MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63147faf747e65361114c757c4052da0d852c3343818d7f5884481f4638a61a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	63147faf747e65361114c757c4052da0d852c3343818d7f5884481f4638a61a1
SHA3-384 hash:	b3b8b75403d0e6a4f9f29803bede2452b06d57ecb135c0094a45f49b38547adbce72a676739b58c4bab739f33e84cfcf
SHA1 hash:	e9101da986e04c86e8366719047da6b5dce415f6
MD5 hash:	5800efbc5dbf405a95c28c74eb9e7941
humanhash:	zebra-tango-magazine-mockingbird
File name:	file
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	282'112 bytes
First seen:	2022-10-10 18:00:00 UTC
Last seen:	2022-10-10 18:49:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ae11519a6eac288b6a17a0c03e5a652c (10 x Smoke Loader, 2 x GCleaner, 1 x DanaBot)
ssdeep	3072:oXrNE/hpyskTtEDRoq5f166xQeoLB41ARESL0gNvVKM/h3qpZa9uD6VdyhkhUuS:8ZE/h8sd6Y04RoLlhrNv8rwVfquS
Threatray	7'574 similar samples on MalwareBazaar
TLSH	T11A54CF207692CBB1C0072130882ADFE16BBDED35597889873767276E6E73390667631F
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	38b078cccacecc43 (14 x Smoke Loader, 7 x Stop, 5 x ArkeiStealer)
Reporter	andretavare5
Tags:	exe Smoke Loader

andretavare5

Sample downloaded from https://asadjung.com/upload/ChromeSetup.exe

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318614/

Detection(s):

Win.Malware.Azorult-9949206-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Creating a file in the system32 subdirectories

Creating a file

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP POST request

Sending an HTTP GET request

Reading critical registry keys

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/42334/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

greyware

Link:

https://www.filescan.io/uploads/63445da6307eeb7d7577f916/reports/802f03a0-fb66-4db3-9e60-2e8d454ede5e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8be45207-bd3b-478a-8966-b3fbfcf81ea3

Result

Threat name:

DanaBot, SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1087125

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63147faf747e65361114c757c4052da0d852c3343818d7f5884481f4638a61a1/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-10 18:00:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mmkh7l3upzstmeiuy5l4ibjnudmffqzuhamnp5miisa7iy4kmgqq._file

Verdict:

malicious

Smoke Loader

42222d4215948ab44c3fa539feb56ce78612a7365e888b1834eec81592eacb75

Smoke Loader

458f3cbc8027068a53fa01e93c5e0f2415657f4bad8143c98d3cd4b6862fb189

Smoke Loader

67ac0d1dd4b73ea5d714efb1de0b18631950b1d2aae4a3c25f007eda9f7aa7d8

Smoke Loader

a6650e8e5968e516505133725bc634c8d524c925bed6de04b068f0f25d469d2b

Smoke Loader

a6944f5e05e82adbaa5a356d3c68d1220c5c5eafa59e63fb74a1ffd01fffb9cf

Smoke Loader

a749aafd3cf83fcfe2a763e09cca6521c3176b3c78af41fecbf5406af99bcfa2

Smoke Loader

d8ee6da314f62db1d1a960275f9f70a059d631f50360f4936501ea753bb68322

Smoke Loader

+ 7'564 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:danabot family:smokeloader backdoor banker spyware stealer trojan

Link:

https://tria.ge/reports/221010-wlbhdacfh5/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies Internet Explorer settings

Modifies registry class

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Enumerates connected drives

Reads user/profile data of web browsers

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

SmokeLoader

Danabot

Detects Smokeloader packer

Malware Config

C2 Extraction:

192.236.233.188:443
192.119.70.159:443
23.106.124.171:443
213.227.155.103:443

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/63147faf747e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/63147faf747e65361114c757c4052da0d852c3343818d7f5884481f4638a61a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ICMLuaUtil_UACMe_M41 Create hunting rule
Author:	Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:	A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:	https://github.com/hfiref0x/UACME

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/318614/

URLhaus

https://urlhaus.abuse.ch/url/2308767/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample