MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA 44 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b
SHA3-384 hash: 12bd897a0d44989455519a3c3e4a50a9441c304d8635d080e402a23367d36dc749b6634f8d7d6d7568f581625678a44e
SHA1 hash: 4bae1d2a05c1817c61042728b17475f8c9ea9d25
MD5 hash: dfd00cebfa70ea1470514e2c03770fd4
humanhash: undress-fix-sodium-harry
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:301'056 bytes
First seen:2023-10-19 17:23:43 UTC
Last seen:2023-10-21 12:29:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cc55bce3abc3b927f546a56840b83d63 (1 x RemcosRAT, 1 x Smoke Loader, 1 x Amadey)
ssdeep 6144:Zmtm9dlOj4E5XqmYZHOm0kvZqzH/LTsguwEtqsvjoAO1fmIZs:8eOjP5XqpZv0kvATDuwEws0vZs
Threatray 760 similar samples on MalwareBazaar
TLSH T1A7544B517912C072D66051720AB9BFF6C5ADAC159BB04AEF7BC00E77CA212E27931F39
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from http://193.42.33.7/newumma.exe

Intelligence

File Origin
# of uploads :
29
# of downloads :
346
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-19 17:28:38 UTC
Tags:
amadey botnet stealer
Link:
https://app.any.run/tasks/1fa2d9ee-2a22-4ce2-883b-4b78f610d20b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.4113.3239.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP POST request
Adding an access-denied ACE
Sending a custom TCP request
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin shell32
Link:
https://www.filescan.io/uploads/653166344e8eaf1eb5ffe2b6/reports/2e2bcc46-03b0-4021-8c87-f918af11c828/overview
Verdict:
Malicious
Labled as:
Ser.Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/173c7692-fc06-4ff1-9fc7-b82940fd736e
Result
Threat name:
Amadey, Babuk, Djvu, Glupteba, RedLine,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1328861
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1328861 Sample: file.exe Startdate: 19/10/2023 Architecture: WINDOWS Score: 100 127 zexeq.com 2->127 129 host-host-file8.com 2->129 131 7 other IPs or domains 2->131 169 Found malware configuration 2->169 171 Malicious sample detected (through community Yara rule) 2->171 173 Antivirus detection for URL or domain 2->173 175 17 other signatures 2->175 14 file.exe 4 2->14         started        18 E6C8.exe 2->18         started        20 vvicjwi 2->20         started        22 2 other processes 2->22 signatures3 process4 file5 125 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 14->125 dropped 231 Contains functionality to inject code into remote processes 14->231 24 Utsysc.exe 19 14->24         started        233 Detected unpacking (changes PE section rights) 18->233 235 Detected unpacking (overwrites its own PE header) 18->235 237 Machine Learning detection for dropped file 18->237 239 Writes a notice file (html or txt) to demand a ransom 18->239 29 E6C8.exe 18->29         started        241 Injects a PE file into a foreign processes 20->241 31 vvicjwi 20->31         started        signatures6 process7 dnsIp8 133 193.42.33.7, 49713, 49715, 49718 EENET-ASEE Germany 24->133 135 galandskiyher5.com 194.169.175.127, 49714, 49741, 49743 CLOUDCOMPUTINGDE Germany 24->135 139 2 other IPs or domains 24->139 103 C:\...\e0cbefcb1af40c7d4aff4aca26621a98.exe, PE32 24->103 dropped 105 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 24->105 dropped 107 C:\Users\user\AppData\...\toolspub2[1].exe, PE32 24->107 dropped 109 e0cbefcb1af40c7d4aff4aca26621a98[1].exe, PE32 24->109 dropped 195 Multi AV Scanner detection for dropped file 24->195 197 Creates an undocumented autostart registry key 24->197 199 Machine Learning detection for dropped file 24->199 201 Uses schtasks.exe or at.exe to add and modify task schedules 24->201 33 toolspub2.exe 24->33         started        36 e0cbefcb1af40c7d4aff4aca26621a98.exe 13 24->36         started        38 cmd.exe 1 24->38         started        40 schtasks.exe 1 24->40         started        137 zexeq.com 190.219.136.87, 49781, 80 CableOndaPA Panama 29->137 111 C:\Users\user\_readme.txt, ASCII 29->111 dropped 113 C:\Users\user\Desktop\file.exe, MS-DOS 29->113 dropped 115 C:\Users\user\Desktop115VWZAPQSQL.pdf, data 29->115 dropped 117 3 other malicious files 29->117 dropped 203 Modifies existing user documents (likely ransomware behavior) 29->203 205 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 31->205 207 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 31->207 209 Maps a DLL or memory area into another process 31->209 211 2 other signatures 31->211 file9 signatures10 process11 signatures12 157 Detected unpacking (changes PE section rights) 33->157 159 Machine Learning detection for dropped file 33->159 161 Injects a PE file into a foreign processes 33->161 42 toolspub2.exe 33->42         started        163 Detected unpacking (overwrites its own PE header) 36->163 165 Found Tor onion address 36->165 167 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->167 45 e0cbefcb1af40c7d4aff4aca26621a98.exe 36->45         started        47 powershell.exe 36->47         started        49 conhost.exe 38->49         started        51 cmd.exe 1 38->51         started        53 cmd.exe 1 38->53         started        57 4 other processes 38->57 55 conhost.exe 40->55         started        process13 signatures14 213 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 42->213 215 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 42->215 217 Maps a DLL or memory area into another process 42->217 221 2 other signatures 42->221 59 explorer.exe 44 25 42->59 injected 219 Found Tor onion address 45->219 64 powershell.exe 45->64         started        66 conhost.exe 47->66         started        process15 dnsIp16 141 100acresclub.com 103.53.42.238, 443, 49778 PUBLIC-DOMAIN-REGISTRYUS India 59->141 143 colisumy.com 211.168.53.110, 49748, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 59->143 119 C:\Users\user\AppData\Roaming\vvicjwi, PE32 59->119 dropped 121 C:\Users\user\AppData\Local\Temp6C8.exe, PE32 59->121 dropped 123 C:\Users\user\AppData\Local\Temp\257A.exe, PE32 59->123 dropped 223 System process connects to network (likely due to code injection or exploit) 59->223 225 Benign windows process drops PE files 59->225 227 Hides that the sample has been downloaded from the Internet (zone.identifier) 59->227 68 257A.exe 59->68         started        71 E6C8.exe 59->71         started        73 E6C8.exe 59->73         started        77 3 other processes 59->77 75 conhost.exe 64->75         started        file17 signatures18 process19 signatures20 177 Multi AV Scanner detection for dropped file 68->177 179 Detected unpacking (changes PE section rights) 68->179 181 Query firmware table information (likely to detect VMs) 68->181 193 5 other signatures 68->193 79 AppLaunch.exe 68->79         started        183 Detected unpacking (overwrites its own PE header) 71->183 185 Machine Learning detection for dropped file 71->185 187 Injects a PE file into a foreign processes 71->187 83 E6C8.exe 71->83         started        189 Sample uses process hollowing technique 73->189 191 Uses cmd line tools excessively to alter registry or file data 77->191 86 conhost.exe 77->86         started        88 reg.exe 77->88         started        90 conhost.exe 77->90         started        92 2 other processes 77->92 process21 dnsIp22 145 171.22.28.216, 45922, 49792 CMCSUS Germany 79->145 149 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 79->149 151 Found many strings related to Crypto-Wallets (likely being stolen) 79->151 153 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 79->153 155 2 other signatures 79->155 147 api.2ip.ua 172.67.139.220, 443, 49758, 49770 CLOUDFLARENETUS United States 83->147 101 C:\Users\user\AppData\Local\...6C8.exe, PE32 83->101 dropped 94 E6C8.exe 83->94         started        97 icacls.exe 83->97         started        file23 signatures24 process25 signatures26 229 Injects a PE file into a foreign processes 94->229 99 E6C8.exe 94->99         started        process27
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-10-19 17:24:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=soy7zbuwqrxmezg254xpjxwzysadgodht25fux35waj5j4pmgz5q._file
Verdict:
malicious
Similar samples:
0efe90fbe05fdbe7645cc238be406b3add95c4b2307120b73697674ad408b0de
Smoke Loader
19f0386456060982bf9880a31c55022371ea3825c10f5ecca1310c8219ed738c
Smoke Loader
2430698bf0a0c32648e7e27dffbad606e82be3d88b03166b997fec2daeb7a3bc
Smoke Loader
3a29ac8fe5135b7114a8b38b9dcf0a9126d949ee334d0200e291b810a8cee835
Smoke Loader
6ecf9fda65dc1a4a9c7610510ac9f78a6663e75d736a8444c72e11a0cc8d8d46
Smoke Loader
884696bd9335b0113cf3f2d8ea9741e09f80a11a2c1eb2cc1bd3fd8835c62e89
Smoke Loader
db3b2d6c5a1a8da7b336f9fdba52c4119354bbc20aae3d5970edebeb82502ae9
Smoke Loader
+ 750 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:smokeloader botnet:up3 backdoor discovery dropper evasion loader persistence rootkit trojan upx
Link:
https://tria.ge/reports/231019-vypebshe3s/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
SmokeLoader
Windows security bypass
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b
MD5 hash:
dfd00cebfa70ea1470514e2c03770fd4
SHA1 hash:
4bae1d2a05c1817c61042728b17475f8c9ea9d25
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/2297b03e-8dd9-4a77-a141-807699fbaf83/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/93b1fc869684/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:crime_ZZ_botnet_aicm
Create hunting rule
Author:imp0rtp3
Description:DDoS Golang Botnet sample for linux called 'aicm'
Reference:https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_Amadey
Create hunting rule
Author:ditekSHen
Description:Amadey downloader payload
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UroburosVirtualBoxDriver
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Amadey_7abb059b
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples
Rule name:win_amadey_bytecodes_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2722541/

Comments