 23 (65.22%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:dcrat family:glupteba family:smokeloader family:stealc botnet:pub4 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMonFS driver
Modifies boot configuration data using bcdedit
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Registers COM server for autorun
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
DcRat
Glupteba
Glupteba payload
SmokeLoader
Stealc
Windows security bypass
Malware Config
C2 Extraction:
http://77.91.76.36
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SHA256 hash: a9f0c5a08710601701b639c7e2ba63963c47e2ea2ddb4428c7b823ee2376fb7b
MD5 hash: 00fac4329d1350593caafa2fd8cfeca1
SHA1 hash: af6f77faf513eedb617b6536d6ce29727cfe0741

SHA256 hash: 4e2375353e49f18d6679c5372a688fc5c9a2ae3994830e6fe19e1cd20bc5ea6d
MD5 hash: e0bc2140d5a10035fb6d3b4e1b46cdfe
SHA1 hash: 0db593cebd066ce9abac5ad2c6b9468d31db5d3c

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Smoke Loader
File type: Executable exe
SHA256: 4e2375353e49f18d6679c5372a688fc5c9a2ae3994830e6fe19e1cd20bc5ea6d (this sample)

Delivery method
Distributed via web download