MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c17d5b20427304dc69fe6c8b4e203fa8077ccb1a252caec921c1586132758cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 17

SHA256 hash: 8c17d5b20427304dc69fe6c8b4e203fa8077ccb1a252caec921c1586132758cd
SHA3-384 hash: d5b3d26033efc64640718c12f9094fa40675658875d05ecab93d7f3254fc8ddae4e35ccb40b8b998dfba0be0dcd39c32
SHA1 hash: 6c55f1f879721fca7cb650ddb541e3d5bae20c23
MD5 hash: 0d223ae59e8285e57e838b1e19be662d
humanhash: ohio-table-helium-romeo
File name: file
Signature: Smoke Loader
File size: 256'000 bytes
First seen: 2023-09-10 07:24:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3681be0c4196dc1f0159e8326f6ce58b (3 x RedLineStealer, 2 x Smoke Loader, 2 x Stealc)
ssdeep: 3072:QBcFI/LHnUEG9JDE8SOE9y++Nz0NFbnEcH1MTYazNqFCaHRGoPX2:wR/LHIrYHt/2z0PbxH1MnocBy
Threatray: 1'536 similar samples on MalwareBazaar
TLSH: T1D6448C2377E0BC72D66707340F6EAEEC7B6EB8515E61434A23141E5B1D702B1DA2B326
TrID: 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 0020409010100800 (1 x Vidar, 1 x Smoke Loader)
Reporter: andretavare5
Tags: exe Smoke Loader


andretavare5
Sample downloaded from https://agsnv.com/tmp/index.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 285
Origin country: US
Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-09-10 07:26:22 UTC
Tags: loader smoke

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed xpack

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: SmokeLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 1306795; sample file.exe; start date 10/09/2023; architecture WINDOWS; score 100)
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 6 other signatures
Processes started: file.exe; jetwvha (two instances)
file.exe: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 2 other signatures; injects into explorer.exe
jetwvha: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process
explorer.exe (injected), network: 187.134.40.51 (ports 49744, 49763, 49764; UninetSAdeCVMX Mexico); 187.212.185.70 (ports 49781, 80; UninetSAdeCVMX Mexico); 7 other IPs or domains
explorer.exe (injected), files dropped: C:\Users\user\AppData\Roaming\jetwvha (PE32); C:\Users\user\...\jetwvha:Zone.Identifier (ASCII)
explorer.exe (injected), signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-09-10 07:25:06 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 21 of 24 (87.50%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader botnet:pub4 backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SHA256 hash: a5c406b97933a8aa395b68221cdd20ddcd73cc1f95472d05a7d6b3bd50892743
MD5 hash: 59658350ff5f6470188ebc0fdd06f057
SHA1 hash: ca75c22af01a5b64a2c73f50fa36c887a9818f5d
Detections: SmokeLoaderStage2 win_smokeloader_a2
Parent samples:
SHA256 hash: 8c17d5b20427304dc69fe6c8b4e203fa8077ccb1a252caec921c1586132758cd
MD5 hash: 0d223ae59e8285e57e838b1e19be662d
SHA1 hash: 6c55f1f879721fca7cb650ddb541e3d5bae20c23

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
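The indicators this entry exposes (sample and stage-2 hashes, the extracted C2 URLs, the IPs the injected explorer.exe contacted, the persistence copy dropped as %APPDATA%\Roaming\jetwvha and its removed Zone.Identifier stream) collected into a small matcher and run over log records. This is an added example, not MalwareBazaar code and not any vendor's tooling; the log lines are constructed, and the `/tmp/` path heuristic is an assumption drawn only from the fact that every listed C2 URL and the reporter's download URL share that path.

```python
"""Match the indicators from this MalwareBazaar entry against log records.

Added example: not MalwareBazaar code and not any vendor's tooling.  The
indicator values are copied from the entry above; the log lines at the
bottom are constructed for illustration and come from no real incident.
"""
import re
from urllib.parse import urlsplit

# Hashes of the submitted sample and of the unpacked stage 2 (from the entry).
SHA256_HASHES = {
    "8c17d5b20427304dc69fe6c8b4e203fa8077ccb1a252caec921c1586132758cd",
    "a5c406b97933a8aa395b68221cdd20ddcd73cc1f95472d05a7d6b3bd50892743",
}
SHA1_HASHES = {
    "6c55f1f879721fca7cb650ddb541e3d5bae20c23",
    "ca75c22af01a5b64a2c73f50fa36c887a9818f5d",
}
MD5_HASHES = {
    "0d223ae59e8285e57e838b1e19be662d",
    "59658350ff5f6470188ebc0fdd06f057",
}
# C2 URLs extracted from the malware config, plus the host the reporter
# downloaded the sample from.
C2_URLS = {
    "http://taibi.at/tmp/",
    "http://01stroy.ru/tmp/",
    "http://mal-net.com/tmp/",
    "http://gromograd.ru/tmp/",
    "http://kingpirate.ru/tmp/",
}
KNOWN_HOSTS = {urlsplit(u).hostname for u in C2_URLS} | {"agsnv.com"}
# IPs the injected explorer.exe contacted in the sandbox.
C2_IPS = {"187.134.40.51", "187.212.185.70"}
# Persistence copy dropped under %APPDATA%\Roaming, with or without the
# Zone.Identifier alternate data stream the loader removes.
DROPPED_RE = re.compile(r"\\AppData\\Roaming\\jetwvha(:Zone\.Identifier)?$", re.I)

HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")


def match_iocs(lines):
    """Return (line_number, indicator_type, value) for every hit in *lines*."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in HEX_RE.findall(line):
            token = token.lower()
            if token in SHA256_HASHES:
                hits.append((n, "sha256", token))
            elif token in SHA1_HASHES:
                hits.append((n, "sha1", token))
            elif token in MD5_HASHES:
                hits.append((n, "md5", token))
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if host in KNOWN_HOSTS:
                hits.append((n, "known_host", host))
            elif parts.path.startswith("/tmp/"):
                # Assumption, not an indicator from the entry: every listed C2
                # URL and the download URL share a /tmp/ path, so a request to
                # that path on an unlisted host is flagged at low confidence.
                hits.append((n, "tmp_path_heuristic", host))
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS:
                hits.append((n, "c2_ip", ip))
        for path in WINPATH_RE.findall(line):
            if DROPPED_RE.search(path):
                hits.append((n, "dropped_file", path))
    return hits


# Constructed log lines (proxy, flow, EDR and inventory records), not real data.
SAMPLE_LOGS = [
    "proxy 2023-09-10T07:20:01Z src=10.0.0.23 method=GET url=https://agsnv.com/tmp/index.php status=200",
    "proxy 2023-09-10T07:24:40Z src=10.0.0.23 method=POST url=http://taibi.at/tmp/ status=404",
    "proxy 2023-09-10T07:24:41Z src=10.0.0.23 method=POST url=http://example.invalid/tmp/ status=404",
    "proxy 2023-09-10T07:25:00Z src=10.0.0.23 method=GET url=https://www.microsoft.com/ status=200",
    "flow 2023-09-10T07:24:45Z src=10.0.0.23 dst=187.134.40.51 dport=80 proto=tcp",
    "edr 2023-09-10T07:24:50Z event=FileCreate proc=explorer.exe path=C:\\Users\\bob\\AppData\\Roaming\\jetwvha",
    "edr 2023-09-10T07:24:50Z event=StreamDelete proc=explorer.exe path=C:\\Users\\bob\\AppData\\Roaming\\jetwvha:Zone.Identifier",
    "edr 2023-09-10T07:24:30Z event=ProcessCreate proc=file.exe sha256=8c17d5b20427304dc69fe6c8b4e203fa8077ccb1a252caec921c1586132758cd",
    "inv host=WS23 md5=59658350ff5f6470188ebc0fdd06f057 path=C:\\Temp\\dump.bin",
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit)
```

Exact matches on hashes, hosts, IPs and the dropped path are the reliable part; the `tmp_path_heuristic` hit on an unlisted host is only a lead to review by hand, since Smoke Loader operators rotate domains while the panel path tends to stay the same across the URLs this entry lists.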

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments