MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 17



SHA256 hash: 94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e
SHA3-384 hash: e1de0b0b91138b409abe35ae76f60d114f7de4f2dbad376d6c9462f907149068de60b7f2140f0a674584a152fe9524df
SHA1 hash: f54b9ed42b60eb6793cd55ed25e6f2bd6120218f
MD5 hash: 3f6d5376b6d40c82644287c7621dfc5b
humanhash: winner-carpet-cold-bulldog
File name: 6Js1.bin
Signature Smoke Loader
File size: 632'832 bytes
First seen: 2023-09-07 08:18:44 UTC
Last seen: 2023-09-07 08:19:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:vbNq3U22k24PnuBvJTvfIVcmaBhIaQBanLFHL4UhnPtJHKFm5fto1XGTI:zI24PuvJTEYHLzhnPwU1cL
Threatray 1'025 similar samples on MalwareBazaar
TLSH T136D44A17BB66C9F1E2C96736C69B100C13B1D986E39FDB0A798E23A558433A6DC015CF
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter JAMESWT_WT
Tags: exe Smoke Loader SmokeLoader

Intelligence


File Origin
# of uploads: 2
# of downloads: 381
Origin country: IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb
Verdict:
Malicious activity
Analysis date:
2023-09-07 04:52:01 UTC
Tags:
ransomware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FlawedAmmyy, SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected FlawedAmmyy Remote Access Tool
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Flawedammyy RAT
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 1305055 (Sample: 6Js1.bin.exe, Startdate: 07/09/2023, Architecture: WINDOWS, Score: 100); rendered process/network graph not reproduced here.
Threat name:
Win32.Trojan.Zusy
Status:
Malicious
First seen:
2023-09-07 08:15:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:ammyyadmin family:smokeloader backdoor bootkit collection evasion persistence rat trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Writes to the Master Boot Record (MBR)
Deletes itself
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Stops running service(s)
Ammyy Admin
AmmyyAdmin payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Unpacked files
SHA256 hash:
941e5485b146243641d0a5c1a6dd1cfd8c63b6502c0cddb50b489edf70d38eb0
MD5 hash:
610dcde8231939db1bf63235ec20523a
SHA1 hash:
b24dbe5390c2a597c081c6dda27257889c6642e9
SHA256 hash:
0e29279895aa8f3c32aa1ffc1048a5b80f8e963e8544f170fe3195ea8513ee39
MD5 hash:
7dcded28a92daa1105c09d6a9a08e2e5
SHA1 hash:
96729901eb60f90d78105cbfe58ac0f603e8665c
Detections:
SmokeLoaderStage2 win_smokeloader_a2
SHA256 hash:
733c6784d5b030c2378359777d5a93633d53ae3647e5f194de15aa6f6b34a977
MD5 hash:
bd6ef898f8e18188c1d9fa312d1d2718
SHA1 hash:
9548d69744266eb08a446d2d716803a62a5645e2
SHA256 hash:
3b1cdb4d15455292118fe5f4c6bdc38f9a0850bded6aedb68501d900909a8747
MD5 hash:
50b7134a0c49296f574f8d8053f7630b
SHA1 hash:
26f6cf1699e4242de5b9b09f1f9cfc4461f54742
SHA256 hash:
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e
MD5 hash:
3f6d5376b6d40c82644287c7621dfc5b
SHA1 hash:
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments