MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 16


SHA256 hash: 70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade
SHA3-384 hash: 1348718756e203227d811abaf75136dae41cf1a4dce5c5f51e8c0e0a3f06dfaa1cc2f2f202cfefcbe2f13752bb10e6ce
SHA1 hash: d651b9cf8a717609656f13183ac1c9128e5c9105
MD5 hash: 534e8c1d3d71f8736793b80048c3dbdd
humanhash: blossom-harry-maryland-oven
File name: 534e8c1d3d71f8736793b80048c3dbdd.exe
Signature: Smoke Loader
File size: 1'983'488 bytes
First seen: 2023-10-11 19:31:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:eGgZShKmrSYSvcrWgzZTqZ8u+gJHE3nY0AdxPQaXm7sqUF0MU8GO0bb:ee+eWghqbEGdxPRWQqy0MU8GPb
Threatray: 27 similar samples on MalwareBazaar
TLSH: T16295F703BA4789B1CD49573AE69B0C3423ACD5817713F61A798A235918437BE6A4FF0F
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe Smoke Loader

Intelligence

File Origin
# of uploads: 1
# of downloads: 283
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 534e8c1d3d71f8736793b80048c3dbdd.exe
Verdict: Malicious activity
Analysis date: 2023-10-11 19:52:58 UTC
Tags: rhadamanthys stealer loader smoke

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Sending an HTTP GET request
Reading critical registry keys
Searching for the window
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Stealing user critical data

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DarkTortilla, Phobos, RHADAMANTHYS, Smok
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DarkTortilla Crypter
Yara detected Phobos
Yara detected RHADAMANTHYS Stealer
Yara detected SmokeLoader
Yara detected SystemBC
Behaviour
Behavior Graph (ID 1324083; sample Z8B3qXUXHu.exe; start date 11/10/2023; architecture WINDOWS; score 100), rebuilt as a process tree from the flattened graph export (node numbers in parentheses):

Z8B3qXUXHu.exe (2, root)
    DNS/IP: xemtex534.xyz; servermlogs27.xyz; 6 other IPs or domains
    Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
    -> Z8B3qXUXHu.exe (15)
        Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign processes
        -> Z8B3qXUXHu.exe (20)
            DNS/IP: amxt25.xyz 45.131.66.61, ports 49701, 49707, 49708, LOVESERVERSGB Germany
            -> certreq.exe (30)
                Dropped: C:\Users\user\AppData\Local\...\MXoUK%z9].exe (PE32); C:\Users\user\AppData\Local\...\LQT.exe (PE32)
                Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
                -> MXoUK%z9].exe (36)
                    Signatures: Machine Learning detection for dropped file
                    -> MXoUK%z9].exe (43)
                        Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
                        -> explorer.exe (54, injected)
                            DNS/IP: servermlogs27.xyz 45.131.66.120, ports 49710, 49724, 49725, LOVESERVERSGB Germany; xemtex534.xyz 45.131.66.222, ports 49711, 80, LOVESERVERSGB Germany; 5 other IPs or domains
                            Dropped: C:\Users\user\AppData\Roaming\hvhurat (PE32); C:\Users\user\AppData\Local\Temp\88CB.exe (PE32); C:\Users\user\AppData\Local\Temp\8280.exe (PE32)
                            Signatures: Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier)
                            -> 88CB.exe (59)
                                Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                            -> 8280.exe (62)
                                Signatures: Found evasive API chain (may stop execution after checking locale)
                                -> 8280.exe (64)
                                    Dropped: C:\Users\user\AppData\Local\8280.exe (PE32)
                                    -> 8280.exe (67)
                                        -> 8280.exe (69)
                -> LQT.exe (39)
                    Signatures: Antivirus detection for dropped file
                    -> LQT.exe (46); LQT.exe (48); LQT.exe (50); 7 other processes (52)
                -> conhost.exe (41)
        -> MpCmdRun.exe (23)
            -> conhost.exe (34)
        -> Z8B3qXUXHu.exe (25)
    -> hvhurat (18)
        Signatures: Machine Learning detection for dropped file
        -> hvhurat (27)
            Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2023-10-10 23:49:36 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 19 of 36 (52.78%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:ammyyadmin family:flawedammyy family:phobos family:rhadamanthys family:smokeloader backdoor bootkit collection evasion persistence ransomware rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Interacts with shadow copies
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops desktop.ini file(s)
Writes to the Master Boot Record (MBR)
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Deletes backup catalog
Downloads MZ/PE file
Modifies Windows Firewall
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (86) files with added filename extension
Renames multiple (91) files with added filename extension
Ammyy Admin
AmmyyAdmin payload
Detect rhadamanthys stealer shellcode
FlawedAmmyy RAT
Phobos
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://servermlogs27.xyz/statweb255/
http://servmblog45.xyz/statweb255/
http://demblog575.xyz/statweb255/
http://admlogs85x.xyz/statweb255/
http://blogmstat389.xyz/statweb255/
http://blogmstat255.xyz/statweb255/
Unpacked files

SHA256 hash: 1dec84cd310cff478836aed1cd1e97289615185a88cd3d7c96e2086fd46c41fe
MD5 hash: 407bf1c4790a58fed9062affe02fdb94
SHA1 hash: ec62e82b37fd465a69fdc81de340dbc47a28a669

SHA256 hash: c162ee08421362f9c11db881b2df000d2a49db6aef7f1b232a39fd06f6312dc9
MD5 hash: a73566f8961f183191719f16899e5946
SHA1 hash: b95c8e40625c876cf89f4147babd8ca3825ec13d

SHA256 hash: 81a81e2130d99e22630fdb30f6637f95b0a896ab996f24a312c2edd862dc4d38
MD5 hash: c8f84c0e39916d7bf839f9296e04ed9b
SHA1 hash: 0e877b7a25499829527e26f263feadcdd7424a82
Detections: RhadamanthysLoader win_brute_ratel_c4_w0

SHA256 hash: 6c49071f4db9129ed886fffc840950db851adc8b2c9151ee2791182d2ea56fdf
MD5 hash: 08c689aa43382970bf3e47675028d752
SHA1 hash: 0a0c277a569e50b5b93756e1b5860c44a8bd8243

SHA256 hash: 70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade
MD5 hash: 534e8c1d3d71f8736793b80048c3dbdd
SHA1 hash: d651b9cf8a717609656f13183ac1c9128e5c9105
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BruteSyscallHashes
Author: Embee_Research @ Huntress

Rule name: Check_OutputDebugStringA_iat

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_bruteratel_syscall_hashes_oct_2022
Author: Embee_Research @ Huntress
Description: Detection of Brute Ratel Badger via api hashes of Nt* functions.

Rule name: win_brute_ratel_c4_w0
Author: Embee_Research @ Huntress

Rule name: win_Brute_Syscall_Hashes
Author: Embee_Research @ Huntress
Description: Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Smoke Loader
File: Executable exe, SHA256 70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade (this sample)