MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96499061f3cc12472b80926473bab2afd322b22637be12bc22cdfabcd143e149. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96499061f3cc12472b80926473bab2afd322b22637be12bc22cdfabcd143e149
SHA3-384 hash: e8689a4a34f1e15aa93808a50b750746acedd03572df893da6b1d2e8d07bc1108e4451ad4997b513f84aaa29252c5149
SHA1 hash: 820316db3e2765cbe89b40ad0450d52586c17d3f
MD5 hash: 0a9fa24a67b94495fc268c5060be74c1
humanhash: fillet-michigan-fanta-moon
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:237'056 bytes
First seen:2022-12-14 19:25:44 UTC
Last seen:2022-12-14 20:31:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 21fd62d092190955a86dbb87c317401b (9 x Smoke Loader, 8 x Amadey, 4 x RedLineStealer)
ssdeep 3072:T5iiBfqLsbwA1R5xI98aHuDTTvdfZ1B4mMgYIs7X242f6py:Fii5qL9AK8aOXTvdfZ1B4mN6242f6o
TLSH T15634CEE1B794C47DC093D8349D29FBE42B2EBC329D2492473B587A2F1E70AD16623746
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acefecee6eaee (153 x Amadey, 147 x Smoke Loader, 25 x RedLineStealer)
Reporter jstrosch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-14 19:29:12 UTC
Tags:
trojan loader smoke
Link:
https://app.any.run/tasks/2ce53577-31a7-4f26-8ca7-3906c967700e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/346359/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2237.1581.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
DNS request
Sending an HTTP POST request
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm azorult greyware lockbit packed
Link:
https://www.filescan.io/uploads/639a234b85831b65b79c669d/reports/dbd17af8-e740-47ed-8d2a-260250670c5e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c339ff06-349d-40ee-b085-9db0004612c5
Result
Threat name:
DanaBot, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1134526
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected DanaBot stealer dll
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 767254 Sample: file.exe Startdate: 14/12/2022 Architecture: WINDOWS Score: 100 76 Snort IDS alert for network traffic 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for URL or domain 2->80 82 7 other signatures 2->82 11 file.exe 2->11         started        14 hcgwuad 2->14         started        16 hcgwuad 2->16         started        18 E4C8.exe 2->18         started        process3 signatures4 102 Detected unpacking (changes PE section rights) 11->102 104 Maps a DLL or memory area into another process 11->104 106 Checks if the current machine is a virtual machine (disk enumeration) 11->106 20 explorer.exe 6 11->20 injected 108 Machine Learning detection for dropped file 14->108 110 Creates a thread in another existing process (thread injection) 14->110 process5 dnsIp6 60 190.147.188.50, 49707, 49708, 80 TelmexColombiaSACO Colombia 20->60 62 dowe.at 91.195.240.101, 49695, 80 SEDO-ASDE Germany 20->62 64 5 other IPs or domains 20->64 48 C:\Users\user\AppData\Roaming\hcgwuad, PE32 20->48 dropped 50 C:\Users\user\AppData\Local\Temp4C8.exe, PE32 20->50 dropped 52 C:\Users\user\AppData\Local\Temp\CB05.exe, PE32 20->52 dropped 54 C:\Users\user\...\hcgwuad:Zone.Identifier, ASCII 20->54 dropped 86 System process connects to network (likely due to code injection or exploit) 20->86 88 Benign windows process drops PE files 20->88 90 Deletes itself after installation 20->90 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->92 25 CB05.exe 5 20->25         started        29 E4C8.exe 20->29         started        file7 signatures8 process9 file10 56 C:\Users\user\AppData\Local\...\Tyiotphai.exe, PE32 25->56 dropped 58 C:\Users\user\AppData\...\Tyiotphai..tmp, DOS 25->58 dropped 94 Detected unpacking (changes PE section rights) 25->94 96 Detected unpacking (overwrites its own PE header) 25->96 98 Machine Learning detection for dropped file 25->98 100 Tries to detect virtualization through RDTSC time measurements 25->100 31 Tyiotphai.exe 25->31         started        34 rundll32.exe 2 25->34         started        signatures11 process12 signatures13 112 Detected unpacking (changes PE section rights) 31->112 114 Machine Learning detection for dropped file 31->114 36 notepad.exe 31->36         started        116 Tries to detect virtualization through RDTSC time measurements 34->116 process14 file15 46 tmp4173.tmp (copy), PE32 36->46 dropped 84 Hides threads from debuggers 36->84 40 chrome.exe 7 3 36->40         started        signatures16 process17 dnsIp18 66 192.168.2.1 unknown unknown 40->66 68 239.255.255.250 unknown Reserved 40->68 43 chrome.exe 40->43         started        process19 dnsIp20 70 clients.l.google.com 142.250.180.142, 443, 49713 GOOGLEUS United States 43->70 72 www.google.com 142.250.184.100, 443, 49714 GOOGLEUS United States 43->72 74 2 other IPs or domains 43->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96499061f3cc12472b80926473bab2afd322b22637be12bc22cdfabcd143e149/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-12-14 19:26:07 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=szezayptzqjeok4asjshhovsv7jsfmrgg67bfpbczx5lzukd4feq._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:danabot family:smokeloader backdoor banker trojan
Link:
https://tria.ge/reports/221214-x5hapsdg5v/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Downloads MZ/PE file
Executes dropped EXE
Danabot
Detects Smokeloader packer
SmokeLoader
Malware Config
C2 Extraction:
49.0.50.0:57
51.0.52.0:0
53.0.54.0:1200
55.0.56.0:65535
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6aea5d98-8d83-4cad-91fa-c419a4b0220c
Unpacked files
SH256 hash:
cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383
MD5 hash:
cb4573fa9acae5c637fced7e7cb8192c
SHA1 hash:
d2145f53a192e768b8bfbf9b633941790424ff7f
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/583b2f5f-f53d-42d6-9490-6ba787705963/
Parent samples :
3b73e1cb5c1c3d233475e948a28edfbd7c464a7b7d550229955863d037a5f80c
de558a99c1d4f7035d717797fd54546bd8a563ea308856d6c776da4ac40e447c
e114b82dbb273f622092d7d379134f861879aea5c30855a9056d4b12299a4d0e
7cfa689eff77cd7a4162aa23bc8ee895cde76e042192eea618f3fb8f49ff4a30
ae95ce71367c487132095a7eb1dd2a93c7137cc596a390be560a6afa656754ff
d57ed914bd4e2ce9a741f527cdc6424ed00442ae82e99c81168b78ef7409ab37
a729b1edad51cceeac9a61f69e17f984d48983a9ca72a4bef36a6f48bae3611b
230a95dac1fdef00e1904669c4dfba51e077ccaabf663d0a1da9ef33f7ab5edb
e97eee4a59c1b94dfa4b759b89c68d213a2e585496b76b4233aa25079e6793e6
49453ac2bac7c816c02746c300aa90d8c645ac0d21d317bf6c1774f02508f718
2215fbfce2b9d29e5cf5da500b6e3e9a8b073c70165d3e21f6339133653aae87
4dc0de570728f75f844c7afb84ac6c809ef4620dac3b12a884ff9916f5b5b0ee
a1262ba069d6bf2d8569a43a4387f8423547f6f704f873ff08a3ee49f9e026cc
5f85758bb282680a9e3fcaa5676eaa25eb33703ae01954becfa883f6b47640da
cea5368149853373e7b3bc8c9f0ad2e3eb6c668b5a43af5bce1e2cf52366289a
bdef8b9c80a18a245d62ee4454dcc910912b589d9cc774a97049b47465820a30
61a252f24dadeb189da7930fc6807cdaa5c7c64d9d7bac1f6191aa71461a32b3
96499061f3cc12472b80926473bab2afd322b22637be12bc22cdfabcd143e149
04b0601a18d27105b71c35d5623d9f93b1860b07cc262fcdebe54ec99f9a05ce
65c66c06b934ddfa0e90df3fa57097fd85a8381edb43a75b320f88452b1b047f
73a9cb67da90dae4ee505f8dd558b0285d12e7f439a3a1b6859607c4c16031ff
ead7dd6f405550ced3745cfc15320bfd5fc5dedd1bcac65bf63833679365c353
88084fb90df134bad9d49e08773094b07b7ad521e33204ca32472792ccd2d972
38e999b667e1396ec4793fd9bd4f5abfde6f5ef3c5faaebfcd29d345350cf76f
881c03c857c94709c03fcfbd8cf9bfc11b3d1f3579f0198a88e646d62575ee58
af15f13244a94810f88fb859feffdcdd6793c1eb7298e71060f7181fc6f76e8b
71fa869efa924ab2112f97f4eeaee7062bddd34811ea29a8bb406047f08f9fc0
e5a0952711c2ab163c97a9b13e762724e3e9dc0fce6fe3a128900215baa45eab
c5072261b7b27698e90066a45e204fc5db137427d22133d6a34dfbce68a26e13
76e20bad590b31cd07652c1f1f7caddf4902bd344c4a2935abf3828e77a014cb
a2109e1dd33e4b0e486d0432a2a938775bfd74d14cb247ea7f91c791cc1943f5
89f601f3894c7831084af6e25ef673f67624a7afb93e8004e321af7202940997
cbbb43906ef2d45a68bfc7759bfa621a7878573c426076024f43113892fb8933
2f322ccd5f31968a168f37aab62f4d772dd485343994ac43e171f8e1deea08c1
45f886f87e8f5a34c1f5675dd91666da03065db2255cf9794c0941b730ca2d84
86fe386cc3662c6b8228b24edd8b41be9cb586b68cb33e6d2633dc79baf383ac
e07c6bdc0cde40da74a909112f3326f7a0a091517161221607e9b77032b6b990
e53a167c6e80f9392389e002cf0609f7f4b2cef439bb589459c07a8a5b9de8a1
SH256 hash:
96499061f3cc12472b80926473bab2afd322b22637be12bc22cdfabcd143e149
MD5 hash:
0a9fa24a67b94495fc268c5060be74c1
SHA1 hash:
820316db3e2765cbe89b40ad0450d52586c17d3f
Link:
https://www.unpac.me/results/583b2f5f-f53d-42d6-9490-6ba787705963/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/96499061f3cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96499061f3cc12472b80926473bab2afd322b22637be12bc22cdfabcd143e149

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 96499061f3cc12472b80926473bab2afd322b22637be12bc22cdfabcd143e149

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2432863/
Cape
Cape
https://www.capesandbox.com/analysis/346359/

Comments