MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5543fd0c115a8af9e627936be64a3f0fafc187665d000954ef32da675ec76a2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 17

SHA256 hash: 5543fd0c115a8af9e627936be64a3f0fafc187665d000954ef32da675ec76a2c
SHA3-384 hash: 650452f666cdc276a139832f6362436a20d87223f9db418442cbd475f334069960af66323389ac5614f191dff3e484a3
SHA1 hash: 6c47b0c8f54bf7539db8c0e9c4cd29fd3c212dcc
MD5 hash: 90a81fd4dc1a472ee7f818f5b9b7355e
humanhash: three-orange-mobile-salami
File name: 90a81fd4dc1a472ee7f818f5b9b7355e.exe
Signature: Smoke Loader
File size: 220'672 bytes
First seen: 2023-09-18 06:19:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d96186b037e8e986f105cf4c4b9c7fbe (2 x Tofsee, 2 x Stealc, 2 x Smoke Loader)
ssdeep: 3072:tcAX1zdZsnLOIG9/H1pH55ooJMswYm20Iw+u7giarddzB5bfbTDKc:f1zjsnLE9/H1pHdMswxrarnfbTf
Threatray: 4'811 similar samples on MalwareBazaar
TLSH: T1DE24DF2175A2D4F2D56B41304820DAF46AFBB8375678498B33683F6F7D313929B6E312
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 020405060a182000 (1 x Smoke Loader)
Reporter: abuse_ch
Tags: exe Smoke Loader

Intelligence


File Origin
# of uploads: 1
# of downloads: 291
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 90a81fd4dc1a472ee7f818f5b9b7355e.exe
Verdict: Malicious activity
Analysis date: 2023-09-18 10:55:59 UTC
Tags: loader smoke

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Gathering data

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: SmokeLoader
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 1309788
Sample: ADPIhqn4mw.exe
Start date: 18/09/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 8 other signatures
Process tree:
ADPIhqn4mw.exe (started)
  Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Creates a thread in another existing process (thread injection)
  explorer.exe (injected)
    Network: 95.158.162.200 (ports 49720, 49761, 49762; VIDEOSATBG, Bulgaria); gudintas.at 187.134.40.51 (ports 49705, 49717, 49721; UninetSAdeCVMX, Mexico); 12 other IPs or domains
    Dropped: C:\Users\user\AppData\Roaming\vtsghja (PE32); C:\Users\user\AppData\Roaming\gvsghja (PE32); C:\Users\user\AppData\Local\Temp\D6F5.exe (PE32); 3 other malicious files
    Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 3 other signatures
    D6F5.exe (started)
      Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 5 other signatures
    4F04.exe (started)
      Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 3 other signatures
      cmd.exe (started)
        conhost.exe (started)
        WMIC.exe (started)
        WMIC.exe (started)
        3 other processes
    explorer.exe (started)
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); 2 other signatures
    7 other processes
      Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; 2 other signatures
gvsghja (started)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
vtsghja (started)
  Signatures: Machine Learning detection for dropped file; Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
msiexec.exe (started)
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2023-09-18 06:03:28 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 13 of 23 (56.52%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader botnet:pub1 backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Deletes itself

SmokeLoader
Malware Config
C2 Extraction:
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/

Unpacked files
SHA256 hash: f8e33fe12c8d4ea39089e504e4071cee057a69cd4f7198b1b96d6841d73037c5
MD5 hash: 369bfea70013cbf36679b6e8edb298a5
SHA1 hash: 575e3646997d3ffa0267ac4dd989e97436ea31cf
Detections: SmokeLoaderStage2 win_smokeloader_a2

Parent samples:
SHA256 hash: 5543fd0c115a8af9e627936be64a3f0fafc187665d000954ef32da675ec76a2c
MD5 hash: 90a81fd4dc1a472ee7f818f5b9b7355e
SHA1 hash: 6c47b0c8f54bf7539db8c0e9c4cd29fd3c212dcc
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Smoke Loader
File: Executable exe 5543fd0c115a8af9e627936be64a3f0fafc187665d000954ef32da675ec76a2c (this sample)

Delivery method
Distributed via web download
