MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f
SHA3-384 hash: e6d0a79a437f99e014cf287cf4ec8f1629f253d76ee4d3de18edfbe11b3cec2cb71e95890d9cf8aa5776622a6d325cc0
SHA1 hash: 94fcad942bc030f7c8e0f7665ab995a47db7a06c
MD5 hash: 7456214bc55be7cc872f065ebe8af1b1
humanhash: tennessee-sierra-minnesota-xray
File name:7456214bc55be7cc872f065ebe8af1b1.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:162'304 bytes
First seen:2021-07-19 15:31:16 UTC
Last seen:2021-07-19 16:46:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1cdb58c3690bead970c88431e979e839 (2 x Smoke Loader, 1 x TeamBot)
ssdeep 3072:/xE5hLnu1pr2I1ILH7rXALJDwX7DRwbL1u:5E3b6N1ILbkLyXhOo
Threatray 2'009 similar samples on MalwareBazaar
TLSH T162F38D1075E1D472DDF24A3058F4C2A16E3FBC626D74810B7A953ADBAE712C27AAD313
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7456214bc55be7cc872f065ebe8af1b1.exe
Verdict:
No threats detected
Analysis date:
2021-07-19 15:39:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/83b47744-8aed-40f2-95fb-de144a15e9d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172580/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.16937.19706.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/413bfc19-d365-48cc-9277-0a4654669566
Result
Threat name:
Amadey SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818348
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 450759 Sample: 1qhiDqXN13.exe Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 62 amaad100.com 2->62 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Multi AV Scanner detection for domain / URL 2->80 82 Found malware configuration 2->82 84 8 other signatures 2->84 11 1qhiDqXN13.exe 2->11         started        14 abwfvvg 2->14         started        16 rgbux.exe 2->16         started        signatures3 process4 signatures5 118 Detected unpacking (changes PE section rights) 11->118 120 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->120 122 Maps a DLL or memory area into another process 11->122 124 Creates a thread in another existing process (thread injection) 11->124 18 explorer.exe 5 11->18 injected 126 Multi AV Scanner detection for dropped file 14->126 128 Machine Learning detection for dropped file 14->128 130 Checks if the current machine is a virtual machine (disk enumeration) 14->130 process6 dnsIp7 64 custom100.ru 91.92.109.175, 49744, 49750, 80 NETERRA-ASBG Bulgaria 18->64 66 5.39.221.61, 49745, 49761, 80 HOSTKEY-ASNL Netherlands 18->66 50 C:\Users\user\AppData\Roaming\abwfvvg, PE32 18->50 dropped 52 C:\Users\user\AppData\Local\Temp\18A9.exe, PE32 18->52 dropped 54 C:\Users\user\...\abwfvvg:Zone.Identifier, ASCII 18->54 dropped 86 System process connects to network (likely due to code injection or exploit) 18->86 88 Benign windows process drops PE files 18->88 90 Injects code into the Windows Explorer (explorer.exe) 18->90 92 3 other signatures 18->92 23 18A9.exe 4 18->23         started        27 explorer.exe 8 18->27         started        30 explorer.exe 18->30         started        32 3 other processes 18->32 file8 signatures9 process10 dnsIp11 60 C:\Users\user\AppData\Local\...\rgbux.exe, PE32 23->60 dropped 102 Detected unpacking (changes PE section rights) 23->102 104 Detected unpacking (overwrites its own PE header) 23->104 106 Machine Learning detection for dropped file 23->106 108 Contains functionality to inject code into remote processes 23->108 34 rgbux.exe 1 18 23->34         started        74 custom100.ru 27->74 76 192.168.2.1 unknown unknown 27->76 110 System process connects to network (likely due to code injection or exploit) 27->110 112 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->112 114 Tries to steal Mail credentials (via file access) 27->114 116 Tries to harvest and steal browser information (history, passwords, etc) 30->116 file12 signatures13 process14 dnsIp15 68 900ama.com 87.120.37.96, 49757, 49758, 49759 NETERRA-ASBG Bulgaria 34->68 70 amaad100.com 34->70 72 ama529.ru 34->72 56 C:\Users\user\AppData\Local\Temp\a_upd.exe, PE32 34->56 dropped 58 C:\Users\user\AppData\Local\...\a_upd[1].exe, PE32 34->58 dropped 94 Detected unpacking (changes PE section rights) 34->94 96 Detected unpacking (overwrites its own PE header) 34->96 98 Machine Learning detection for dropped file 34->98 100 Uses schtasks.exe or at.exe to add and modify task schedules 34->100 39 cmd.exe 1 34->39         started        41 schtasks.exe 1 34->41         started        file16 signatures17 process18 process19 43 reg.exe 1 39->43         started        46 conhost.exe 39->46         started        48 conhost.exe 41->48         started        signatures20 132 Creates an undocumented autostart registry key 43->132
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 15:32:06 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ku64jqdm2kukcpxlxehgyku6p7ajvamfrvzdggm7b4b5ebi37npq._file
Verdict:
suspicious
Similar samples:
1a78aaf6aae3b9d9a32dc6c8cfe9182043f71a3d44e727464ab95a70fc24bbe8
Smoke Loader
1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db
Smoke Loader
2eafd204076978f8a4a3e39ab0b8dd4cbed9bec5a4ac39146e40d921c8af59ff
Smoke Loader
5e6932fbfebe00b2c44d7e74bb8409b55ad7abe92507c56887ded333684fcd92
Smoke Loader
7f40d0fe270f72aec76ec5348630f3b354ea4dd010d60edcdd865693824981de
Smoke Loader
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
Smoke Loader
8f32a2bc4817137939fbd615fbcbab4c93dd0305e9d407ec6de706483c50556e
Smoke Loader
a99dfa4b60347edac3d2083c96df817bc3dfdc3c206be400723abb594cdb510b
Smoke Loader
ad5592929818b5ee09b99dddb8a652d84621e0b70efe51c2f2b6ca54aeaa3713
Smoke Loader
e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141
Smoke Loader
+ 1'999 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:smokeloader backdoor persistence trojan
Link:
https://tria.ge/reports/210719-apmnr26ln2/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Amadey
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://custom100.ru/
http://other191.com/
http://custom300.com/
http://600other.com/
ama529.ru/gBcskbwWs/index.php
amaad100.com/gBcskbwWs/index.php
900ama.com/gBcskbwWs/index.php
Unpacked files
SH256 hash:
59a8c31f25c2b35785dc416f8eeee5bb50e444914713b0d430199b90a13294ac
MD5 hash:
842c41d0f26b4014c78f1036d9bfc7ef
SHA1 hash:
d7aca102e15fd73cda121481f25c1e5c8fe8d2c1
Link:
https://www.unpac.me/results/ed93a2e6-eb26-4e9c-b270-7d558c0d3c2a/
SH256 hash:
553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f
MD5 hash:
7456214bc55be7cc872f065ebe8af1b1
SHA1 hash:
94fcad942bc030f7c8e0f7665ab995a47db7a06c
Link:
https://www.unpac.me/results/ed93a2e6-eb26-4e9c-b270-7d558c0d3c2a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1461955/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172580/

Comments