MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 753db6144d00d5b02a4f940b2734510f58ef831a37f8754a9bd58a2a7a7e092e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Smoke Loader
Vendor detections: 12
| SHA256 hash: | 753db6144d00d5b02a4f940b2734510f58ef831a37f8754a9bd58a2a7a7e092e |
|---|---|
| SHA3-384 hash: | 0f7aa17b7a41666daddae52f91403ce08d249bb85d0ab9c3aebc70b602c31989aea7f336bd4f932e749143466d5308d2 |
| SHA1 hash: | a0537875d8193cad2521a90e1c4a3a72301f15a6 |
| MD5 hash: | 5771577bcff866b926cacd16d66b10ef |
| humanhash: | seven-quiet-thirteen-sodium |
| File name: | 5771577bcff866b926cacd16d66b10ef |
| Download: | download sample |
| Signature | Smoke Loader |
| File size: | 181'248 bytes |
| First seen: | 2022-06-02 14:59:39 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 029fa20ad5a3f17b1ab62d31461de34c (3 x Smoke Loader, 1 x RedLineStealer) |
| ssdeep | 1536:qjPE+/PD0ky65juHK65DDGTll+xYhxriCxDbB9FIvICmwIYbqFaFvInd2FIHmkT+:qj1b25D4lGYhxrlDXzC/uFIaNcIO1s |
| Threatray | 332 similar samples on MalwareBazaar |
| TLSH | T1E204BF1172B0C032E1B775301975C2B26A7BBC736175C84B3B94127E6F726C2AAB5B27 |
| TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | 5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe Smoke Loader |
Intelligence
File Origin
# of uploads :
1
# of downloads :
855
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5771577bcff866b926cacd16d66b10ef
Verdict:
No threats detected
Analysis date:
2022-06-02 15:09:10 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
Amadey, CryptOne, RedLine, SmokeLoader
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected CryptOne packer
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Threat name:
Win32.Ransomware.StopCrypt
Status:
Malicious
First seen:
2022-05-31 04:40:58 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 25 (92.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 322 additional samples on MalwareBazaar
Result
Malware family:
amadey
Score:
10/10
Tags:
family:amadey collection suricata trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Checks computer location settings
Downloads MZ/PE file
Executes dropped EXE
Amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
garts.at/forum/index.php
uknovodom.ru/forum/index.php
prospectsnorth.com/forum/index.php
uknovodom.ru/forum/index.php
prospectsnorth.com/forum/index.php
Unpacked files
SH256 hash:
4b6b7a0506feefdc17f1259b88b2d2774ca6eb291b6b75f33cfe3852b70c36b0
MD5 hash:
71429edac29bb1210b91b18b90566499
SHA1 hash:
a7464c6d3b4585c22989c9b6d06b842e124a4a48
SH256 hash:
753db6144d00d5b02a4f940b2734510f58ef831a37f8754a9bd58a2a7a7e092e
MD5 hash:
5771577bcff866b926cacd16d66b10ef
SHA1 hash:
a0537875d8193cad2521a90e1c4a3a72301f15a6
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://pandeicaruggiu.com/