MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220
SHA3-384 hash: 1758b5b867a05b2ba222fe80c08dfd9a80caece5ea97c6dcfac5e5f8865186f3e5d3fc010b26218a6119393e3ad99108
SHA1 hash: cef6d340e836b1deb4be733e67273d1a9a328a35
MD5 hash: fb9c4b9a277d1bec79c5d72eb92048ae
humanhash: carbon-king-music-bravo
File name:fb9c4b9a277d1bec79c5d72eb92048ae.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:753'511 bytes
First seen:2024-05-22 18:09:30 UTC
Last seen:2024-05-22 18:41:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 12288:ZFs228hxeGgy74QrVA2s/gUZj9yypbStAbQwxTnrmyP6iWOFhLKXMht7numB6804:s2/TD4QrsgYRyyItAHrmyfT3mCnT6804
Threatray 1'085 similar samples on MalwareBazaar
TLSH T193F4239347A0CC67C2A34BB096FA12385FE5FB287069C3D777066E822EF97C09561857
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 78f6e3e7e6e6e8e0 (1 x Smoke Loader, 1 x AsyncRAT)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220.exe
Verdict:
Malicious activity
Analysis date:
2024-05-22 18:29:44 UTC
Tags:
loader smokeloader
Link:
https://app.any.run/tasks/3e2b7e19-ee0b-4634-bcc6-e4a92264cf2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Zum.Androm.1.1011.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=664e356c5ebf6665efb435d1win10vpnfull_triage
Tags:
Discovery Encryption Execution Generic Network Static Stealth Trojan Malware
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin overlay packed redcap shell32
Link:
https://www.filescan.io/uploads/664e34fec19b369e29fc6bdb/reports/021dbbfe-4779-4493-b376-e05074811a51/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/42a45c05-c320-4479-9771-28c1d61212cc
Result
Threat name:
LummaC, CryptOne, LummaC Stealer, SmokeL
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1445950
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1445950 Sample: a6lzHWp4pa.exe Startdate: 22/05/2024 Architecture: WINDOWS Score: 100 84 whispedwoodmoodsksl.shop 2->84 86 tonybabb.com 2->86 88 4 other IPs or domains 2->88 110 Snort IDS alert for network traffic 2->110 112 Found malware configuration 2->112 114 Malicious sample detected (through community Yara rule) 2->114 116 11 other signatures 2->116 14 a6lzHWp4pa.exe 60 2->14         started        16 sttfdbr 4 16 2->16         started        signatures3 process4 process5 18 cmd.exe 2 14->18         started        file6 62 C:\Users\user\AppData\Local\...\Whale.pif, PE32 18->62 dropped 118 Uses ping.exe to sleep 18->118 120 Drops PE files with a suspicious file extension 18->120 122 Uses ping.exe to check the status of other devices and networks 18->122 22 Whale.pif 18->22         started        25 PING.EXE 1 18->25         started        28 cmd.exe 2 18->28         started        30 7 other processes 18->30 signatures7 process8 dnsIp9 132 Found API chain indicative of debugger detection 22->132 134 Injects a PE file into a foreign processes 22->134 32 Whale.pif 22->32         started        96 127.0.0.1 unknown unknown 25->96 35 WerFault.exe 28->35         started        signatures10 process11 signatures12 102 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 32->102 104 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 32->104 106 Maps a DLL or memory area into another process 32->106 108 2 other signatures 32->108 37 explorer.exe 8 3 32->37 injected process13 dnsIp14 90 186.101.193.110, 49833, 49834, 49835 TelconetSAEC Ecuador 37->90 92 jobresurs.ru 91.189.114.28, 49822, 49823, 49824 RU-CENTERRU Russian Federation 37->92 94 4 other IPs or domains 37->94 72 C:\Users\user\AppData\Roaming\sttfdbr, PE32 37->72 dropped 74 C:\Users\user\AppData\Local\Temp\F456.exe, PE32 37->74 dropped 76 C:\Users\user\AppData\Local\Temp\B649.exe, PE32 37->76 dropped 136 Benign windows process drops PE files 37->136 138 Hides that the sample has been downloaded from the Internet (zone.identifier) 37->138 42 F456.exe 37->42         started        46 B649.exe 37->46         started        file15 signatures16 process17 dnsIp18 78 C:\Users\user\AppData\Local\...\kat7FA7.tmp, PE32 42->78 dropped 140 Machine Learning detection for dropped file 42->140 142 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 42->142 144 Writes to foreign memory regions 42->144 152 3 other signatures 42->152 49 kat7FA7.tmp 42->49         started        98 whispedwoodmoodsksl.shop 104.21.77.72, 443, 49841, 49843 CLOUDFLARENETUS United States 46->98 100 185.235.137.54, 80 AFRARASAIR Iran (ISLAMIC Republic Of) 46->100 146 Antivirus detection for dropped file 46->146 148 Multi AV Scanner detection for dropped file 46->148 150 Detected unpacking (changes PE section rights) 46->150 154 6 other signatures 46->154 54 WerFault.exe 46->54         started        file19 signatures20 process21 dnsIp22 80 steamcommunity.com 23.195.238.96, 443, 49856 AKAMAI-ASUS United States 49->80 82 78.47.123.174, 443, 49858, 49859 HETZNER-ASDE Germany 49->82 64 C:\Users\user\AppData\Local\...\sqls[1].dll, PE32 49->64 dropped 66 C:\Users\user\AppData\...\softokn3[1].dll, PE32 49->66 dropped 68 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 49->68 dropped 70 10 other files (6 malicious) 49->70 dropped 124 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 49->124 126 Found many strings related to Crypto-Wallets (likely being stolen) 49->126 128 Tries to harvest and steal ftp login credentials 49->128 130 4 other signatures 49->130 56 cmd.exe 49->56         started        file23 signatures24 process25 process26 58 conhost.exe 56->58         started        60 timeout.exe 56->60         started       
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2024-05-15 07:36:13 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
18 of 23 (78.26%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vorcrulhzov6qxwziea4kpjwppouepj7vbfzo72gfhcsrejlaiqa._file
Verdict:
malicious
Similar samples:
06724c588f5b9381effa96ca72ae6c136b6ec64ae1e898942d34142e40078bab
Smoke Loader
164f6dd9a77be0fc7425a9f97873435bdade7dc85da44c27474d2187395dfac6
Smoke Loader
21ada98043ea73edf58648a2a43856bed7f8e9fafdc948aae020b1dbb3053d90
Smoke Loader
72c22d9c2150b022f3f15e30bfd2d76435d4091b99a0e443c96dcb4c48aa5539
Smoke Loader
93320dc79416b00e3e78f70e316e4f6d35eb99360b305a706582b845953e1f62
Smoke Loader
9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186
Smoke Loader
a0ee463632a3799ed2b21d598d1fa8c4ed7198f3debd175a1eb89b2055b57ccd
Smoke Loader
c01dabdb1e0572151396954fd7bcd7334cee5b1d64de29b7de21c14eafbd6416
Smoke Loader
d3821c1a2684e27713730b1c44580b734ba9517b099fa71cad7b1b6764e5bcad
Smoke Loader
faec9f2bb4da32ed322a8d98e634997ba23d2b28aa64a2efe7d49d6bb2f15467
Smoke Loader
+ 1'075 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub2 backdoor trojan
Link:
https://tria.ge/reports/240522-wr2xhsbe24/
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5031e218-8b71-4f0e-b24a-1e6387c88bd7
Unpacked files
SH256 hash:
83424bae44d58db0f16caa7e6ce08d6cbb14938543be8968c039f1816d8f2050
MD5 hash:
2094a83d5001933d1fa5a4700f5c6429
SHA1 hash:
c87622343d30a5f59dc20278331314332e282e95
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/f58681b1-390e-4eb2-ad84-32acee8aef00/
Parent samples :
aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220
b2506074e22cbbd6c7a54b64c258ca48dd5a06bebf0830cc63596f1034045bfa
ce8ec776eb22c2bf9ec25fe36bd0dfa6617e4926103358b055fd55cdf7912328
19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327
9444f34a94d494a78e19e19f4e1615744e500aca97a563ad2a294bf16a076039
3ef1d040731916fee2fe1317c53a0e363f05fd12f87b84563af86ac5d49f74c2
7632e569071acc40bce87af592e4cc2476d9c088906a1e6651614860b4754bf8
SH256 hash:
aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220
MD5 hash:
fb9c4b9a277d1bec79c5d72eb92048ae
SHA1 hash:
cef6d340e836b1deb4be733e67273d1a9a328a35
Link:
https://www.unpac.me/results/f58681b1-390e-4eb2-ad84-32acee8aef00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dofoil
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/aba228d167cbabe85ed94101c53d367bdd423d3fa84b977f4629c528912b0220

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments