MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c0704fd309cc608f7854ae9586c75d599a61e42bf4f25c17ceed5b46589fa18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c0704fd309cc608f7854ae9586c75d599a61e42bf4f25c17ceed5b46589fa18
SHA3-384 hash: 5cea8e36ebdbee919766c531e3ab10b61813181434354c782d4c91365b0c54c364ad82dbc9d91e8b049a5d620ae63bb4
SHA1 hash: 26f133bf6f6a0ed1b5d2fd7e7328928ad87f0b1a
MD5 hash: ab18999904c8e10934d6df549599bef0
humanhash: saturn-finch-lemon-yellow
File name:Setup.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:206'848 bytes
First seen:2022-11-16 08:51:32 UTC
Last seen:2022-11-16 11:01:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 3072:h/Ntxg/BAC4/ZeW+wL/fhiy3cdOq6tPlJXhxW0nCIjtpqePvVw7+B+FmT4S/bwsK:h/Nt0WwWFLfFzXbu51
Threatray 14'275 similar samples on MalwareBazaar
TLSH T1BF144241B194EC9BD44729F29CAFD52021656B9E8178C60E3297BE2B54F335230AFF4E
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9282a88e8eaab692 (4 x RedLineStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-11-16 08:54:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bcf64452-ebc4-46e3-9b65-79e9f2c0c493

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334706/
Detection(s):
SecuriteInfo.com.Variant.Strictor.276485.28229.29042.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6374a4b44cfa4744015c634b/reports/00e3bfb7-2459-4ac3-8eb0-8de6aca7d13b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a49efa5-43bf-405c-97b5-7402556ed89e
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114647
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Command shell drops VBS files
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Potential malicious VBS script found (suspicious strings)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 747343 Sample: Setup.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 71 humman.art 2->71 73 youtube-ui.l.google.com 2->73 75 www.youtube.com 2->75 83 Snort IDS alert for network traffic 2->83 85 Multi AV Scanner detection for domain / URL 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 5 other signatures 2->89 13 Setup.exe 15 4 2->13         started        18 jfjfaju 14 2 2->18         started        signatures3 process4 dnsIp5 81 91.213.50.70, 49695, 49700, 80 ASBAXETNRU unknown 13->81 69 C:\Users\user\AppData\Local\...\Setup.exe.log, ASCII 13->69 dropped 117 Encrypted powershell cmdline option found 13->117 119 Injects a PE file into a foreign processes 13->119 20 Setup.exe 13->20         started        23 powershell.exe 16 13->23         started        25 Setup.exe 13->25         started        121 Machine Learning detection for dropped file 18->121 file6 signatures7 process8 signatures9 99 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->99 101 Maps a DLL or memory area into another process 20->101 103 Checks if the current machine is a virtual machine (disk enumeration) 20->103 105 Creates a thread in another existing process (thread injection) 20->105 27 explorer.exe 7 20->27 injected 32 conhost.exe 23->32         started        process10 dnsIp11 77 humman.art 104.21.35.215, 443, 49696, 49697 CLOUDFLARENETUS United States 27->77 79 172.67.179.230, 443, 49698 CLOUDFLARENETUS United States 27->79 63 C:\Users\user\AppData\Roaming\jfjfaju, PE32 27->63 dropped 65 C:\Users\user\AppData\Local\Temp\F335.exe, PE32+ 27->65 dropped 67 C:\Users\user\...\jfjfaju:Zone.Identifier, ASCII 27->67 dropped 107 System process connects to network (likely due to code injection or exploit) 27->107 109 Benign windows process drops PE files 27->109 111 Deletes itself after installation 27->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->113 34 cmd.exe 2 27->34         started        38 F335.exe 27->38         started        file12 signatures13 process14 file15 61 C:\Users\user\AppData\...\OEgetPriv_DE83.vbs, ASCII 34->61 dropped 91 Potential malicious VBS script found (suspicious strings) 34->91 93 Command shell drops VBS files 34->93 95 Uses cmd line tools excessively to alter registry or file data 34->95 40 wscript.exe 1 34->40         started        42 net.exe 1 34->42         started        44 conhost.exe 34->44         started        97 Multi AV Scanner detection for dropped file 38->97 signatures16 process17 process18 46 cmd.exe 40->46         started        49 net1.exe 1 42->49         started        signatures19 115 Uses cmd line tools excessively to alter registry or file data 46->115 51 net.exe 46->51         started        53 conhost.exe 46->53         started        55 taskkill.exe 46->55         started        57 3 other processes 46->57 process20 process21 59 net1.exe 51->59         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c0704fd309cc608f7854ae9586c75d599a61e42bf4f25c17ceed5b46589fa18/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 08:52:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqdqj7jqttdar54fjluvq3dv2wm2mhscx5hslql453k3izmj7ima._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1fae0b98796b9393c5dd5345c7f955514feb8ac99b5a3d1fb76021bb1fd5f820
Smoke Loader
294652ca69f6213d7a484ac6de153fd66579c4524d8a11ce4c0e3497df10c9db
Smoke Loader
4b6d9156081ce2b9cc4818f5b03e347c0965f874929f03e427c0407a51f12eb3
Smoke Loader
4f838e78d6ee90470bf23ff8755cf8d81ed281f314bda8a901329a1a08f72b30
Smoke Loader
566525c61d64c378c99f59da573aa7712061bad58bbda3fb6b58842184e88f3a
Smoke Loader
74303c653348f467f012988cee77e18901a0118b000b89ace9b77911380c84f4
Smoke Loader
a17ab1cf1bf7e5d54d6eb7939b1c9db98829e16d3aa5e5b53aa2474e8ac04484
Smoke Loader
c41eea0a015a5afee0dc820e3ed1e4ef0e471bcb6cc25ef1594bb849e26e13e0
Smoke Loader
d6f0bf654937a0f7fbbeb220469299078f524e7fee425cb535a880bdd7b11909
Smoke Loader
+ 14'265 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader backdoor infostealer ransomware spyware stealer trojan
Link:
https://tria.ge/reports/221116-ksqebshh46/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
95.217.98.127:4275
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/abd31203-f7e9-4c64-8587-50579eb9ffe9
Unpacked files
SH256 hash:
5c0704fd309cc608f7854ae9586c75d599a61e42bf4f25c17ceed5b46589fa18
MD5 hash:
ab18999904c8e10934d6df549599bef0
SHA1 hash:
26f133bf6f6a0ed1b5d2fd7e7328928ad87f0b1a
Link:
https://www.unpac.me/results/98e35d27-364a-4ba0-9275-c5b0958bb0e1/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5c0704fd309c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c0704fd309cc608f7854ae9586c75d599a61e42bf4f25c17ceed5b46589fa18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/334706/

Comments