MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e97e6e6ccae12c62ee828a165fc3c0945026440716621d90abc77a1f7fc5c62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e97e6e6ccae12c62ee828a165fc3c0945026440716621d90abc77a1f7fc5c62
SHA3-384 hash: e64cc117ca8e5eebe75a2621e8f25aab9b8be4d4a501e3d79d876c2dc8fef082fc8ba966f982e18fad75d3d42cd7c359
SHA1 hash: 3e07fd75182b19df884e838efcbae0b4d7303dd4
MD5 hash: bd872ba52ce39a98cafeb40929e262a5
humanhash: hotel-twenty-mirror-golf
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:1'315'840 bytes
First seen:2024-07-25 21:28:30 UTC
Last seen:2024-07-25 22:24:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:SRPuEL3DiXwK5FN3fiVcsR5jUSrPCzqNz1TL4kGT3nYaBZ2iUP:SRGELD81FNycsR542VpTL4k6Y9R
Threatray 1'050 similar samples on MalwareBazaar
TLSH T14155AD33BE6783F2E2892736D6AA4C149374E993371BDA1E758A236904877F7494070F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter Bitsight
Tags:exe Smoke Loader


Avatar
Bitsight
url: http://mkstat595.xyz/ldx111.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
555
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.12080.27884.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a34f6e458e130e002a96c8
Tags:
Execution Network Stealth Malware
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
net_reactor packed packed
Link:
https://www.filescan.io/uploads/66a2c3a4556840231715b3e9/reports/8c7e883a-dd03-4dab-b09e-5f92ab81b2ef/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48761979-d148-45ec-89a9-3387ee959a03
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1482532
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops PE files with a suspicious file extension
Found malware configuration
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1482532 Sample: file.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 94 serverlogs275.xyz 2->94 96 mkstat595.xyz 2->96 98 90.168.9.0.in-addr.arpa 2->98 132 Found malware configuration 2->132 134 Malicious sample detected (through community Yara rule) 2->134 136 Yara detected SmokeLoader 2->136 140 5 other signatures 2->140 11 file.exe 5 2->11         started        14 aaeuadj 5 2->14         started        signatures3 138 Performs DNS queries to domains with low reputation 96->138 process4 signatures5 142 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->142 144 Switches to a custom stack to bypass stack traces 11->144 16 file.exe 11->16         started        19 cmd.exe 1 11->19         started        21 cmd.exe 11->21         started        146 Machine Learning detection for dropped file 14->146 23 cmd.exe 14->23         started        25 cmd.exe 14->25         started        process6 signatures7 106 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->106 108 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->108 110 Maps a DLL or memory area into another process 16->110 114 2 other signatures 16->114 27 explorer.exe 22 10 16->27 injected 112 Drops PE files with a suspicious file extension 19->112 32 conhost.exe 19->32         started        34 timeout.exe 1 19->34         started        36 conhost.exe 21->36         started        38 timeout.exe 1 21->38         started        40 conhost.exe 23->40         started        42 timeout.exe 1 23->42         started        44 conhost.exe 25->44         started        46 timeout.exe 25->46         started        process8 dnsIp9 100 mkstat595.xyz 5.182.207.10, 53748, 80 SERVERFIELD-ASServerfieldCoLtdTW Germany 27->100 102 serverlogs275.xyz 5.101.179.26, 53747, 53750, 53751 PAGM-ASEE Estonia 27->102 104 51.77.140.74, 53749, 80 OVHFR France 27->104 86 C:\Users\user\AppData\Roaming\aaeuadj, PE32 27->86 dropped 88 C:\Users\user\AppData\Local\Temp\F62F.exe, PE32 27->88 dropped 90 C:\Users\user\AppData\Local\TempA86.exe, PE32 27->90 dropped 92 2 other malicious files 27->92 dropped 148 System process connects to network (likely due to code injection or exploit) 27->148 150 Benign windows process drops PE files 27->150 152 Injects code into the Windows Explorer (explorer.exe) 27->152 154 3 other signatures 27->154 48 explorer.exe 27->48         started        51 B0.exe 27->51         started        53 F62F.exe 27->53         started        55 6 other processes 27->55 file10 signatures11 process12 signatures13 116 System process connects to network (likely due to code injection or exploit) 48->116 118 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 48->118 120 Tries to steal Mail credentials (via file / registry access) 48->120 130 2 other signatures 48->130 122 Machine Learning detection for dropped file 51->122 124 Found stalling execution ending in API Sleep call 51->124 57 cmd.exe 51->57         started        126 Antivirus detection for dropped file 53->126 60 cmd.exe 53->60         started        128 Tries to harvest and steal browser information (history, passwords, etc) 55->128 62 cmd.exe 55->62         started        64 cmd.exe 55->64         started        process14 file15 84 C:\Users\user\AppData\Local\...\Surrey.pif, PE32 57->84 dropped 66 conhost.exe 57->66         started        68 tasklist.exe 57->68         started        70 findstr.exe 57->70         started        72 tasklist.exe 57->72         started        74 conhost.exe 60->74         started        76 timeout.exe 60->76         started        78 conhost.exe 62->78         started        80 timeout.exe 62->80         started        82 2 other processes 64->82 process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7e97e6e6ccae12c62ee828a165fc3c0945026440716621d90abc77a1f7fc5c62
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e97e6e6ccae12c62ee828a165fc3c0945026440716621d90abc77a1f7fc5c62/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-07-25 21:29:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2l6nzwmvyjmmlxifcqwl7b4bfcqezcaoftcdwikxr32d574lrra._file
Verdict:
malicious
Similar samples:
0b8698357d915b97225ab82204e9b4faf9b291286dc595edf2f5798627a11bd6
Smoke Loader
14b752f175fc8348815ba40afb7f48e6904300d02f521adc0c523a83ca787115
Smoke Loader
46d173aae9169713594b60432c48e12d02cbaf815a3a86531275a6712a82fab6
Smoke Loader
5c415a3f7d2dfc912447dfde68e67c6b90cc0fd07011f8bd062390ad72111609
Smoke Loader
d38b7f092af30ecfbbfdb162e1dd8baabb4c0f2dee65ec5179126a8488e499e6
Smoke Loader
ed3abbb92b588a5fea991fa017e66a84306cfc86ba0852c9005ea1a555b199f2
Smoke Loader
+ 1'040 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor discovery trojan
Link:
https://tria.ge/reports/240725-1bxebayfja/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
SmokeLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d408492a-40f7-41b2-83c0-571ae6b25bc2
Unpacked files
SH256 hash:
b83d47211d27a7c6f0e5a0e5bc43f5fc9f27578ebfa3ce95b00736aa9e9749c7
MD5 hash:
74ea17cefc30cdc60fa4bd84adcb2031
SHA1 hash:
d90940768873b5365ad26ece4b5a8dd74a4e73be
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/6c52fd4b-efc2-4028-a556-45931600025b/
Parent samples :
7e97e6e6ccae12c62ee828a165fc3c0945026440716621d90abc77a1f7fc5c62
2eb9d2a67aa9761b996f932affd2deab03145b56b96cb9f9ceebfbffc9e866a2
87f3eab16a49cdb0bdfe1906ad5e0989a057a3b253f2622dff125986f813aede
SH256 hash:
a407c8cb0ad5d50140e0ab2d2efe40738ee72e05dd802220a47467e4fb78a7f8
MD5 hash:
03c79098170ba10b2e5eaad8538a2bcf
SHA1 hash:
c76555d96086d2f9916c45e79d70f980bd092351
Link:
https://www.unpac.me/results/6c52fd4b-efc2-4028-a556-45931600025b/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/6c52fd4b-efc2-4028-a556-45931600025b/
SH256 hash:
cfd0fc2edf87ffc9632d06ea91b44aba31e5c690fcba73caeda27e90de74608b
MD5 hash:
fc22baa282c524bb39cef8b3f2a4682c
SHA1 hash:
3197ea4a9a328e1ff194edbcda1a7064b8de03e6
Link:
https://www.unpac.me/results/6c52fd4b-efc2-4028-a556-45931600025b/
SH256 hash:
99cd97698afe401986db1f1922c7e72af4478bc15afcc44e539b8cc6e5f3c54d
MD5 hash:
8ae57d72cc793a71e7003e668e7fc8c0
SHA1 hash:
145795cb50b1476e907bd1c939339abf4e72d20e
Link:
https://www.unpac.me/results/6c52fd4b-efc2-4028-a556-45931600025b/
SH256 hash:
7e97e6e6ccae12c62ee828a165fc3c0945026440716621d90abc77a1f7fc5c62
MD5 hash:
bd872ba52ce39a98cafeb40929e262a5
SHA1 hash:
3e07fd75182b19df884e838efcbae0b4d7303dd4
Link:
https://www.unpac.me/results/6c52fd4b-efc2-4028-a556-45931600025b/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e97e6e6ccae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dofoil
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7e97e6e6ccae12c62ee828a165fc3c0945026440716621d90abc77a1f7fc5c62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 7e97e6e6ccae12c62ee828a165fc3c0945026440716621d90abc77a1f7fc5c62

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3067317/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments