MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5e53f25bad800e86811e11ecd940b83b1f48cf64a00bfae877084a4624101a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5e53f25bad800e86811e11ecd940b83b1f48cf64a00bfae877084a4624101a1
SHA3-384 hash: cbb80bb2816f6ea8fbdaabfe892e6aac262a4c30c14f0cfd9c4c8cd12eca6fd874b0c81f016e19874bdebab746c0cfc1
SHA1 hash: 95784ac7e9e7ce82da4eb4bb90940d714566bf14
MD5 hash: 99b2f4168e80e2ec97edd578e4fbde1e
humanhash: spaghetti-grey-indigo-glucose
File name:99b2f4168e80e2ec97edd578e4fbde1e.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:565'760 bytes
First seen:2023-11-11 07:52:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:aMrly90b0NA0H7Gae/4IC50pCCHGN0PLvYMXiYQbDL6y8wp:HyCiaaewIsgCQGIgYDcn
TLSH T105C41243AADD8073E5B1637064FB02970B39BC619D7C936F3269194B5CB2AE0693173B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Sending a custom TCP request
Behavior that indicates a threat
Searching for the browser window
DNS request
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer keylogger lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/654f32e13dd412119bf68ee0/reports/65dc1ea5-cba7-4482-9be9-32da2d760b6c/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a5e53f25bad800e86811e11ecd940b83b1f48cf64a00bfae877084a4624101a1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41cb3abb-253a-4532-b2fc-0c006ae723c4
Result
Threat name:
Glupteba, RedLine, SmokeLoader, zgRAT
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1341058
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1341058 Sample: IgXfbk2kj6.exe Startdate: 11/11/2023 Architecture: WINDOWS Score: 100 159 Multi AV Scanner detection for domain / URL 2->159 161 Found malware configuration 2->161 163 Malicious sample detected (through community Yara rule) 2->163 165 16 other signatures 2->165 10 IgXfbk2kj6.exe 1 4 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 1 2->16         started        18 8 other processes 2->18 process3 dnsIp4 93 C:\Users\user\AppData\Local\...\3Of28Fs.exe, PE32 10->93 dropped 95 C:\Users\user\AppData\Local\...\1zW85iv5.exe, PE32 10->95 dropped 183 Binary is likely a compiled AutoIt script file 10->183 21 3Of28Fs.exe 10->21         started        24 1zW85iv5.exe 12 10->24         started        185 Changes security center settings (notifications, updates, antivirus, firewall) 14->185 26 MpCmdRun.exe 14->26         started        187 Query firmware table information (likely to detect VMs) 16->187 113 168.61.215.74 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->113 115 104.117.234.93 AKAMAI-ASUS United States 18->115 117 127.0.0.1 unknown unknown 18->117 file5 signatures6 process7 signatures8 169 Antivirus detection for dropped file 21->169 171 Multi AV Scanner detection for dropped file 21->171 173 Machine Learning detection for dropped file 21->173 181 5 other signatures 21->181 28 explorer.exe 8 21 21->28 injected 175 Binary is likely a compiled AutoIt script file 24->175 177 Found API chain indicative of sandbox detection 24->177 179 Contains functionality to modify clipboard data 24->179 33 chrome.exe 24->33         started        35 chrome.exe 2 24->35         started        37 chrome.exe 24->37         started        41 7 other processes 24->41 39 conhost.exe 26->39         started        process9 dnsIp10 119 185.174.136.219 SUPERSERVERSDATACENTERRU Russian Federation 28->119 121 185.196.9.161 SIMPLECARRIERCH Switzerland 28->121 129 5 other IPs or domains 28->129 105 C:\Users\user\AppData\Local\TempF46.exe, PE32+ 28->105 dropped 107 C:\Users\user\AppData\Local\Temp\B336.exe, PE32 28->107 dropped 109 C:\Users\user\AppData\Local\Temp\AED.exe, PE32+ 28->109 dropped 111 5 other malicious files 28->111 dropped 209 System process connects to network (likely due to code injection or exploit) 28->209 211 Benign windows process drops PE files 28->211 213 Adds a directory exclusion to Windows Defender 28->213 43 B336.exe 28->43         started        47 590D.exe 28->47         started        50 EF46.exe 28->50         started        58 3 other processes 28->58 215 Suspicious execution chain found 33->215 52 chrome.exe 33->52         started        123 192.168.2.5 unknown unknown 35->123 125 192.168.2.7 unknown unknown 35->125 127 239.255.255.250 unknown Reserved 35->127 54 chrome.exe 35->54         started        60 2 other processes 35->60 56 chrome.exe 37->56         started        62 7 other processes 41->62 file11 signatures12 process13 dnsIp14 97 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 43->97 dropped 99 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 43->99 dropped 101 C:\Users\user\AppData\...\InstallSetup5.exe, PE32 43->101 dropped 103 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 43->103 dropped 189 Antivirus detection for dropped file 43->189 191 Multi AV Scanner detection for dropped file 43->191 193 Machine Learning detection for dropped file 43->193 195 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->195 64 31839b57a4f11171d6abc8bbc4451ee4.exe 43->64         started        67 latestX.exe 43->67         started        70 toolspub2.exe 43->70         started        80 3 other processes 43->80 131 176.123.9.142 ALEXHOSTMD Moldova Republic of 47->131 197 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 47->197 199 Found many strings related to Crypto-Wallets (likely being stolen) 47->199 201 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 47->201 207 2 other signatures 47->207 72 conhost.exe 47->72         started        203 Modifies the context of a thread in another process (thread injection) 50->203 205 Injects a PE file into a foreign processes 50->205 74 EF46.exe 50->74         started        133 104.244.42.131 TWITTERUS United States 54->133 135 104.244.42.133 TWITTERUS United States 54->135 139 71 other IPs or domains 54->139 137 194.49.94.11 EQUEST-ASNL unknown 58->137 76 conhost.exe 58->76         started        78 conhost.exe 58->78         started        file15 signatures16 process17 file18 141 Multi AV Scanner detection for dropped file 64->141 143 Detected unpacking (changes PE section rights) 64->143 145 Detected unpacking (overwrites its own PE header) 64->145 157 2 other signatures 64->157 85 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 67->85 dropped 87 C:\Windows\System32\drivers\etc\hosts, ASCII 67->87 dropped 147 Modifies the hosts file 67->147 149 Adds a directory exclusion to Windows Defender 67->149 151 Machine Learning detection for dropped file 70->151 153 Sample uses process hollowing technique 70->153 155 Injects a PE file into a foreign processes 70->155 89 C:\Users\user\AppData\Local\...\TypeId.exe, PE32+ 74->89 dropped 91 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 80->91 dropped 82 Broom.exe 80->82         started        signatures19 process20 signatures21 167 Multi AV Scanner detection for dropped file 82->167
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a5e53f25bad800e86811e11ecd940b83b1f48cf64a00bfae877084a4624101a1
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5e53f25bad800e86811e11ecd940b83b1f48cf64a00bfae877084a4624101a1/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-11 07:37:08 UTC
File Type:
PE (Exe)
Extracted files:
63
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uxst6jn23aaoq2ar4epm3falqoy7jdhwjial7luhocckiysbagqq._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor persistence trojan
Link:
https://tria.ge/reports/231111-jqyr9adf29/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://5.42.92.190/fks/index.php
Unpacked files
SH256 hash:
adcd0b033eb5e65780a693ea3c66024196ce38ffb86b1230c481c807c8461547
MD5 hash:
e8f36014cde02efe260bbf4cde34cd16
SHA1 hash:
3f9f62732d61075d29677f18d187af6a65d756f2
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/53a3c436-2fbe-4c61-b1e0-51f9415481e8/
SH256 hash:
46d73000badea343d2cb0847c368847c37606303018f3c4978d01873e0b4fb82
MD5 hash:
91df744d778858b578e9e1200e3644ae
SHA1 hash:
0ad8bc6a8b89368b135918e95f1e6b49150192f1
Link:
https://www.unpac.me/results/53a3c436-2fbe-4c61-b1e0-51f9415481e8/
Parent samples :
dd49ae56ccd5824fe4f6b62ed6b3b3466a40e56163c23adee63b9b26d96b09c5
afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733
3e7af42c2132ad7ca46675fcc364bbfff19ed9a9b6e7c1416215334bcc1e6a27
30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c
SH256 hash:
a5e53f25bad800e86811e11ecd940b83b1f48cf64a00bfae877084a4624101a1
MD5 hash:
99b2f4168e80e2ec97edd578e4fbde1e
SHA1 hash:
95784ac7e9e7ce82da4eb4bb90940d714566bf14
Link:
https://www.unpac.me/results/53a3c436-2fbe-4c61-b1e0-51f9415481e8/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5e53f25bad8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5e53f25bad800e86811e11ecd940b83b1f48cf64a00bfae877084a4624101a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe a5e53f25bad800e86811e11ecd940b83b1f48cf64a00bfae877084a4624101a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2729439/
  
Delivery method
Distributed via web download

Comments