MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65fce57c145f3f982b0b6d7e33f181b5eb922c72c12526be8c18942dd62bdb42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 16


SHA256 hash: 65fce57c145f3f982b0b6d7e33f181b5eb922c72c12526be8c18942dd62bdb42
SHA3-384 hash: 741dff1d0ed6a48b988fef4f99ade174efd1f915936b0f3dca5623b69873e2be64dd87b8d9e7ad05198d640357b7370c
SHA1 hash: cf26804c74b1b4f569a484afed21418ca7c7b2d4
MD5 hash: 7b2279ba77e21c9397c39f0e44d3b6aa
humanhash: vermont-sierra-hawaii-floor
File name: 7b2279ba77e21c9397c39f0e44d3b6aa.exe
Signature: Smoke Loader
File size: 265'216 bytes
First seen: 2024-02-29 09:57:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a24ea59447df74f26ce8c1567f650e9c (4 x Smoke Loader, 1 x Stealc, 1 x Socks5Systemz)
ssdeep: 3072:lfXIlpfiFAx9zO5hB0TmvCtA3NKeUL9e0mWYgx/pV6XfWg55FLT+yx:lxFALYhuT84A9JURe3gVaOwFLT
Threatray: 2'322 similar samples on MalwareBazaar
TLSH: T12344CF2236D2D0B2E85B41318864FAF46A7BFCB39667C25B33642F7F1E316916726311
TrID: 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.1% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 28a888c0a088c450 (1 x Smoke Loader)
Reporter: abuse_ch
Tags: exe Smoke Loader
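The imphash line above is a pivot, not a verdict: the same value is shared by four Smoke Loader samples, one Stealc and one Socks5Systemz, which is what you expect when unrelated payloads are wrapped by the same packer stub. The following added example (not MalwareBazaar's code) reproduces the imphash normalisation that pefile applies, following Mandiant's original definition, and shows why a shared stub gives a shared hash. The import tables, the ws2_32 ordinal subset and the sample labels are constructed for illustration; the page does not list the real import table of this sample, so the hashes produced here will not equal a24ea59447df74f26ce8c1567f650e9c.

```python
"""Compute a PE import hash (imphash) and cluster samples by it.

Added example: this is not MalwareBazaar's code. It reproduces the imphash
normalisation that pefile (after Mandiant's original) applies: take each
imported function in import-table order, lower-case "dll.function" with the
.dll/.ocx/.sys extension removed, join with commas, MD5 the string. The
import tables below are constructed for illustration; this page does not
list the sample's real import table.
"""
import hashlib

# Subset of the ws2_32/wsock32 ordinal-to-name table used for imports by
# ordinal (the full table has many more entries; unknown ordinals become ordN).
WS2_32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 13: "listen",
    16: "recv", 19: "send", 23: "socket", 115: "WSAStartup", 116: "WSACleanup",
}
ORDINAL_TABLES = {"ws2_32": WS2_32_ORDINALS, "wsock32": WS2_32_ORDINALS}
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalise_dll(name: str) -> str:
    """Lower-case the DLL name and drop only a .dll/.ocx/.sys extension."""
    name = name.lower()
    base, _, ext = name.rpartition(".")
    return base if base and ext in STRIPPED_EXTENSIONS else name


def import_strings(imports):
    """imports: sequence of (dll, function_name_or_None, ordinal_or_None)
    in the order they appear in the import directory; order matters."""
    out = []
    for dll, func, ordinal in imports:
        lib = normalise_dll(dll)
        if func is None:  # imported by ordinal
            func = ORDINAL_TABLES.get(lib, {}).get(ordinal, f"ord{ordinal}")
        out.append(f"{lib}.{func.lower()}")
    return out


def imphash(imports) -> str:
    return hashlib.md5(",".join(import_strings(imports)).encode()).hexdigest()


def cluster_by_imphash(samples):
    """samples: {label: import_table}. Groups labels sharing an imphash, which
    is the pivot behind the '(4 x Smoke Loader, 1 x Stealc, ...)' note."""
    groups = {}
    for label, table in samples.items():
        groups.setdefault(imphash(table), []).append(label)
    return groups


# Constructed import table of a small loader stub. A packer stub only needs a
# few APIs to map and run its payload, so every payload wrapped by the same
# stub shares this table and therefore this imphash.
STUB_IMPORTS = [
    ("KERNEL32.DLL", "LoadLibraryA", None),
    ("KERNEL32.DLL", "GetProcAddress", None),
    ("KERNEL32.DLL", "VirtualAlloc", None),
    ("USER32.dll", "MessageBoxA", None),
    ("WS2_32.dll", None, 23),  # by ordinal: resolves to ws2_32.socket
]
# Same functions, different order: a different hash, which is why imphash
# is a packer/build fingerprint rather than a capability fingerprint.
REORDERED_IMPORTS = STUB_IMPORTS[1:] + STUB_IMPORTS[:1]

SAMPLES = {
    "payload-A": STUB_IMPORTS,
    "payload-B": list(STUB_IMPORTS),
    "other-build": REORDERED_IMPORTS,
}

if __name__ == "__main__":
    print(",".join(import_strings(STUB_IMPORTS)))
    for digest, labels in cluster_by_imphash(SAMPLES).items():
        print(digest, "->", labels)
```

Because the hash covers only DLL and function names in import order, repacking with the same stub keeps it stable across families, and a trivial reordering breaks it; treat an imphash cluster as "same builder or packer", then confirm family with the YARA and sandbox results further down.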

Intelligence


File Origin
# of uploads: 1
# of downloads: 366
Origin country: NL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: b5724d1ea8d2a379e0989ab74ab7719ed93d94dee8638b3dc31e53569cc36107.exe
Verdict: Malicious activity
Analysis date: 2024-02-27 21:35:49 UTC
Tags: loader smoke smokeloader stealer stealc evasion trojan glupteba

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Meduza Stealer, SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Ping/Del Command Combination
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LummaC Stealer
Yara detected Meduza Stealer
Yara detected SmokeLoader
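Three of the signatures above describe one idiom: "Uses ping.exe to sleep", "Sigma detected: Suspicious Ping/Del Command Combination" and "Deletes itself after installation". A dropper spawns cmd.exe, pings loopback with -n <count> to stall for a few seconds while its own handle closes, then runs del on its own file. The added example below (not MalwareBazaar's code and not the vendor's Sigma rule) implements that detection over Sysmon-style process-creation events, splitting the command line on cmd.exe separators so that a loopback ping in one segment and a del in a later one are tied together, and flagging the self-delete variant when the deleted file is the parent image. The events are constructed, not taken from this sample's sandbox run; the Temp\6AB.exe path is borrowed from the dropped-file list on this page only as a realistic stand-in.

```python
"""Flag the 'ping to sleep, then del' self-removal idiom in process events.

Added example: this is not MalwareBazaar's code and not the vendor's Sigma
rule. It implements the idea behind the 'Suspicious Ping/Del Command
Combination', 'Uses ping.exe to sleep' and 'Deletes itself after installation'
signatures: a cmd.exe command line that stalls with ping against loopback
(-n <count>) and then deletes a file in a later command segment, often the
process that spawned cmd.exe. The events below are constructed, not taken
from the sample's sandbox run; the Temp\\6AB.exe path is borrowed from the
page's dropped-file list only as a realistic stand-in.
"""
import re

# cmd.exe command separators. Simplification: quoting and 2>&1 redirects are
# not modelled, so a quoted path containing '&' or spaces would be split.
SEPARATOR = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
LOOPBACK = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}


def basename(token: str) -> str:
    return token.strip('"').lower().rsplit("\\", 1)[-1]


def strip_cmd_prefix(tokens):
    """Drop a leading 'cmd.exe /c' or '/k' so the actual commands are analysed."""
    if tokens and basename(tokens[0]) in ("cmd", "cmd.exe"):
        for i, tok in enumerate(tokens):
            if tok.lower() in ("/c", "/k"):
                return tokens[i + 1:]
        return []  # interactive cmd with no inline command
    return tokens


def analyse_command_line(cmdline: str):
    """Return (ping_sleep, deleted). ping_sleep is the -n count when ping
    targets loopback (the sleep idiom; Windows defaults to 4 echoes), else
    None. deleted lists the file arguments of any del/erase segment."""
    ping_sleep, deleted = None, []
    for segment in SEPARATOR.split(cmdline):
        tokens = strip_cmd_prefix(segment.split())
        if not tokens:
            continue
        exe, args = basename(tokens[0]), tokens[1:]
        if exe in ("ping", "ping.exe"):
            targets = {a.strip('"').lower() for a in args if not a.startswith(("-", ">"))}
            if targets & LOOPBACK:
                count = re.search(r"-n\s+(\d+)", segment, re.IGNORECASE)
                ping_sleep = int(count.group(1)) if count else 4
        elif exe in ("del", "erase"):
            deleted.extend(a.strip('"') for a in args if not a.startswith("/"))
    return ping_sleep, deleted


def detect(events):
    """events: dicts with 'image', 'parent_image', 'command_line' (Sysmon
    event 1 style). One finding per cmd.exe event combining both behaviours."""
    findings = []
    for ev in events:
        if basename(ev["image"]) not in ("cmd", "cmd.exe"):
            continue
        ping_sleep, deleted = analyse_command_line(ev["command_line"])
        if ping_sleep is None or not deleted:
            continue
        parent = basename(ev["parent_image"])
        findings.append({
            "command_line": ev["command_line"],
            "ping_count": ping_sleep,
            "deleted": deleted,
            # the 'deletes itself' variant: the file removed is the parent image
            "self_delete": any(basename(p) == parent for p in deleted),
        })
    return findings


# Constructed process-creation events (not from the sample's sandbox run).
EVENTS = [
    {"image": r"C:\Windows\System32\PING.EXE", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "ping -n 4 fileserver01"},  # plain reachability check
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\user\AppData\Local\Temp\6AB.exe",
     "command_line": r'C:\Windows\System32\cmd.exe /c ping -n 5 127.0.0.1 & del "C:\Users\user\AppData\Local\Temp\6AB.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c del /q C:\temp\*.log"},  # del without a stall
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd /c ping 127.0.0.1 -n 2 > nul && del /f C:\Users\user\setup.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c ping -n 1 fileserver01 && del C:\temp\old.log"},  # ping as a probe, not a sleep
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Only the second and fourth events fire: a ping against a real host followed by a del (fifth event) is an administrator's reachability check, which is why the vendor lists "Uses ping.exe to check the status of other devices and networks" as a separate, weaker signature, and a del with no stall (third event) is ordinary cleanup. Requiring the loopback target keeps the rule tight; the self_delete flag is what turns a suspicious command line into the "deletes itself after installation" behaviour reported above.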
Behaviour
Behavior Graph ID: 1400818 | Sample: O50eNzuKlB.exe | Start date: 29/02/2024 | Architecture: WINDOWS | Score: 100

Top-level network: swallowpractocaowlp.shop; landscapearchitect.com; 3 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 10 other signatures

Process tree (node numbers are the graph's own):
10 O50eNzuKlB.exe (started)
   Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process
   -> 17 explorer.exe (injected)
13 cfgftbu (started)
   Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
15 cfgftbu (started)
   Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
17 explorer.exe (injected by 10)
   Network: kamsmad.com 189.232.56.10 (ports 49707, 49708, 49709) UninetSAdeCVMX, Mexico; landscapearchitect.com 170.249.220.42 (ports 443, 49715) PRIVATESYSTEMSUS, United States; 2 other IPs or domains
   Dropped: C:\Users\user\AppData\Roaming\cfgftbu (PE32); C:\Users\user\AppData\Local\Temp\6AB.exe (PE32+); C:\Users\user\AppData\Local\Temp\5E70.exe (PE32); C:\Users\user\...\cfgftbu:Zone.Identifier (ASCII)
   Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
   -> 22 5E70.exe (started); -> 26 6AB.exe (started)
22 5E70.exe
   Network: swallowpractocaowlp.shop 104.21.69.179 CLOUDFLARENETUS, United States
   Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); 5 other signatures
26 6AB.exe
   Network: 89.185.85.207 (ports 15666, 49717) OLIMP-SVYAZ-ASRU, Russian Federation; api.ipify.org 104.26.12.205 (ports 443, 49718) CLOUDFLARENETUS, United States
   Signatures: Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
   -> 28 cmd.exe (started)
28 cmd.exe
   Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
   -> 31 conhost.exe (started); -> 33 PING.EXE (started)
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2024-02-28 00:22:23 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader botnet:pub1 backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Deletes itself
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://kamsmad.com/tmp/index.php
http://souzhensil.ru/tmp/index.php
http://teplokub.com.ua/tmp/index.php
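The C2 Extraction field is the part of this entry a defender can act on directly. Note that all three URLs share the path /tmp/index.php and differ only in host, so a detection keyed on the full URL string misses a sibling panel on a host not yet extracted, while a detection keyed on the host alone misses nothing here but learns nothing new. The added example below (not MalwareBazaar's code) splits the three C2 URLs from this page into host and path indicators and runs both against constructed Zeek-style http and dns records, grading a known-host match as a firm hit and a POST to the shared path on an unknown host as a weaker hunting lead. The log lines, client addresses in 10.0.0.0/8 and the non-C2 hostnames are constructed for illustration; 189.232.56.10 is reused from the behaviour graph above, where it is the address resolved for kamsmad.com.

```python
"""Match the C2 URLs above against network logs by host and by URI path.

Added example: this is not MalwareBazaar's code. C2_URLS are the three URLs
from the 'C2 Extraction' field on this page; everything else (the Zeek-style
dns and http records, the client IPs in 10.0.0.0/8 and the non-C2 hosts) is
constructed for illustration. On this page all three C2 hosts share the
path /tmp/index.php, so hunting on 'POST to that path' can surface a host
not yet on a blocklist, at the cost of false positives from any PHP site
that happens to use the same path.
"""
from urllib.parse import urlsplit

C2_URLS = [
    "http://kamsmad.com/tmp/index.php",
    "http://souzhensil.ru/tmp/index.php",
    "http://teplokub.com.ua/tmp/index.php",
]

# Constructed records, tab-separated: ts, src, dst, host, method, uri, status.
# 189.232.56.10 is the address the behaviour graph resolved for kamsmad.com;
# the other server addresses are documentation ranges.
HTTP_LOG = (
    "1709200001\t10.0.0.5\t189.232.56.10\tkamsmad.com\tPOST\t/tmp/index.php\t200\n"
    "1709200002\t10.0.0.5\t203.0.113.10\twww.example.com\tGET\t/index.html\t200\n"
    "1709200003\t10.0.0.7\t203.0.113.9\tupdates.example.net\tPOST\t/tmp/index.php\t404\n"
    "1709200004\t10.0.0.9\t198.51.100.4\tTEPLOKUB.COM.UA\tPOST\t/tmp/index.php\t200\n"
)
# Constructed DNS records: ts, src, query (resolver logs often keep the trailing dot).
DNS_LOG = (
    "1709200000\t10.0.0.5\tkamsmad.com\n"
    "1709200005\t10.0.0.12\tsouzhensil.ru.\n"
    "1709200006\t10.0.0.12\tmail.example.org\n"
)


def indicators(urls):
    """Split C2 URLs into a host set and a path set so each can be matched alone."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths


def match_http(log_text, urls):
    """Return (src, host, reason) for each HTTP record that hits an indicator.
    A known host is a firm hit; a POST to a C2 path on an unknown host is a
    weaker, hunt-grade lead and is labelled as such."""
    hosts, paths = indicators(urls)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _dst, host, method, uri, _status = line.split("\t")
        host = host.lower().rstrip(".")
        if host in hosts:
            hits.append((src, host, "known-c2-host"))
        elif method == "POST" and uri in paths:
            hits.append((src, host, "c2-path-pattern"))
    return hits


def match_dns(log_text, urls):
    """Return (src, query) for DNS queries of a known C2 host (trailing dot tolerated)."""
    hosts, _ = indicators(urls)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, query = line.split("\t")
        if query.lower().rstrip(".") in hosts:
            hits.append((src, query.rstrip(".")))
    return hits


if __name__ == "__main__":
    for hit in match_http(HTTP_LOG, C2_URLS):
        print("http", *hit)
    for hit in match_dns(DNS_LOG, C2_URLS):
        print("dns ", *hit)
```

Normalising case and the trailing dot before comparison matters in practice: resolver logs and proxy logs disagree on both, and an exact-string blocklist silently misses the teplokub.com.ua and souzhensil.ru records above. Keep the path-only match as a lead to triage, not an alert that pages anyone.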
Unpacked files
SHA256 hash: f4c59ad4a0f8adcd251559374b3ce4f94a40499211a1dddaaebc797c43d8de08
MD5 hash: ffb31c421b4b9b6cc063733cf2e934b1
SHA1 hash: f8f7af57d1772dd0af829ba91fb8e4feb12dfe21
Detections: SmokeLoaderStage2 win_smokeloader_a2
SHA256 hash: 65fce57c145f3f982b0b6d7e33f181b5eb922c72c12526be8c18942dd62bdb42
MD5 hash: 7b2279ba77e21c9397c39f0e44d3b6aa
SHA1 hash: cf26804c74b1b4f569a484afed21418ca7c7b2d4
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Smoke Loader | Executable exe 65fce57c145f3f982b0b6d7e33f181b5eb922c72c12526be8c18942dd62bdb42 (this sample)

Delivery method: Distributed via web download

Comments