MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 923c7929978a6fe09d671392ecceb643021ff9940b2b9c8522c7f6bbc89f9790. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 14


SHA256 hash: 923c7929978a6fe09d671392ecceb643021ff9940b2b9c8522c7f6bbc89f9790
SHA3-384 hash: c2cc397a532616335c18becd20d2a9ae48420f262476cb75494c85313e665d196ee91f818fba64d64eb9e09f7b9cd1dd
SHA1 hash: 3bbaba1ebf9a457db8c3d0e352bb8c311e9efef4
MD5 hash: adf9f5ecb2c5cfde8ad9b49abc91abab
humanhash: juliet-paris-floor-wisconsin
File name: SecuriteInfo.com.W32.MSIL_Troj.CYF.gen.Eldorado.7515.21735
Signature: Smoke Loader
File size: 872'960 bytes
First seen: 2023-11-08 22:20:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:/f5RkQgJJNoFQ3es6bxp3juIPWvgrdUC:/jgDaNsDqWAd3
Threatray: 3 similar samples on MalwareBazaar
TLSH: T127055B60E2F4AA4EF4DE563A8D3063F4A2B274677726D74ACC00E556782D7D389C07A3
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: SecuriteInfoCom
Tags: exe, Smoke Loader

Intelligence


File Origin
# of uploads: 1
# of downloads: 392
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.W32.MSIL_Troj.CYF.gen.Eldorado.7515.21735.zip
Verdict: No threats detected
Analysis date: 2023-11-09 01:30:54 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for analyzing tools
Searching for the window
Modifying a system file
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine, SmokeLoader, onlyLogger
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Writes to foreign memory regions
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: ID 1339376 (Sample: SecuriteInfo.com.W32.MSIL_T..., Startdate: 08/11/2023, Architecture: WINDOWS, Score: 100); the interactive process graph is not reproduced here.
Threat name: ByteCode-MSIL.Trojan.Nekark
Status: Malicious
First seen: 2023-11-08 22:21:10 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:amadey family:glupteba family:privateloader family:smokeloader botnet:pub1 backdoor dropper evasion loader themida trojan upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Themida packer
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Amadey
Glupteba
Glupteba payload
PrivateLoader
SmokeLoader
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SHA256 hash: faa37903655907082d2fb872f7078bb091d6490919247863089ab25fb2c7d2ec
MD5 hash: 020a756655166141ed0494464db6f951
SHA1 hash: 0e3ba87ce3320595a8a778b5d8e4ed07c00514ce

SHA256 hash: 923c7929978a6fe09d671392ecceb643021ff9940b2b9c8522c7f6bbc89f9790
MD5 hash: adf9f5ecb2c5cfde8ad9b49abc91abab
SHA1 hash: 3bbaba1ebf9a457db8c3d0e352bb8c311e9efef4

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Smoke Loader, Executable exe 923c7929978a6fe09d671392ecceb643021ff9940b2b9c8522c7f6bbc89f9790 (this sample)

Delivery method: Distributed via web download

Comments