MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa339bd1440cf0f7a5faae531ab035233cf357baa7295af69239a9f2bb572996. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 15

SHA256 hash: aa339bd1440cf0f7a5faae531ab035233cf357baa7295af69239a9f2bb572996
SHA3-384 hash: 779d4cace83c34b35da2474e93f7d17d4c25fb631a451f4699e53e7191118ac86932aab36fcce0d09e924096743a16ad
SHA1 hash: fdc7f3ed1c1cdace4ed464b4e9fa16a4b95b8a5f
MD5 hash: 331bffe2f372fb71367f9cd6312ed2df
humanhash: nineteen-california-ack-oklahoma
File name: 331bffe2f372fb71367f9cd6312ed2df
Signature Smoke Loader
File size: 234'496 bytes
First seen: 2024-01-16 07:42:56 UTC
Last seen: 2024-01-16 09:22:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 4810d21d2e41f7ea32b1ed09331148af (3 x Smoke Loader, 1 x Stealc, 1 x TeamBot)
ssdeep 3072:4nqLS1HySqzJLBdUSJiA/1KvZYNbHR97xN25TbjqHMeIlVRGKXRTqTiZ/9rkWglm:4nwFB9bHm5WseN8quZlrk
Threatray 1'754 similar samples on MalwareBazaar
TLSH T178349E1135F1C032F3B7A97988B0D7F04E7BB8672A31558F6AD802794F296D2DA2471B
TrID 46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon d2b1e4c4ecf9c7f9 (16 x Smoke Loader, 3 x Stealc, 3 x GCleaner)
Reporter zbetcheckin
Tags: 32 exe Smoke Loader

Intelligence


File Origin
# of uploads: 2
# of downloads: 364
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: aa339bd1440cf0f7a5faae531ab035233cf357baa7295af69239a9f2bb572996.exe
Verdict: Suspicious activity
Analysis date: 2024-01-16 07:45:56 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Babuk, Clipboard Hijacker, Djvu
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected Djvu Ransomware
Yara detected PersistenceViaHiddenTask
Yara detected PureLog Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph ID: 1375199. Sample: vRngJnoGJU.exe. Startdate: 16/01/2024. Architecture: WINDOWS. Score: 100.
The rendered graph is not reproduced here; its nodes and edges are listed below as text.

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 21 other signatures. Domains resolved at start: tradein-myus.com, trade-inmyus.com and 10 other IPs or domains.

Process chain:
- vRngJnoGJU.exe (submitted sample): Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection). Injects into explorer.exe.
- explorer.exe (injected): System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier). Contacts trad-einmyus.com, 146.0.41.68 and 4 other IPs or domains. Drops gjhtugw, 70FE.exe, 4346.exe and 2 other malicious files. Starts 4346.exe, 3809.exe, 70FE.exe and 2 other processes (the latter: Injects a PE file into a foreign processes; start further 4346.exe instances).
- gjhtugw (dropped copy, started at top level): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration).
- 4346.exe (several instances, re-launching itself): Detected unpacking (overwrites its own PE header); Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Writes a notice file (html or txt) to demand a ransom; Injects a PE file into a foreign processes; Creates multiple autostart registry keys; Modifies existing user documents (likely ransomware behavior); 2 other signatures. Contacts api.2ip.ua. Drops _readme.txt (two locations), a copy of 4346.exe, build2.exe, build3.exe, build3[1].exe and 7 other malicious files. Starts icacls.exe, build3.exe and build2.exe.
- 3809.exe (two instances): Multi AV Scanner detection for dropped file; Creates multiple autostart registry keys; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Modifies the context of a thread in another process (thread injection). Drops sasuke.exe and Tags.exe.
- 70FE.exe: Antivirus detection for dropped file; LummaC encrypted strings found. Contacts copyexpertisesausewaverw.site and goddirtybrilliancece.fun. Crashes (two WerFault.exe instances started).
- 3 other processes (top level): Antivirus detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function). Start mstsca.exe, which starts schtasks.exe (with conhost.exe).
- build3.exe (two instances): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Uses schtasks.exe or at.exe to add and modify task schedules. Drops mstsca.exe. Starts schtasks.exe (with conhost.exe).
- build2.exe (two instances): Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Injects a PE file into a foreign processes; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Tries to harvest and steal browser information (history, passwords, etc). Contacts t.me and 49.13.6.118. Drops sqlite3[1].dll.

Network endpoints (host, IP, ports as reported, AS, country, contacting process):
- trad-einmyus.com, 188.119.67.81, ports 49734, 49735, 49736, RETN-ASEU, Russian Federation (explorer.exe)
- 146.0.41.68, ports 49800, 80, MYLOC-ASIPBackboneofmyLocmanagedITAGDE, Germany (explorer.exe)
- copyexpertisesausewaverw.site, 104.21.67.126, ports 443, 49778, CLOUDFLARENETUS, United States (70FE.exe)
- goddirtybrilliancece.fun, 172.67.204.58, ports 443, 49820, 49821, CLOUDFLARENETUS, United States (70FE.exe)
- api.2ip.ua, 104.21.65.24, ports 443, 49750, 49756, CLOUDFLARENETUS, United States (4346.exe)
- t.me, 149.154.167.99, ports 443, 49765, TELEGRAMRU, United Kingdom (build2.exe)
- 49.13.6.118, ports 10220, 49769, 49770, HETZNER-ASDE, Germany (build2.exe)

Dropped files:
- C:\Users\user\AppData\Roaming\gjhtugw, PE32 (explorer.exe)
- C:\Users\user\AppData\Local\Temp\70FE.exe, PE32 (explorer.exe)
- C:\Users\user\AppData\Local\Temp\4346.exe, PE32 (explorer.exe)
- 2 other malicious files (explorer.exe)
- C:\Users\user\_readme.txt, ASCII (4346.exe)
- C:\Users\user\AppData\Local\...\_readme.txt, ASCII (4346.exe)
- C:\Users\user\AppData\Roaming\sasuke.exe, PE32+ (3809.exe)
- C:\Users\user\AppData\Roaming\...\Tags.exe, PE32+ (3809.exe)
- C:\Users\user\AppData\Local\...\4346.exe, PE32 (4346.exe)
- C:\Users\user\AppData\Local\...\build3.exe, PE32 (4346.exe)
- C:\Users\user\AppData\Local\...\build2.exe, PE32 (4346.exe)
- C:\Users\user\AppData\Local\...\build3[1].exe, PE32 (4346.exe)
- 7 other malicious files (4346.exe)
- C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 (build3.exe)
- C:\Users\user\AppData\...\sqlite3[1].dll, PE32 (build2.exe)
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2024-01-16 07:43:06 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:djvu family:smokeloader family:vidar family:zgrat botnet:up3 backdoor discovery persistence ransomware rat stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Downloads MZ/PE file
Detect Vidar Stealer
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
ZGRat
Malware Config
C2 Extraction:
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
http://habrafa.com/test1/get.php
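The C2 URLs above are only useful once they are matched against telemetry. The following is an added example (not MalwareBazaar code and not sandbox output) that turns the four extracted URLs into indicators and runs them over web-proxy log lines. The log format (a constructed "timestamp client method url status" line) and the log lines themselves are made up for the example; the only real indicators are the four URLs from this entry. Because the three *inmyus* hostnames differ only in hyphen placement, the matcher normalises hostnames (case, trailing dot) and reports a host-only match as a separate, lower-confidence hit alongside the exact host+path match.

```python
"""Hunt the C2 URLs listed under "Malware Config" in web-proxy logs.

Added example; not MalwareBazaar or sandbox code. Log format and log lines
are constructed for illustration.
"""
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the entry's "C2 Extraction" section.
C2_URLS = [
    "http://trad-einmyus.com/index.php",
    "http://tradein-myus.com/index.php",
    "http://trade-inmyus.com/index.php",
    "http://habrafa.com/test1/get.php",
]


def build_indicators(urls):
    """Return (hosts, host_path_pairs) derived from the C2 URL list.

    Hosts are lowercased and stripped of a trailing dot so that a log entry
    for "TRADEIN-MYUS.COM." still matches. Host-only matching catches
    beaconing to paths not in the config; host+path is the tighter match.
    """
    hosts = set()
    pairs = set()
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname.lower().rstrip(".")
        hosts.add(host)
        pairs.add((host, parts.path or "/"))
    return hosts, pairs


def parse_line(line):
    """Parse a constructed 'ts client method url status' log line.

    Returns a dict, or None when the line does not have five fields or the
    URL carries no hostname (malformed lines are skipped, not raised on).
    """
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, method, url, status = fields
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": parts.hostname.lower().rstrip("."),
        "path": parts.path or "/",
        "status": status,
    }


def hunt(log_lines, urls=C2_URLS):
    """Return one hit per matching line: (ts, client, host, path, match_kind).

    match_kind is "url" for an exact host+path match against the config and
    "host" when only the hostname matches.
    """
    hosts, pairs = build_indicators(urls)
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["host"], rec["path"]) in pairs:
            hits.append((rec["ts"], rec["client"], rec["host"], rec["path"], "url"))
        elif rec["host"] in hosts:
            hits.append((rec["ts"], rec["client"], rec["host"], rec["path"], "host"))
    return hits


# Constructed log lines for the example (not taken from the sandbox run).
SAMPLE_LOG = [
    "2024-01-16T07:50:01Z 10.0.0.12 POST http://trad-einmyus.com/index.php 200",
    "2024-01-16T07:50:03Z 10.0.0.12 POST http://TRADEIN-MYUS.COM./index.php 200",
    "2024-01-16T07:50:09Z 10.0.0.12 GET http://trade-inmyus.com/other.php 404",
    "2024-01-16T07:51:00Z 10.0.0.13 GET http://example.org/index.php 200",
    "garbage line without structure",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Run against real proxy or DNS logs, only parse_line needs replacing; the indicator set and the two-tier match logic stay the same. A "host" hit with a path other than index.php is still worth triaging, since SmokeLoader's C2 hosts here are clearly registered as a set.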
Unpacked files
SHA256 hash: 9d89a3fb322ca87e9ffd11b86b5f8ff7782ef17d8c4c25aa681d4a43144264f2
MD5 hash: 3115a5525c3ae11f354b2d31de48b8ff
SHA1 hash: aa7b6c66b7c720caf3f2845b10588b698a7d7ff6
Detections: SmokeLoaderStage2 win_smokeloader_a2
SHA256 hash: aa339bd1440cf0f7a5faae531ab035233cf357baa7295af69239a9f2bb572996
MD5 hash: 331bffe2f372fb71367f9cd6312ed2df
SHA1 hash: fdc7f3ed1c1cdace4ed464b4e9fa16a4b95b8a5f
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Smoke Loader
File: Executable exe aa339bd1440cf0f7a5faae531ab035233cf357baa7295af69239a9f2bb572996 (this sample)

Comments

zbet commented on 2024-01-16 07:42:57 UTC

url: hxxp://galandskiyher5.com/downloads/toolspub2.exe