MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a51028636c248144ec21dcc056c1bc19bc0ecaf61bdf2a845410e64f7f26803c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a51028636c248144ec21dcc056c1bc19bc0ecaf61bdf2a845410e64f7f26803c
SHA3-384 hash: 0e2e6f5c69d514c79a78360421d7cfcaf06be3aaed3b4b00d365b43b5415fc7038ee9f7e3d089ed41e75415dfe99fe17
SHA1 hash: 97a7beb766427372478cf2961d6635570703db33
MD5 hash: 5cc9482bfa632c0f5bdc71c9e3d9e123
humanhash: kitten-twenty-two-arizona
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:1'818'336 bytes
First seen:2024-07-22 10:50:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bdd12e28ad568dc64eacd7cb42d8e2d5 (2 x RedLineStealer, 2 x Formbook, 1 x Smoke Loader)
ssdeep 49152:Q2u/BMdg532rpsjCMqigjns2+a95PlpiH9MzMrcgt4hUNyiBaU:nrpEZI6BaU
Threatray 78 similar samples on MalwareBazaar
TLSH T1E785AE05E3E801A8D57BDA34CA659333D67178460730E58F069CD65A2FB3EA1AF7B312
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Bitsight
Tags:exe signed Smoke Loader

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-07-22T08:56:44Z
Valid to:2025-07-22T08:56:44Z
Serial number: eea5347983ae91f16ab0a1bb081e3162
Thumbprint Algorithm:SHA256
Thumbprint: 57b374c44c0625219eb8effa63156aaae130471c362417a1873cde003d52e98d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: https://raw.githubusercontent.com/evan9908/setup1/main/file200h.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
archive-200724-01_07_10.zip
Verdict:
Malicious activity
Analysis date:
2024-07-22 09:06:59 UTC
Tags:
evasion privateloader github loader risepro stealer stealc pastebin redline metastealer telegram vidar themida cryptbot miner tofsee socks5systemz proxy
Link:
https://app.any.run/tasks/f7364090-e9ee-4ccb-b6a4-f60e4c57c25f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Dacic-10033090-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669e399a2f6eaff4b90f2a79
Tags:
Encryption Execution Network Static Stealth Crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Creating a process from a recently created file
Sending an HTTP POST request
Creating a window
Reading critical registry keys
Searching for the window
Stealing user critical data
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint hacktool lolbin microsoft_visual_cc overlay packed regedit remote shell32
Link:
https://www.filescan.io/uploads/669e3999a537d9330be17ed3/reports/073b01e0-7ba0-474e-9794-2305a36e2935/overview
Verdict:
Malicious
Labled as:
Win64/GenKryptik.GYXR trojan
Link:
https://www.hybrid-analysis.com/sample/a51028636c248144ec21dcc056c1bc19bc0ecaf61bdf2a845410e64f7f26803c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b66d4aca-5be4-47b9-902e-41581280bc13
Result
Threat name:
Cryptbot, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1478274
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Cryptbot
Yara detected Generic Downloader
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1478274 Sample: file.exe Startdate: 22/07/2024 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 10 other signatures 2->55 7 file.exe 1 2->7         started        process3 signatures4 67 Writes to foreign memory regions 7->67 69 Allocates memory in foreign processes 7->69 71 Adds a directory exclusion to Windows Defender 7->71 73 2 other signatures 7->73 10 InstallUtil.exe 15 306 7->10         started        15 powershell.exe 23 7->15         started        17 conhost.exe 7->17         started        process5 dnsIp6 43 103.28.36.182 NHANHOA-AS-VNNhanHoaSoftwarecompanyVN Viet Nam 10->43 45 185.199.110.133 FASTLYUS Netherlands 10->45 47 2 other IPs or domains 10->47 33 C:\Users\...\zgtz67JKbdEtH0XhcIypt9pq.exe, PE32 10->33 dropped 35 C:\Users\...\yko37xFbG7mITPgMpkgv5Mn4.exe, PE32 10->35 dropped 37 C:\Users\...\ykLssNmsFfUOQnVf0icV9H8Y.exe, PE32 10->37 dropped 39 246 other malicious files 10->39 dropped 75 Drops script or batch files to the startup folder 10->75 77 Creates HTML files with .exe extension (expired dropper behavior) 10->77 79 Found many strings related to Crypto-Wallets (likely being stolen) 10->79 19 yko37xFbG7mITPgMpkgv5Mn4.exe 10->19         started        22 W62OsxkS8pHys7DWwZP7gliI.exe 10->22         started        25 8CuqO5VdbDTEO3dLAu6pZd2W.exe 10->25         started        31 23 other processes 10->31 81 Loading BitLocker PowerShell Module 15->81 27 conhost.exe 15->27         started        29 WmiPrvSE.exe 15->29         started        file7 signatures8 process9 dnsIp10 57 Detected unpacking (changes PE section rights) 19->57 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->59 61 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->61 65 4 other signatures 19->65 41 84.38.182.247 SELECTELRU Russian Federation 22->41 63 Tries to harvest and steal browser information (history, passwords, etc) 22->63 signatures11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a51028636c248144ec21dcc056c1bc19bc0ecaf61bdf2a845410e64f7f26803c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a51028636c248144ec21dcc056c1bc19bc0ecaf61bdf2a845410e64f7f26803c/
Threat name:
Win64.Trojan.Operaloader
Create hunting rule
Status:
Malicious
First seen:
2024-07-22 10:51:08 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uuicqy3mesauj3bb3tafnqn4dg6a5sxwdppsvbcucdte67zgqa6a._file
Verdict:
malicious
Similar samples:
032894933fc40d5f1533c5f1056c3a5fd39f32e74b8620d72ff05ba7e6a5f45f
Smoke Loader
2585cb569fb0b17313e1181b721645f7b56114a527c94dac60e3fd15c7411370
Smoke Loader
4d3ab87fb7d7837d1ec36eb2c804b1dd39981cc3389cae370c7a70fd238f272e
Smoke Loader
5b3882062ae00e0e7a16786510e58e6d6fbe83a5b36691eb3911647e98b16c53
Smoke Loader
70367e0bfb4de8097ebef88d2a33d035db64f84cc202e44e46c006eb87b937e0
Smoke Loader
a51028636c248144ec21dcc056c1bc19bc0ecaf61bdf2a845410e64f7f26803c
Smoke Loader
+ 68 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/240722-mxtcwsvajp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e58b29ca-8345-4adb-b5d5-a863294273cb
Unpacked files
SH256 hash:
a51028636c248144ec21dcc056c1bc19bc0ecaf61bdf2a845410e64f7f26803c
MD5 hash:
5cc9482bfa632c0f5bdc71c9e3d9e123
SHA1 hash:
97a7beb766427372478cf2961d6635570703db33
Link:
https://www.unpac.me/results/ad02be33-e4f3-484a-8d37-e1d8654ecb71/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a51028636c24/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a51028636c248144ec21dcc056c1bc19bc0ecaf61bdf2a845410e64f7f26803c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe a51028636c248144ec21dcc056c1bc19bc0ecaf61bdf2a845410e64f7f26803c

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3060614/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::RevertToSelf
ADVAPI32.dll::GetSecurityDescriptorLength
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetWindowsAccountDomainSid
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::DeleteVolumeMountPointW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::ReplaceFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDecrypt
bcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptEncrypt
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptImportKey
bcrypt.dll::BCryptOpenAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExA
ADVAPI32.dll::RegSetValueExW

Comments