MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 17



SHA256 hash: 57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329
SHA3-384 hash: 04e9aa84a8a1e0825fef0b475eb681ef9a47d85e8cbb4720638e869f02afce878c1d35eb1a7078f426900b69b6440635
SHA1 hash: 2a7159b0a2efd5f912886bc6bc2e0d29cee577b6
MD5 hash: f4d73b7bcfcdc85f236054d09e6ad097
humanhash: hydrogen-table-whiskey-mexico
File name: SecuriteInfo.com.Win32.DropperX-gen.3148.24898
Signature: Smoke Loader
File size: 305'664 bytes
First seen: 2023-09-14 05:38:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 3c565fbe4eaafad8572e17176ac3eb42 (2 x Stealc, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep 3072:n2ufjT/ih9nQU/HGZg2fB8Ik5ueI7DwLRc9P2OIC/IM+FURL3:xfvih9nd/H7221udnwdclP/I0
Threatray 4'768 similar samples on MalwareBazaar
TLSH T18E545A03AF907D60D5254B7A8E1EC6EC3A5DB961FE59377A221BEA1FC8700B3C162711
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 0020609084632100 (1 x Smoke Loader)
Reporter SecuriteInfoCom
Tags: exe, Smoke Loader

Intelligence


File Origin
# of uploads :
1
# of downloads :
299
Origin country :
FR
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
SecuriteInfo.com.Win32.DropperX-gen.3148.24898
Verdict:
Malicious activity
Analysis date:
2023-09-14 05:41:05 UTC
Tags:
loader smoke

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed smokeloader
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 1307726
Sample: SecuriteInfo.com.Win32.Drop...
Startdate: 14/09/2023
Architecture: WINDOWS
Score: 100
Top-level signatures:
Multi AV Scanner detection for domain / URL
Found malware configuration
Malicious sample detected (through community Yara rule)
6 other signatures
Processes started:
SecuriteInfo.com.Win32.DropperX-gen.3148.24898.exe
efhtbfu
efhtbfu
Signatures for SecuriteInfo.com.Win32.DropperX-gen.3148.24898.exe:
Detected unpacking (changes PE section rights)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Maps a DLL or memory area into another process
Injected into: explorer.exe
Signatures for efhtbfu (first instance):
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
Signatures for efhtbfu (second instance):
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Network activity from explorer.exe:
189.232.123.108, 49725, 49731, 49737 UninetSAdeCVMX Mexico
gudintas.at 189.245.1.33, 49716, 49718, 49722 UninetSAdeCVMX Mexico
8 other IPs or domains
Files dropped by explorer.exe:
C:\Users\user\AppData\Roaming\efhtbfu, PE32
C:\Users\user\...\efhtbfu:Zone.Identifier, ASCII
Signatures for explorer.exe:
System process connects to network (likely due to code injection or exploit)
Benign windows process drops PE files
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Threat name:
Win32.Trojan.SmokeLoader
Status:
Malicious
First seen:
2023-09-14 05:39:06 UTC
File Type:
PE (Exe)
Extracted files:
55
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:smokeloader botnet:pub1 backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Deletes itself
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SHA256 hash:
f8e33fe12c8d4ea39089e504e4071cee057a69cd4f7198b1b96d6841d73037c5
MD5 hash:
369bfea70013cbf36679b6e8edb298a5
SHA1 hash:
575e3646997d3ffa0267ac4dd989e97436ea31cf
Detections:
SmokeLoaderStage2 win_smokeloader_a2
Parent samples :
cf006190a75a8fa6faf74c6200d7d56d0bb4ed0cd140a328537d3096ecd07a32
a2260ac65c2814e6a0e7b839474a298333f2a4a7ac60af12861dcc9edf5a6019
fefa50ffd7c9e19b4c4d84e664b894c6377196942024b71ee371c466d194ee9c
581407074ab82ef32bfaaa4bd7a6bc4da38ca7c4ad8f91166c2be4325ae000f9
947fb340a672bd684a18ab7aeb7fe28cd9f2eee3c0de99c205f3a4a39aad12c0
f5b5c89e8d4e216a731c5fa57e53ebd9012c41f2d65c0c48eb45ccac021b4311
77fcb3294002ee5ecfbd36825e19d038a4d7d213734758dae1fa731bfa2b1058
4201248030180127dc4299a4dbcc6cde35beaafbefd9a25ffb3093d3e35f5dc2
2a8bad21145b4d758332588fb79ef6bcb2aa95bd7de7a2d8c0777e6f7146b115
8c8545f91021086b21437241273005f51f0d05c46a434e9dd4076d6b98aa5c76
c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1
57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329
9efbde4de467c8a82b270b40c014c4243284b016bd2788164d85012f36aed0ad
8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b
9e7c8aea93412acc8d8de3a956e8485a86caf40c626b2abd491bd5404df1bfbb
56be912ce754d75f3385dab925ee34d9a0a1e07fe841c6a2e9adafa8021c99bc
aa918d4dd7706951fc290b6a5d3ba0e48acc5443056894ee3aad1baa52f412ba
5543fd0c115a8af9e627936be64a3f0fafc187665d000954ef32da675ec76a2c
306c89756cc1899b6f76dd3e7b68dcb0b4581a152f14df79ff167f0627c85424
6ea8ce3dab88347218d50dd6b92433f9849086080ad2d31a08aad73a3fd35ff7
aa38ec70b85a9e070536db5b73e65f116023b1d414bbc517c06aae7d6a3aa942
3cbbbd55fe8f11d140207ab210179a8a783b1d6975b82107ccd9344d5454194e
02f6651a25fefd7f952cd2b2dc74c4b2155b8a96e0caf6127f0eb966b5cd9426
cd07ecda2eefa380e4145bc61de665e4685634cf155ee8e2221a01765d2a8378
83f3f206fe4cc3ce88d84364f970ed0ced22d05f418b7760eae1e6fb2178a33c
f28743ef69738184972b65c6b04cae600f1d01ace14a9c1cd1eab7224274812e
a9f3066845f3f00c34bd13812d9b2db561ec77824aa0ece2fca57f0071847d38
739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022
a76ac34a9fc8146224d737ebb15bdbf2e35acd67e274ad328fcab5b99f8a99c1
31e54f46b20976c9779d4fde6282ec9fc581b50646a802a517e827c5e7a6aebb
84a2a39c8624e70794650b0ce2c465edb00d4008e4676216e601e062ff982c08
e31e7dac8306f497a88a1c6c51677a08e5b772f38a903abf7029dc907773ccec
a9c5516972bc66b765e441a967eb97ec21c8b0b0b6d0c44180d0317d45fe378a
13f0797738f385a0330c1790cbdf50b0b245aae08345827936582b9369485b15
8a3258d8e2ddf101c043d08960fcab0dacddf2cbd49a5da71156ed2c74a7987b
875263c84abb9b3e5fbdf864f5389b7f863afe454c03f6c0d8bda8fe29db705d
SHA256 hash:
57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329
MD5 hash:
f4d73b7bcfcdc85f236054d09e6ad097
SHA1 hash:
2a7159b0a2efd5f912886bc6bc2e0d29cee577b6
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Windows_Trojan_Smokeloader_3687686f
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 57023d355566b1bff7490a5bc5c4380e013b2b4fb68152c8118be21718e53329

(this sample)

Comments