MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6d9fe603fd005b5fa8e29eeb04e8b312a8083f58f38ec4367faf1bf6a6ce2dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6d9fe603fd005b5fa8e29eeb04e8b312a8083f58f38ec4367faf1bf6a6ce2dd
SHA3-384 hash: f6564d70b6830dcaf8ed2c830ef49bb98c05f772d047b556dec8227765fcf121aa7a5f64990c6ae337a29982f75ebc60
SHA1 hash: de1c2fa73ab7349b574453988d8025efd06c5135
MD5 hash: df588489d5aea0c65d48ab70c29b9977
humanhash: sad-winter-shade-vegan
File name:df588489d5aea0c65d48ab70c29b9977.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:522'752 bytes
First seen:2023-11-11 07:43:07 UTC
Last seen:2023-11-11 09:19:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:kj+/FhNZfmJlk7fuHjQ3UdCXmtKFm1LkGYyP4VxtPMw/7vmHD:kYTfmoW6+2WkG1ot7OH
Threatray 1 similar samples on MalwareBazaar
TLSH T131B4026060B9A349F2F68A778DA273C053366033B306D766EE42F201B96DBD7D7C1562
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
280
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.32528.10599.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Modifying a system file
Replacing files
Creating a file in the %AppData% subdirectories
Launching a service
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/654f30c5993fbf888b6f98e4/reports/05ef4528-9741-4130-a043-b1bb372922c5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a6d9fe603fd005b5fa8e29eeb04e8b312a8083f58f38ec4367faf1bf6a6ce2dd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc24a772-335b-49f5-bbd6-167a1f8d3c60
Result
Threat name:
Glupteba, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1341038
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking computer name)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1341038 Sample: gDQxSlFT7e.exe Startdate: 11/11/2023 Architecture: WINDOWS Score: 100 107 Multi AV Scanner detection for domain / URL 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 Antivirus detection for URL or domain 2->111 113 14 other signatures 2->113 8 gDQxSlFT7e.exe 2 4 2->8         started        11 svchost.exe 2->11         started        13 svchost.exe 2->13         started        15 6 other processes 2->15 process3 dnsIp4 121 Writes to foreign memory regions 8->121 123 Allocates memory in foreign processes 8->123 125 Adds a directory exclusion to Windows Defender 8->125 131 2 other signatures 8->131 18 CasPol.exe 15 326 8->18         started        23 powershell.exe 23 8->23         started        127 Query firmware table information (likely to detect VMs) 11->127 129 Changes security center settings (notifications, updates, antivirus, firewall) 13->129 105 168.61.215.74 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->105 signatures5 process6 dnsIp7 89 107.167.110.211 OPERASOFTWAREUS United States 18->89 91 107.167.110.216 OPERASOFTWAREUS United States 18->91 93 19 other IPs or domains 18->93 45 C:\Users\...\z7Mcu9RtcJaPJbvbKc5j0Yje.exe, PE32 18->45 dropped 47 C:\Users\...\z71Bh7aACYVUdoAYpqomTiJb.exe, PE32 18->47 dropped 49 C:\Users\...\ypmkBSWt7mIdw6sAB2UuoFul.exe, PE32 18->49 dropped 51 269 other malicious files 18->51 dropped 115 Drops script or batch files to the startup folder 18->115 117 Creates HTML files with .exe extension (expired dropper behavior) 18->117 119 Writes many files with high entropy 18->119 25 G4ZD9Wtu4gqnpyrrCXULkfoX.exe 18->25         started        28 sy6GzmAhsQQCRLIc726dLzxe.exe 18->28         started        30 4smL3fFrBiALNBgGrPuQez5s.exe 18->30         started        36 21 other processes 18->36 34 conhost.exe 23->34         started        file8 signatures9 process10 dnsIp11 71 C:\Users\user\AppData\Local\...\is-04GJA.tmp, PE32 25->71 dropped 38 is-04GJA.tmp 25->38         started        73 C:\Users\user\AppData\Local\...\is-SJJAM.tmp, PE32 28->73 dropped 41 is-SJJAM.tmp 28->41         started        95 149.154.167.99 TELEGRAMRU United Kingdom 30->95 97 168.119.173.77 HETZNER-ASDE Germany 30->97 75 C:\Users\user\AppData\...\softokn3[1].dll, PE32 30->75 dropped 77 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 30->77 dropped 85 10 other files (6 malicious) 30->85 dropped 133 Detected unpacking (changes PE section rights) 30->133 135 Detected unpacking (overwrites its own PE header) 30->135 137 Found evasive API chain (may stop execution after checking computer name) 30->137 99 107.167.110.218 OPERASOFTWAREUS United States 36->99 101 107.167.125.189 OPERASOFTWAREUS United States 36->101 103 7 other IPs or domains 36->103 79 C:\Users\user\AppData\Local\...\is-34V9B.tmp, PE32 36->79 dropped 81 Opera_installer_2311110939263984036.dll, PE32 36->81 dropped 83 Opera_installer_2311110752464407832.dll, PE32 36->83 dropped 87 5 other malicious files 36->87 dropped 139 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 36->139 141 Found Tor onion address 36->141 143 Disables Windows Defender (deletes autostart) 36->143 145 7 other signatures 36->145 43 FqQrK7hEltYxlm8mJOalQblj.exe 36->43         started        file12 signatures13 process14 file15 53 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 38->53 dropped 55 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 38->55 dropped 57 C:\Program Files (x86)\...\is-LK3SJ.tmp, PE32 38->57 dropped 67 27 other files (26 malicious) 38->67 dropped 59 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 41->59 dropped 61 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 41->61 dropped 63 C:\Program Files (x86)\...\is-G82VA.tmp, PE32 41->63 dropped 69 25 other files (24 malicious) 41->69 dropped 65 Opera_installer_2311110939271704808.dll, PE32 43->65 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a6d9fe603fd005b5fa8e29eeb04e8b312a8083f58f38ec4367faf1bf6a6ce2dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6d9fe603fd005b5fa8e29eeb04e8b312a8083f58f38ec4367faf1bf6a6ce2dd/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2023-11-10 21:56:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3m74yb72ac3l6uofhxlatulgeviba7vr44oyq3h7ly362tm4loq._file
Verdict:
unknown
Similar samples:
d49b370f904ed81206f425ffcb258c6e52d2de21cfd43d225506f2236e5f1f44
Smoke Loader
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:glupteba family:privateloader family:smokeloader botnet:pub1 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/231111-jktaksde58/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
DcRat
Glupteba
Glupteba payload
PrivateLoader
SmokeLoader
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
a6d9fe603fd005b5fa8e29eeb04e8b312a8083f58f38ec4367faf1bf6a6ce2dd
MD5 hash:
df588489d5aea0c65d48ab70c29b9977
SHA1 hash:
de1c2fa73ab7349b574453988d8025efd06c5135
Link:
https://www.unpac.me/results/bae71b88-eb44-4a7b-9291-e0c9ec36a321/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a6d9fe603fd0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6d9fe603fd005b5fa8e29eeb04e8b312a8083f58f38ec4367faf1bf6a6ce2dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe a6d9fe603fd005b5fa8e29eeb04e8b312a8083f58f38ec4367faf1bf6a6ce2dd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2728668/
  
Delivery method
Distributed via web download

Comments