MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 871ff4f111c7042e1c73e77bc497b8442d51e617ceb546ddb00dc193e7ea9eb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 871ff4f111c7042e1c73e77bc497b8442d51e617ceb546ddb00dc193e7ea9eb9
SHA3-384 hash: 5d6d431ef850db5aafefd9b948d0f10ad953f1b69c2b640c9907b81f2184837b7b7bc0089eb4feaeb5e123cdb0631c9e
SHA1 hash: b94048cb02a957f53585862382f96e707a3fe7bf
MD5 hash: 93d6175fe1726d7f201a13e359e3c3f8
humanhash: idaho-helium-july-sierra
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:2'266'624 bytes
First seen:2024-08-19 19:33:50 UTC
Last seen:2024-08-20 18:45:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e02808def02e999c496dcaa4fcfd6ba (2 x CryptBot, 1 x Smoke Loader, 1 x RedLineStealer)
ssdeep 49152:zI/0Xh92X3FAOkoQgcK17eVBOHpwIf0bOtW1sLjSng:gO2X33Dfp98bObLe
Threatray 4 similar samples on MalwareBazaar
TLSH T170A5BF15D3E802A5E47BD630CA699733C7B1B81A2734D68B0659D6862FB3ED14B3F312
TrID 47.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
35.2% (.EXE) InstallShield setup (43053/19/16)
8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Bitsight
Tags:exe Smoke Loader


Avatar
Bitsight
url: http://89.105.201.137/Files/File1.exe

Intelligence

File Origin
# of uploads :
12
# of downloads :
380
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-08-19 19:34:03 UTC
Tags:
pastebin discord opendir loader lumma stealer cryptbot adware neoreklami
Link:
https://app.any.run/tasks/7d901fff-8109-4d1f-a927-fd6198e7b3a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.786.20338.1377.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c39e2ce7ff3f5a063b9476
Tags:
Execution Network Static Stealth Crypt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint hacktool lolbin microsoft_visual_cc packed regedit remote
Link:
https://www.filescan.io/uploads/66c39e2d1136ce4923101958/reports/19829e4e-a379-4ee3-92a6-411347a4b56c/overview
Verdict:
Malicious
Labled as:
Win64/GenKryptik.HASK trojan
Link:
https://www.hybrid-analysis.com/sample/871ff4f111c7042e1c73e77bc497b8442d51e617ceb546ddb00dc193e7ea9eb9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96f5cd36-8c39-45dd-9426-b73737d62ee5
Result
Threat name:
Cryptbot, Neoreklami
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1495245
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Cryptbot
Yara detected Generic Downloader
Yara detected Neoreklami
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1495245 Sample: file.exe Startdate: 19/08/2024 Architecture: WINDOWS Score: 100 153 Found malware configuration 2->153 155 Antivirus detection for URL or domain 2->155 157 Multi AV Scanner detection for submitted file 2->157 159 8 other signatures 2->159 13 file.exe 2 2->13         started        16 svchost.exe 2->16         started        process3 dnsIp4 183 Writes to foreign memory regions 13->183 185 Allocates memory in foreign processes 13->185 187 Modifies Windows Defender protection settings 13->187 189 4 other signatures 13->189 19 InstallUtil.exe 15 180 13->19         started        24 forfiles.exe 13->24         started        26 forfiles.exe 13->26         started        28 5 other processes 13->28 131 184.28.90.27 AKAMAI-ASUS United States 16->131 133 127.0.0.1 unknown unknown 16->133 signatures5 process6 dnsIp7 137 89.105.201.137 NOVOSERVE-ASNL Netherlands 19->137 139 62.133.62.93 FIRSTDC-ASRU Russian Federation 19->139 141 10 other IPs or domains 19->141 107 C:\Users\...\yjb1zbRJat01TmgKkYk52Lo9.exe, PE32 19->107 dropped 109 C:\Users\...\xycvxHtmw4Nroe1QmfLnV2SY.exe, PE32 19->109 dropped 111 C:\Users\...\uDE9otbO8txU7Fkgx6BtY10o.exe, PE32 19->111 dropped 113 110 other malicious files 19->113 dropped 165 Drops script or batch files to the startup folder 19->165 167 Creates HTML files with .exe extension (expired dropper behavior) 19->167 169 Found many strings related to Crypto-Wallets (likely being stolen) 19->169 171 Writes many files with high entropy 19->171 30 lGM0dVpfz37ddmnYdgJ7pYmO.exe 19->30         started        34 M5QB1mQaTT8gUT9ImRGGEC3p.exe 19->34         started        36 UijlSmZzz3mq7ipJNpaxlyRc.exe 19->36         started        48 10 other processes 19->48 173 Modifies Windows Defender protection settings 24->173 38 cmd.exe 24->38         started        40 cmd.exe 26->40         started        175 Loading BitLocker PowerShell Module 28->175 42 cmd.exe 28->42         started        44 conhost.exe 28->44         started        46 cmd.exe 28->46         started        file8 signatures9 process10 dnsIp11 115 C:\Users\user\AppData\Local\...\Install.exe, PE32 30->115 dropped 117 C:\Users\user\AppData\Local\...\config.txt, data 30->117 dropped 191 Writes many files with high entropy 30->191 51 Install.exe 30->51         started        119 C:\Users\user\AppData\Local\...\Install.exe, PE32 34->119 dropped 121 C:\Users\user\AppData\Local\...\config.txt, data 34->121 dropped 55 Install.exe 34->55         started        123 C:\Users\user\AppData\Local\...\Install.exe, PE32 36->123 dropped 125 C:\Users\user\AppData\Local\...\config.txt, data 36->125 dropped 193 Uses cmd line tools excessively to alter registry or file data 38->193 57 reg.exe 38->57         started        59 reg.exe 40->59         started        61 reg.exe 42->61         started        135 77.232.42.234 EUT-ASEUTIPNetworkRU Russian Federation 48->135 127 C:\Users\user\AppData\Local\...\Install.exe, PE32 48->127 dropped 129 C:\Users\user\AppData\Local\...\config.txt, data 48->129 dropped 195 Tries to harvest and steal browser information (history, passwords, etc) 48->195 63 Conhost.exe 48->63         started        file12 signatures13 process14 file15 103 C:\Users\user\AppData\Local\...\Install.exe, PE32 51->103 dropped 161 Machine Learning detection for dropped file 51->161 65 Install.exe 51->65         started        105 C:\Users\user\AppData\Local\...\Install.exe, PE32 55->105 dropped 68 Install.exe 55->68         started        signatures16 process17 signatures18 143 Antivirus detection for dropped file 65->143 145 Multi AV Scanner detection for dropped file 65->145 147 Machine Learning detection for dropped file 65->147 149 Uses cmd line tools excessively to alter registry or file data 65->149 70 cmd.exe 65->70         started        151 Modifies Windows Defender protection settings 68->151 73 cmd.exe 68->73         started        process19 signatures20 177 Modifies Windows Defender protection settings 70->177 75 forfiles.exe 70->75         started        78 forfiles.exe 70->78         started        80 forfiles.exe 70->80         started        82 2 other processes 70->82 179 Uses cmd line tools excessively to alter registry or file data 73->179 process21 signatures22 181 Modifies Windows Defender protection settings 75->181 84 cmd.exe 75->84         started        87 Conhost.exe 75->87         started        89 cmd.exe 78->89         started        91 cmd.exe 80->91         started        93 cmd.exe 82->93         started        process23 signatures24 95 reg.exe 84->95         started        163 Uses cmd line tools excessively to alter registry or file data 89->163 97 reg.exe 89->97         started        99 Conhost.exe 89->99         started        101 reg.exe 91->101         started        process25
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/871ff4f111c7042e1c73e77bc497b8442d51e617ceb546ddb00dc193e7ea9eb9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/871ff4f111c7042e1c73e77bc497b8442d51e617ceb546ddb00dc193e7ea9eb9/
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-08-19 19:34:05 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q4p7j4iry4cc4hdt4554jf5yiqwvdzqxz22unxnqbxazhz7kt24q._file
Verdict:
malicious
Similar samples:
45923c5e0fa75d8265252dcdaa59b90db697db59e1badc8e474ac804ddeb41fd
Smoke Loader
63d9319414c01f4172c4fdb53645cfd848f380bdc08ed3c1cb83bacb715b6770
Smoke Loader
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion execution trojan
Link:
https://tria.ge/reports/240819-x93r7swckj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Command and Scripting Interpreter: PowerShell
UAC bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7073adf2-7c11-4cb2-aa68-2d0c5af85092
Unpacked files
SH256 hash:
871ff4f111c7042e1c73e77bc497b8442d51e617ceb546ddb00dc193e7ea9eb9
MD5 hash:
93d6175fe1726d7f201a13e359e3c3f8
SHA1 hash:
b94048cb02a957f53585862382f96e707a3fe7bf
Link:
https://www.unpac.me/results/8455a77b-9095-4d0f-8bef-00e298056799/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/871ff4f111c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/871ff4f111c7042e1c73e77bc497b8442d51e617ceb546ddb00dc193e7ea9eb9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 871ff4f111c7042e1c73e77bc497b8442d51e617ceb546ddb00dc193e7ea9eb9

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3116279/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::RevertToSelf
ADVAPI32.dll::GetSecurityDescriptorLength
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetWindowsAccountDomainSid
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenThreadToken
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::VirtualAllocExNuma
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptGenerateSymmetricKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments