MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
SHA3-384 hash: 2fabb494781b67eb9bb15e726a78184464fca1a8208f2d84e1e353d891df63bb773113fcb0b1d93966637b2a75db0d58
SHA1 hash: 4058872c28eed549c3d891c470d9995690f405fa
MD5 hash: 6506d5c0294b836710848586a7b8df80
humanhash: uranus-hydrogen-hot-may
File name:6506d5c0294b836710848586a7b8df80
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:315'392 bytes
First seen:2024-03-23 00:35:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a70316d41fb098a9176638cafb09b63 (3 x Smoke Loader, 1 x Stealc)
ssdeep 3072:DGmUR5Wgf491+wYYmEXzwF2D3v+j8PQf4hsFhQgQaVaZUXkb7K:jURzg1LloRjeQf4CzQgQaVGUUbu
Threatray 2'174 similar samples on MalwareBazaar
TLSH T183648D03B2D1ECA0E97247329D29C6E8662EFD718E55AB5733587E0F34703A1D623B61
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.1% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0030e09020301000 (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6.exe
Verdict:
Malicious activity
Analysis date:
2024-03-23 00:36:53 UTC
Tags:
loader smoke smokeloader
Link:
https://app.any.run/tasks/b02c9c10-09ab-4897-8159-dbb371686018

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Deleting a recently created file
Launching a process
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint smokeloader
Link:
https://www.filescan.io/uploads/65fe23f2a37c92181885d24d/reports/f594d7fb-4d59-43bf-a4a7-4c465eba479e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bd3b8e38-0c33-467a-b29f-09733e2e9b3b
Result
Threat name:
RHADAMANTHYS, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1414330
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1414330 Sample: 4p9nmGarFL.exe Startdate: 23/03/2024 Architecture: WINDOWS Score: 100 51 trad-einmyus.com 2->51 53 noithaticon.vn 2->53 69 Snort IDS alert for network traffic 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 11 other signatures 2->75 10 4p9nmGarFL.exe 2->10         started        13 rshwtat 2->13         started        signatures3 process4 signatures5 93 Detected unpacking (changes PE section rights) 10->93 95 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->95 97 Maps a DLL or memory area into another process 10->97 105 2 other signatures 10->105 15 explorer.exe 70 7 10->15 injected 99 Antivirus detection for dropped file 13->99 101 Multi AV Scanner detection for dropped file 13->101 103 Machine Learning detection for dropped file 13->103 process6 dnsIp7 57 trad-einmyus.com 81.94.159.197, 49712, 80 WESTCALL-ASRU Russian Federation 15->57 59 noithaticon.vn 103.221.220.14, 443, 49713 FPT-AS-APTheCorporationforFinancingPromotingTechnolo Viet Nam 15->59 43 C:\Users\user\AppData\Roaming\rshwtat, PE32 15->43 dropped 45 C:\Users\user\AppData\Local\Temp\342A.exe, PE32 15->45 dropped 47 C:\Users\user\...\rshwtat:Zone.Identifier, ASCII 15->47 dropped 61 System process connects to network (likely due to code injection or exploit) 15->61 63 Benign windows process drops PE files 15->63 65 Deletes itself after installation 15->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->67 20 342A.exe 2 15->20         started        24 OpenWith.exe 15->24         started        26 dialer.exe 15->26         started        29 cmd.exe 1 15->29         started        file8 signatures9 process10 dnsIp11 49 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 20->49 dropped 77 Multi AV Scanner detection for dropped file 20->77 79 Machine Learning detection for dropped file 20->79 81 Writes to foreign memory regions 20->81 91 3 other signatures 20->91 31 MSBuild.exe 1 20->31         started        33 WerFault.exe 21 20->33         started        83 Found many strings related to Crypto-Wallets (likely being stolen) 24->83 85 Tries to harvest and steal browser information (history, passwords, etc) 24->85 87 Tries to harvest and steal Bitcoin Wallet information 24->87 55 94.156.8.76, 4283, 49723, 49727 NET1-ASBG Bulgaria 26->55 89 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 26->89 35 conhost.exe 29->35         started        37 reg.exe 1 1 29->37         started        file12 signatures13 process14 process15 39 WerFault.exe 4 31->39         started        41 WerFault.exe 4 31->41         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2024-03-22 15:45:35 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oqnevx3z2yg3d72ncpueckn677ty2l6qx2pfrm5qoycsweq22g3a._file
Verdict:
malicious
Similar samples:
5d757b69732066527c841f7007486942fe0f339770121327053917bf6c05d7c5
Smoke Loader
741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
Smoke Loader
b6b2a535b20c12e6098f63029a4a1f235d0801815316cc2b8d170f27b3fd5b60
Smoke Loader
c0db80c802efadad423ac6db9d62d1b6a67c593a177774524658ec91e8f9910e
Smoke Loader
cab8ce1b9026b804505c128b7da21af759db3007b134c1ab6e232ce27e0fd6f9
Smoke Loader
f995e7b6121391a9214a3f3068a1d0ce7ccace5ff86a12bb51c8f9ae325b1d0a
Smoke Loader
+ 2'164 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys family:smokeloader botnet:tfd5 backdoor stealer trojan
Link:
https://tria.ge/reports/240323-axw3kaba85/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Unpacked files
SH256 hash:
8920c744aebda5cd6304ea1aa88b1a051a5e34a3d5d7d2dab182ef9cb0aec361
MD5 hash:
9f6f0abfef1cad87fbdd302b790ab0be
SHA1 hash:
1e93fbaadbd9d880dd0dde3623b6f16233aa7811
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/58126cc6-e3ae-40da-8a7b-3af8a7eb13b0/
Parent samples :
f4488ed8da62e7e849070788bcf45eb70f4a2461333918b9b9087f8bbe8d2a22
b8a974ff0066513b4fac4f6a256a39933af90a9df9b03d6234d1a4bf88b7b0e8
a5da18a9350a63a4d2ec54da2d3e49bf4277307209979bfad54538eff856bf9c
078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
b1f57f9e13e75717674eeca314a042ac3e0816f17e7743c361e0be7f45bf9897
d3dc74a3bca3cc38943b90bd7b33dffd683d0bcf20bd507404185e595909d11f
e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964
8bc3990f004b22558934ae39d088d52e4359509f5d7be8542dbdc8cc05ee7e78
741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
SH256 hash:
741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
MD5 hash:
6506d5c0294b836710848586a7b8df80
SHA1 hash:
4058872c28eed549c3d891c470d9995690f405fa
Link:
https://www.unpac.me/results/58126cc6-e3ae-40da-8a7b-3af8a7eb13b0/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/741a4adf79d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationUSER32.dll::GetUserObjectSecurity
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindFirstVolumeMountPointW
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetVolumeInformationA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::PeekConsoleInputA
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::ReadConsoleOutputCharacterA
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::QueryDosDeviceW

Comments


Avatar
zbet commented on 2024-03-23 00:35:17 UTC

url : hxxp://galandskiyher5.com/downloads/toolspub5.exe