MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57dd76c7c512afbed21d7304a66fffd89cd904c39a47d459a49aec1f5f1d5235. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57dd76c7c512afbed21d7304a66fffd89cd904c39a47d459a49aec1f5f1d5235
SHA3-384 hash: 7892b710a7c9713f0a042e07c1eef427c91aac35e80a94fbe19acf06c628df4b4b5f87b997d6c31988ff5d40f0752090
SHA1 hash: bea8ba8c44766d446e264bb6d25c9f9b5158ff78
MD5 hash: d3bcc11e32d75fec333d1857c4e0a3da
humanhash: yellow-green-spring-uranus
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:1'504'256 bytes
First seen:2023-11-03 11:47:46 UTC
Last seen:2023-11-05 15:30:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:nbm+AIHqd5yIfvDkTlAKot2+c3t7JVpfjfWZnHbyBrN1Rd9rmRve2GViRXUmFX:bm+Aoqd5yMvDkTlAKoty3t7/Fjs+BrvK
Threatray 2 similar samples on MalwareBazaar
TLSH T1EA65BDD1B0AF956AD4DDF03D89D8669760333EF21602F2778844BD9BF61CA8349C16B2
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from http://171.22.28.221/files/Ads.exe

Intelligence

File Origin
# of uploads :
21
# of downloads :
334
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458011/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22010.15514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Launching the process to interact with network services
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6544de0300fc3ea8b7571e32/reports/5414f701-0511-4aac-b2c0-b10d62186b43/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/57dd76c7c512afbed21d7304a66fffd89cd904c39a47d459a49aec1f5f1d5235
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36b3166b-7640-44d8-bbec-0c6b187d26d6
Result
Threat name:
Glupteba, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336617
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain checking for user administrative privileges
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1336617 Sample: file.exe Startdate: 03/11/2023 Architecture: WINDOWS Score: 100 137 Found malware configuration 2->137 139 Malicious sample detected (through community Yara rule) 2->139 141 Antivirus detection for URL or domain 2->141 143 11 other signatures 2->143 11 file.exe 2 4 2->11         started        14 svchost.exe 1 1 2->14         started        process3 dnsIp4 159 Writes to foreign memory regions 11->159 161 Allocates memory in foreign processes 11->161 163 Adds a directory exclusion to Windows Defender 11->163 165 2 other signatures 11->165 17 AddInProcess32.exe 15 408 11->17         started        22 powershell.exe 21 11->22         started        24 CasPol.exe 11->24         started        133 23.41.168.93 ZAYO-6461US United States 14->133 135 127.0.0.1 unknown unknown 14->135 signatures5 process6 dnsIp7 121 107.167.110.211 OPERASOFTWAREUS United States 17->121 123 148.251.234.93 HETZNER-ASDE Germany 17->123 125 10 other IPs or domains 17->125 73 C:\Users\...\zfdbNV2VVfK4rit3UF9e3v86.exe, PE32 17->73 dropped 75 C:\Users\...\x3Q8hoBY1St3vwZtlxQrmWFe.exe, PE32 17->75 dropped 77 C:\Users\...\vQvEyaI97YDoRU0Se8lghXeg.exe, PE32 17->77 dropped 79 223 other malicious files 17->79 dropped 145 Drops script or batch files to the startup folder 17->145 147 Creates HTML files with .exe extension (expired dropper behavior) 17->147 149 Writes many files with high entropy 17->149 26 x3Q8hoBY1St3vwZtlxQrmWFe.exe 17->26         started        29 HtDRKrk0cepUodxFpOLPDOG8.exe 17->29         started        31 ixgIsHp3CfRLazMGmdXKJXML.exe 17->31         started        35 15 other processes 17->35 33 conhost.exe 22->33         started        file8 signatures9 process10 dnsIp11 107 C:\Users\user\AppData\Local\...\is-TH1DM.tmp, PE32 26->107 dropped 39 is-TH1DM.tmp 26->39         started        109 C:\Users\user\AppData\Local\...\is-BQOAD.tmp, PE32 29->109 dropped 42 is-BQOAD.tmp 29->42         started        111 C:\Users\user\AppData\Local\...\is-VCHBE.tmp, PE32 31->111 dropped 44 is-VCHBE.tmp 31->44         started        127 107.167.110.216 OPERASOFTWAREUS United States 35->127 129 107.167.110.218 OPERASOFTWAREUS United States 35->129 131 5 other IPs or domains 35->131 113 C:\Users\user\AppData\Local\Temp\...\Zip.dll, PE32 35->113 dropped 115 C:\Users\user\AppData\Local\...\Checker.dll, PE32 35->115 dropped 117 Opera_installer_2311031241179576900.dll, PE32 35->117 dropped 119 25 other malicious files 35->119 dropped 151 Detected unpacking (changes PE section rights) 35->151 153 Detected unpacking (overwrites its own PE header) 35->153 155 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->155 157 7 other signatures 35->157 46 zfdbNV2VVfK4rit3UF9e3v86.exe 35->46         started        49 8QzzCBXEhgqKiteqpsejYGmB.exe 35->49         started        51 8QzzCBXEhgqKiteqpsejYGmB.exe 35->51         started        53 4 other processes 35->53 file12 signatures13 process14 file15 91 30 other files (29 malicious) 39->91 dropped 55 ABuster.exe 39->55         started        58 net.exe 39->58         started        81 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->81 dropped 83 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 42->83 dropped 85 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 42->85 dropped 93 26 other files (25 malicious) 42->93 dropped 95 29 other files (28 malicious) 44->95 dropped 173 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 46->173 175 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->175 177 Maps a DLL or memory area into another process 46->177 179 2 other signatures 46->179 60 explorer.exe 46->60 injected 87 Opera_installer_2311031241056132936.dll, PE32 49->87 dropped 63 8QzzCBXEhgqKiteqpsejYGmB.exe 49->63         started        89 Opera_installer_2311031241008968016.dll, PE32 51->89 dropped 97 3 other malicious files 53->97 dropped signatures16 process17 file18 99 C:\ProgramData\...\Video Fetcher.exe, PE32 55->99 dropped 65 conhost.exe 58->65         started        101 C:\Users\user\AppData\Roaming\bddhubj, PE32 60->101 dropped 103 C:\Users\user\AppData\Local\Temp\5170.exe, PE32 60->103 dropped 167 Benign windows process drops PE files 60->167 169 Writes to foreign memory regions 60->169 171 Allocates memory in foreign processes 60->171 67 cmd.exe 60->67         started        105 Opera_installer_2311031241074807448.dll, PE32 63->105 dropped signatures19 process20 process21 69 conhost.exe 67->69         started        71 YnIjp1KnqqKk0BZYuGGulgxm.exe 67->71         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/57dd76c7c512afbed21d7304a66fffd89cd904c39a47d459a49aec1f5f1d5235
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57dd76c7c512afbed21d7304a66fffd89cd904c39a47d459a49aec1f5f1d5235/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-03 11:37:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7oxnr6fckx35uq5omckm3773consbgdtjd5iwnetlwb6xy5ki2q._file
Verdict:
unknown
Similar samples:
c77aeea8df56c68cf64ac5486a0d5774a1bd8dc6f94e3fa8ae447ff78ec12ace
Smoke Loader
fc0648345e4be061ff4ec08d72c7210afa00a8ff3c490dd0e4f023474e87bef9
Smoke Loader
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:glupteba family:smokeloader botnet:pub1 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/231103-nye3bsca25/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
DcRat
Glupteba
Glupteba payload
SmokeLoader
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
8a76e936232baf3b966f0b593b21b5976cedcc4f24311fa8731ad776efc335d0
MD5 hash:
ce5ba2fa46b1fc2c1c7759909dbee19e
SHA1 hash:
9869362674a833c586dce07762b7f67f3a1c9185
Link:
https://www.unpac.me/results/46c582f4-9514-4d5e-b5a6-cceadba3c629/
SH256 hash:
57dd76c7c512afbed21d7304a66fffd89cd904c39a47d459a49aec1f5f1d5235
MD5 hash:
d3bcc11e32d75fec333d1857c4e0a3da
SHA1 hash:
bea8ba8c44766d446e264bb6d25c9f9b5158ff78
Link:
https://www.unpac.me/results/46c582f4-9514-4d5e-b5a6-cceadba3c629/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/57dd76c7c512/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57dd76c7c512afbed21d7304a66fffd89cd904c39a47d459a49aec1f5f1d5235

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2721934/
Cape
Cape
https://www.capesandbox.com/analysis/458011/

Comments