MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56f120e6f63ff266c49b0851e68bcdb6a823c6834f486e6090318602dc61106a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56f120e6f63ff266c49b0851e68bcdb6a823c6834f486e6090318602dc61106a
SHA3-384 hash: 8d011bc1865689ca2808381d2a74769b48881bbf751ddf0135f857758737f846b5d3377449c5467bf50df97ac8884f3e
SHA1 hash: 8fb99e8c6db5d3ffb4e3685f962fc2b4f9f668c6
MD5 hash: d58078226c4066f05926c70be7cf64a7
humanhash: eighteen-bacon-sink-twelve
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:278'528 bytes
First seen:2022-10-05 20:34:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 88ae0b1b86ca75a326fa794c920a20b9 (9 x Smoke Loader, 5 x GCleaner, 2 x Nymaim)
ssdeep 6144:A/ERFLbNamokFUhsZzRuzbgwuZuwVfUU:A2UmBFUG1unn/U
Threatray 7'280 similar samples on MalwareBazaar
TLSH T1BB44BE31B6EAC4B3C5A3057044749BA06F7BB8336574858B3724D25D1EB2A9C8AF631F
TrID 39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from https://asadjung.com/upload/ChromeSetup.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317027/
Detection(s):
Win.Packed.Zard-9972749-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41390/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/633dea770d3d21420cca9cc1/reports/c39bbafe-11ee-4a83-bf3e-3c41bbabd1a5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e485a306-7348-4013-8b89-f5ace255f3b3
Result
Threat name:
DanaBot, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084467
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 717024 Sample: file.exe Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 5 other signatures 2->50 9 file.exe 2->9         started        12 rwsjtgf 2->12         started        14 6B96.exe 2->14         started        process3 signatures4 68 Detected unpacking (changes PE section rights) 9->68 70 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->70 72 Maps a DLL or memory area into another process 9->72 74 Creates a thread in another existing process (thread injection) 9->74 16 explorer.exe 6 9->16 injected 76 Multi AV Scanner detection for dropped file 12->76 78 Machine Learning detection for dropped file 12->78 80 Checks if the current machine is a virtual machine (disk enumeration) 12->80 process5 dnsIp6 38 gayworld.at 186.182.55.44, 49712, 49727, 49732 TechtelLMDSComunicacionesInteractivasSAAR Argentina 16->38 40 thepokeway.nl 5.135.247.111, 443, 49733 OVHFR France 16->40 42 8 other IPs or domains 16->42 30 C:\Users\user\AppData\Roaming\rwsjtgf, PE32 16->30 dropped 32 C:\Users\user\AppData\Local\Temp\6B96.exe, PE32 16->32 dropped 34 C:\Users\user\AppData\Local\Temp\34E5.exe, PE32 16->34 dropped 36 C:\Users\user\...\rwsjtgf:Zone.Identifier, ASCII 16->36 dropped 52 System process connects to network (likely due to code injection or exploit) 16->52 54 Benign windows process drops PE files 16->54 56 Deletes itself after installation 16->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->58 21 6B96.exe 16->21         started        24 34E5.exe 16->24         started        file7 signatures8 process9 signatures10 60 Detected unpacking (changes PE section rights) 21->60 62 Detected unpacking (overwrites its own PE header) 21->62 64 Machine Learning detection for dropped file 21->64 66 Contains functionality to infect the boot sector 21->66 26 7za.exe 1 24->26         started        process11 process12 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56f120e6f63ff266c49b0851e68bcdb6a823c6834f486e6090318602dc61106a/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 20:35:09 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3ysbzxwh7zgnre3bbi6nc6nw2uchrudj5eg4yeqggdafxdbcbva._file
Verdict:
malicious
Similar samples:
35be65280e65cc6b44fb20b468cca606d518aad0cb448127df637e75231d86ec
Smoke Loader
42222d4215948ab44c3fa539feb56ce78612a7365e888b1834eec81592eacb75
Smoke Loader
458f3cbc8027068a53fa01e93c5e0f2415657f4bad8143c98d3cd4b6862fb189
Smoke Loader
67ac0d1dd4b73ea5d714efb1de0b18631950b1d2aae4a3c25f007eda9f7aa7d8
Smoke Loader
a6650e8e5968e516505133725bc634c8d524c925bed6de04b068f0f25d469d2b
Smoke Loader
a6944f5e05e82adbaa5a356d3c68d1220c5c5eafa59e63fb74a1ffd01fffb9cf
Smoke Loader
a749aafd3cf83fcfe2a763e09cca6521c3176b3c78af41fecbf5406af99bcfa2
Smoke Loader
d8ee6da314f62db1d1a960275f9f70a059d631f50360f4936501ea753bb68322
Smoke Loader
+ 7'270 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:danabot family:smokeloader backdoor banker trojan
Link:
https://tria.ge/reports/221005-zcz16afger/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Detects Smokeloader packer
SmokeLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5e52a6e6-2ae4-4e7f-b7d0-d8be8d3613c3
Unpacked files
SH256 hash:
56f120e6f63ff266c49b0851e68bcdb6a823c6834f486e6090318602dc61106a
MD5 hash:
d58078226c4066f05926c70be7cf64a7
SHA1 hash:
8fb99e8c6db5d3ffb4e3685f962fc2b4f9f668c6
Link:
https://www.unpac.me/results/af419243-c50a-4be6-9948-1cad5051b4e3/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56f120e6f63f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56f120e6f63ff266c49b0851e68bcdb6a823c6834f486e6090318602dc61106a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/317027/
  
URLhaus
https://urlhaus.abuse.ch/url/2308767/

Comments