Threat name: LummaC Stealer, PrivateLoader, PureLog S
Alert
Classification: troj.spyw.evad.mine
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behavior Graph (process tree reconstructed from the graph's nodes and edges; per node: network contacts, dropped files, matched signatures, child processes)
ID: 1356445
Sample: t0iZaKuIFB.exe
Startdate: 08/12/2023
Architecture: WINDOWS
Score: 100

t0iZaKuIFB.exe (submitted sample, root of the graph)
  network: ipinfo.io
  signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 16 other signatures
  started: t0iZaKuIFB.exe
    dropped: C:\Users\user\AppData\Local\...\gG7nW35.exe, PE32; C:\Users\user\AppData\Local\...\6nW2ca8.exe, PE32
    signatures: Binary is likely a compiled AutoIt script file
    started: gG7nW35.exe
      dropped: C:\Users\user\AppData\Local\...\TI4ji42.exe, PE32; C:\Users\user\AppData\Local\...\5ok1AV0.exe, PE32
      signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
      started: TI4ji42.exe
        dropped: C:\Users\user\AppData\Local\...\xu3MF69.exe, PE32; C:\Users\user\AppData\Local\...\4oC416uQ.exe, PE32
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
        started: xu3MF69.exe
          dropped: C:\Users\user\AppData\Local\...\3OR33jN.exe, PE32; C:\Users\user\AppData\Local\...\1eb74op8.exe, PE32
          signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
          started: 3OR33jN.exe
            signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
            injected: explorer.exe
              network: 81.19.131.34, 49715, 80 (IVC-ASRU, Russian Federation); 185.196.8.238 (SIMPLECARRER2IT, Switzerland); 185.172.128.19, 49716, 80 (NADYMSS-ASRU, Russian Federation)
              dropped: C:\Users\user\AppData\Local\Temp\F1C8.exe, PE32+; C:\Users\user\AppData\Local\TempB7.exe, PE32; C:\Users\user\AppData\Local\Temp\D7A7.exe, PE32; 5 other malicious files
              signatures: Benign windows process drops PE files; Found many strings related to Crypto-Wallets (likely being stolen)
              started: 69F5.exe
                dropped: C:\Users\user\AppData\Roaming\...\File2.exe, PE32; C:\Users\user\AppData\Roaming\...\File1.exe, PE32
                signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                started: File2.exe
                  network: 176.123.7.190 (ALEXHOSTMD, Moldova Republic of)
                  signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen)
                started: File1.exe
                  network: 176.123.10.211 (ALEXHOSTMD, Moldova Republic of)
                  signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
                started: conhost.exe
              started: 7FD1.exe
                signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
              started: 76E7.exe
                network: 77.105.132.87 (PLUSTELECOM-ASRU, Russian Federation)
                signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to steal Crypto Currency Wallets
              started: 4 other processes
          started: 1eb74op8.exe
            signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
            started: AppLaunch.exe
              network: ipinfo.io 34.117.59.81, 443, 49706, 49708 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); 193.233.132.51, 49705, 49707, 50500 (FREE-NET-ASFREEnetEU, Russian Federation)
              dropped: C:\Windows\System32\GroupPolicy\GPT.INI, ASCII; C:\...\lFzLHI2RMWUr2_cW7WECjo6WM4hyBkyB.zip, Zip; C:\Users\user\AppData\...\FANBooster131.exe, PE32; 2 other files (none is malicious)
              signatures: Tries to steal Mail credentials (via file / registry access); Found stalling execution ending in API Sleep call; Disables Windows Defender (deletes autostart); 7 other signatures
              started: schtasks.exe
                started: conhost.exe
              started: schtasks.exe
                started: conhost.exe
              started: WerFault.exe
        started: 4oC416uQ.exe
          dropped: C:\...\gJiG61vJLrLkyv6Ry1G7S5yxf9d0a3_h.zip, Zip
          signatures: Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); Disables Windows Defender (deletes autostart); 4 other signatures
  started: svchost.exe
    signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  started: svchost.exe
    signatures: Query firmware table information (likely to detect VMs)
  started: 12 other processes
    started: WerFault.exe
    started: WerFault.exe