MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5da18a9350a63a4d2ec54da2d3e49bf4277307209979bfad54538eff856bf9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 17


SHA256 hash: a5da18a9350a63a4d2ec54da2d3e49bf4277307209979bfad54538eff856bf9c
SHA3-384 hash: c768e526a06d788a632d959fb6ef2423b3980f9e31550923688f51f9a8d79e9250ba4c795b340804cb276a07dbdc29e8
SHA1 hash: e0b759566e97982e514be29db259b50c1970c67e
MD5 hash: 9b65ca43d28bdea147a039143e759361
humanhash: early-golf-mexico-skylark
File name: 9b65ca43d28bdea147a039143e759361
Signature: Smoke Loader
File size: 294'400 bytes
First seen: 2024-02-14 10:39:23 UTC
Last seen: 2024-02-14 12:34:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7b013929d49f752f683cc55db1700a48 (1 x Glupteba, 1 x LummaStealer, 1 x Smoke Loader)
ssdeep: 3072:NjazK4SL7StnhPfuC0G7p7LVQ4zKjf7COAINF9Nmd1XJsxUxaIa2Vd:AzK4Gep7LVQ4zKBAIv3mDJsxUxaIh
TLSH: T1C854BE1023D490B1D34311344561EBB90BEEBC25A262BA8F6FD5E67E5F38395B62730E
TrID:
  37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
  7.3% (.ICL) Windows Icons Library (generic) (2059/9)
  7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 3370ccd2ccf033da (36 x Smoke Loader, 10 x Stealc, 8 x GCleaner)
Reporter: zbetcheckin
Tags: 32 exe Smoke Loader

Intelligence


File Origin
# of uploads: 2
# of downloads: 511
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID: 1
File name: a5da18a9350a63a4d2ec54da2d3e49bf4277307209979bfad54538eff856bf9c.exe
Verdict: Malicious activity
Analysis date: 2024-02-14 10:41:38 UTC
Tags: loader smoke smokeloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Launching a process
Sending an HTTP GET request to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Babuk, Djvu, PureLog Stealer, Re
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Silenttrinity Stager Msbuild Activity
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1392065
Sample: 69Rgjcm24m.exe
Start date: 14/02/2024
Architecture: WINDOWS
Score: 100
Contacted domains: trad-einmyus.com; theoryapparatusjuko.fun; 13 other IPs or domains
Graph-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 20 other signatures

Process tree recovered from the graph (network endpoints, dropped files and per-process signatures as labelled on each node):

69Rgjcm24m.exe (started)
  Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
  Injects into: explorer.exe
    Network: m2reg.ulm.ac.id 103.23.232.80:80 (UNLAM-AS-ID Universitas Lambung Mangkurat, Indonesia); 45.15.156.174:443 (RU-KSTV Kolomna Group of companies Guarantee-tv, Russian Federation); 6 other IPs or domains
    Dropped: C:\Users\user\AppData\Roaming\rhjigwj (PE32); C:\Users\user\AppData\Local\Temp377.exe (PE32); C:\Users\user\AppData\Local\Temp\C15B.exe (PE32); 2 other malicious files
    Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
    Starts: E377.exe; C15B.exe; BA6F.exe; 4 other processes
      E377.exe
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        Starts: RegAsm.exe; conhost.exe
          RegAsm.exe
            Network: 216.98.13.202:80 (ATLANTIC-NET-1, United States)
            Dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (5 malicious)
            Signatures: Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 2 other signatures
      C15B.exe
        Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 2 other signatures
        Starts: C15B.exe
          C15B.exe
            Network: api.2ip.ua 104.21.65.24:443 (CLOUDFLARENET, United States)
            Dropped: C:\Users\user\AppData\Local\...\C15B.exe (PE32)
            Starts: C15B.exe; icacls.exe
              C15B.exe
                Signatures: Injects a PE file into a foreign processes
                Starts: C15B.exe
      BA6F.exe
        Dropped: C:\Users\user\AppData\...\Protect544cd51a.dll (PE32)
        Signatures: Sample uses process hollowing technique; LummaC encrypted strings found
        Starts: MSBuild.exe
          MSBuild.exe
            Network: strainriskpropos.store 172.67.223.132:443 (CLOUDFLARENET, United States); punchtelephoneverdi.store 172.67.154.29:443 (CLOUDFLARENET, United States)
      4 other processes
        Signatures: Uses cmd line tools excessively to alter registry or file data
        Starts: conhost.exe; reg.exe; C15B.exe; 3 other processes
C15B.exe (started)
  Signatures: Antivirus detection for dropped file; Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; 2 other signatures
  Starts: C15B.exe
    C15B.exe
      Network: habrafa.com 95.86.30.3:80 (INEL-AS, Macedonia)
      Dropped: C:\Users\user\_README.txt (ASCII); C:\Users\user\Desktop\UNKRLCVOHV.mp3 (data); C:\Users\user\DesktopIVQSAOTAQ.jpg (data); 2 other malicious files
      Signatures: Modifies existing user documents (likely ransomware behavior)
rhjigwj (started)
  Signatures: Multi AV Scanner detection for dropped file; Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
rhjigwj (started, second instance)
  Signatures: Creates a thread in another existing process (thread injection)
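The signature list and process tree above describe a recognisable host-side pattern: the sample injects into explorer.exe, the injected explorer.exe drops PE files into %AppData% and %TEMP% and launches them, reg.exe is used to set a Run key, and MSBuild.exe makes its own outbound connections. The Python below is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted on this page: it encodes those behaviours as simple detections and runs them over a handful of constructed Sysmon-style events. The image paths, PIDs, the reg.exe command line, the SYSTEM_IMAGES allowlist and the private-range filter are assumptions for illustration.

```python
import re

# Constructed Sysmon-style events, not real telemetry. Event IDs follow
# Sysmon (1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate); PIDs,
# the reg.exe command line and the benign controls are invented, while the
# file names and destinations echo the sandbox report for this sample.
EVENTS = [
    {"id": 11, "pid": 1200, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Roaming\rhjigwj"},
    {"id": 11, "pid": 1200, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\C15B.exe"},
    {"id": 3, "pid": 1200, "image": r"C:\Windows\explorer.exe",
     "dst": "103.23.232.80", "dport": 80},
    {"id": 1, "pid": 1300, "ppid": 1200, "cmdline": "C15B.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\C15B.exe"},
    {"id": 1, "pid": 1500, "ppid": 1200, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v rhjigwj /d "C:\Users\user\AppData\Roaming\rhjigwj" /f'},
    {"id": 3, "pid": 1600, "dst": "172.67.223.132", "dport": 443,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    # Benign controls: a browser reaching a public address, and explorer.exe
    # talking SMB to a private-range file server, must not fire anything.
    {"id": 3, "pid": 1700, "dst": "93.184.216.34", "dport": 443,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 3, "pid": 1200, "image": r"C:\Windows\explorer.exe",
     "dst": "10.0.0.5", "dport": 445},
]

# Assumptions: a short list of Windows processes that should not be writing
# PEs into user-writable paths or reaching the Internet on their own, and an
# RFC 1918 / loopback filter so ordinary file-server traffic is ignored.
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "dllhost.exe"}
PRIVATE_DST = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples in event order."""
    hits = []
    dropped = {}  # lower-cased path -> pid of the system process that wrote it
    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 11:
            # A trusted image writing into %AppData%/%TEMP% is the "benign
            # windows process drops PE files" signature. Remember the path so
            # a later ProcessCreate from it links the drop to its execution.
            if img in SYSTEM_IMAGES and USER_WRITABLE.search(ev["target"]):
                dropped[ev["target"].lower()] = ev["pid"]
                hits.append(("system_process_drops_to_user_dir", ev["pid"], ev["target"]))
        elif ev["id"] == 1:
            if ev["image"].lower() in dropped:
                hits.append(("dropped_file_executed", ev["pid"], ev["image"]))
            if img == "reg.exe" and RUN_KEY.search(ev.get("cmdline", "")):
                hits.append(("run_key_via_reg", ev["pid"], ev["cmdline"]))
        elif ev["id"] == 3 and not PRIVATE_DST.match(ev["dst"]):
            dst = f'{ev["dst"]}:{ev["dport"]}'
            if img in SYSTEM_IMAGES:
                # explorer.exe is the injection target in the graph; a shell
                # process with its own Internet connection is the "system
                # process connects to network" signature.
                hits.append(("system_process_network", ev["pid"], dst))
            if img == "msbuild.exe":
                # MSBuild.exe is a living-off-the-land host for inline-task
                # stagers and has no business reaching the Internet.
                hits.append(("msbuild_network", ev["pid"], dst))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:34} pid={pid} {detail}")
```

The drop-then-execute correlation is the part worth keeping in a real rule: a single FileCreate from explorer.exe into %AppData% is noisy on its own, but the same path appearing as the image of a new process moments later is rare outside loaders of this kind.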
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2024-02-14 10:40:07 UTC
File Type: PE (Exe)
Extracted files: 62
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:dcrat family:djvu family:smokeloader family:stealc family:vidar family:zgrat botnet:13bd7290c1961db27b4ede41bfbf4c5e botnet:tfd5 backdoor discovery infostealer persistence ransomware rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
DcRat
Detect Vidar Stealer
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Stealc
Vidar
ZGRat
Malware Config
C2 Extraction:
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
http://habrafa.com/test1/get.php
https://t.me/karl3on
https://steamcommunity.com/profiles/76561199637071579
http://216.98.13.202
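The C2 list above mixes attacker-controlled domains and a bare IP with two dead-drop resolver URLs on shared services (t.me and steamcommunity.com). Blocking or alerting on those two hosts would flag every Telegram or Steam user, so for them the indicator has to be the exact path. The Python below is an added example, not code from MalwareBazaar or from the vendor that extracted the configuration: it splits the list into host-level and path-level indicators, defangs them for reporting, and runs them over constructed proxy log lines. The SHARED_SERVICES set, the log format and the client addresses are assumptions.

```python
from urllib.parse import urlsplit

# The C2 list as extracted on this entry (copied, not invented).
C2_URLS = [
    "http://trad-einmyus.com/index.php",
    "http://tradein-myus.com/index.php",
    "http://trade-inmyus.com/index.php",
    "http://habrafa.com/test1/get.php",
    "https://t.me/karl3on",
    "https://steamcommunity.com/profiles/76561199637071579",
    "http://216.98.13.202",
]

# Assumption: hosts the malware only borrows as dead-drop resolvers. They are
# legitimate services, so the indicator is the exact path, never the host.
SHARED_SERVICES = {"t.me", "steamcommunity.com"}


def defang(url):
    """hxxp://host[.]tld/path form for reports; only the netloc is bracketed."""
    p = urlsplit(url)
    netloc = p.netloc.replace(".", "[.]")
    query = f"?{p.query}" if p.query else ""
    return f"hxx{p.scheme[3:]}://{netloc}{p.path}{query}"  # http -> hxxp, https -> hxxps


def build_indicators(urls):
    """Split C2 URLs into host-level and (host, path)-level indicators."""
    hosts, paths = set(), set()
    for u in urls:
        p = urlsplit(u)
        host = p.hostname.lower()
        if host in SHARED_SERVICES:
            paths.add((host, p.path.rstrip("/")))
        else:
            hosts.add(host)
    return hosts, paths


def match(url, hosts, paths):
    """Return 'host', 'path' or None for a single URL."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if host in hosts:
        return "host"
    if (host, p.path.rstrip("/")) in paths:
        return "path"
    return None


# Constructed proxy log lines (timestamp, client, method, URL, status). The
# clients and timestamps are invented; the URLs exercise each indicator type,
# including a legitimate Telegram channel and a trailing-slash variant.
PROXY_LOG = [
    "2024-02-14T10:42:01Z 10.0.0.21 GET http://trad-einmyus.com/index.php 200",
    "2024-02-14T10:42:05Z 10.0.0.21 POST http://habrafa.com/test1/get.php 200",
    "2024-02-14T10:42:09Z 10.0.0.21 GET https://t.me/karl3on 200",
    "2024-02-14T10:43:00Z 10.0.0.22 GET https://t.me/some_public_channel 200",
    "2024-02-14T10:43:10Z 10.0.0.23 GET https://steamcommunity.com/profiles/76561199637071579/ 200",
    "2024-02-14T10:44:00Z 10.0.0.23 GET http://216.98.13.202/softokn3.dll 200",
    "2024-02-14T10:45:00Z 10.0.0.24 GET https://www.example.com/ 200",
]


def scan(lines, hosts, paths):
    """Return (client, match_kind, defanged_url) for every line that matches."""
    found = []
    for line in lines:
        _ts, client, _method, url, _status = line.split()
        kind = match(url, hosts, paths)
        if kind:
            found.append((client, kind, defang(url)))
    return found


if __name__ == "__main__":
    hosts, paths = build_indicators(C2_URLS)
    for client, kind, url in scan(PROXY_LOG, hosts, paths):
        print(f"{client} {kind:4} {url}")
```

The bare IP 216.98.13.202 is matched at host level, which also catches the DLL downloads the RegAsm.exe node in the behavior graph shows against that address; the path-level entries deliberately ignore the legitimate t.me channel in the log.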
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Smoke Loader
File: Executable exe a5da18a9350a63a4d2ec54da2d3e49bf4277307209979bfad54538eff856bf9c (this sample)

Comments



zbet commented on 2024-02-14 10:39:24 UTC

url: hxxp://galandskiyher5.com/downloads/toolspub5.exe