MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 875263c84abb9b3e5fbdf864f5389b7f863afe454c03f6c0d8bda8fe29db705d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 19

SHA256 hash: 875263c84abb9b3e5fbdf864f5389b7f863afe454c03f6c0d8bda8fe29db705d
SHA3-384 hash: 0641e4f1d4230d638a6ae67ad6242a7b1c8cf6df29b8bc23fd47a70f92e9c4b150f3d8fd6fb0aed6747b7545bf66815a
SHA1 hash: 804a889e85b0d1d343896b45c9b824a5c38b8269
MD5 hash: 544d4e212f9b027422752c18c7d6a5dc
humanhash: colorado-grey-low-vermont
File name: 875263c84abb9b3e5fbdf864f5389b7f863afe454c03f6c0d8bda8fe29db705d
Signature: Smoke Loader
File size: 267'264 bytes
First seen: 2023-10-12 12:23:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b0b6736b23a4c40d8083fa0336038a2a (3 x Smoke Loader, 2 x Stealc)
ssdeep 3072:Ha/wEnI33lUdsjmdRiid8RFxMAyZdFZDCp5Muxu97nI+6TOa:g9GGdrdRNaRFxMdZrfuxu97nX6TO
TLSH T163449E13B1E0BC62F56766334D2DC6D47A2FF7AA8E69672A22145BDF08701B2D273311
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 0010d1c0a4cea200 (1 x Smoke Loader)
Reporter adrian__luca
Tags: exe Smoke Loader

Intelligence


File Origin
# of uploads: 1
# of downloads: 294
Origin country: HU
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
875263c84abb9b3e5fbdf864f5389b7f863afe454c03f6c0d8bda8fe29db705d
Verdict:
Malicious activity
Analysis date:
2023-10-12 12:25:33 UTC
Tags:
loader smoke

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Gathering data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware packed ransomware
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
Amadey, DanaBot, SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected DanaBot stealer dll
Yara detected SmokeLoader
Behaviour
Behavior Graph: (rendered process graph not reproduced here; Behavior Graph ID: 1324658, Sample: GMUDTQ4Ggf.exe, Startdate: 12/10/2023, Architecture: WINDOWS, Score: 100)
Threat name:
Win32.Trojan.Convagent
Status:
Malicious
First seen:
2023-09-28 02:27:23 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
27 of 38 (71.05%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
smokeloader
Score:
10/10
Tags:
family:amadey family:danabot family:smokeloader botnet:pub1 backdoor banker spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Amadey
Danabot
SmokeLoader
Malware Config
C2 Extraction:
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
http://85.209.11.199/b9djs2g/index.php
Unpacked files
SHA256 hash:
f8e33fe12c8d4ea39089e504e4071cee057a69cd4f7198b1b96d6841d73037c5
MD5 hash:
369bfea70013cbf36679b6e8edb298a5
SHA1 hash:
575e3646997d3ffa0267ac4dd989e97436ea31cf
Detections:
SmokeLoaderStage2 win_smokeloader_a2
Parent samples:
SHA256 hash:
875263c84abb9b3e5fbdf864f5389b7f863afe454c03f6c0d8bda8fe29db705d
MD5 hash:
544d4e212f9b027422752c18c7d6a5dc
SHA1 hash:
804a889e85b0d1d343896b45c9b824a5c38b8269
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 875263c84abb9b3e5fbdf864f5389b7f863afe454c03f6c0d8bda8fe29db705d

(this sample)

Delivery method
Distributed via web download

Comments