MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb
SHA3-384 hash: 27651ab09573f152cdda1ce611f3e7278709b2c208db0d65e12adcb353526e6b1d64e358d86af4e6865bb01974276c07
SHA1 hash: bafa43e81c302a17f7b5a63b37b5b7df2ac30667
MD5 hash: d73c418cf0ee0f9c1433937819d51972
humanhash: pluto-oscar-iowa-north
File name:d73c418cf0ee0f9c1433937819d51972.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:2'422'784 bytes
First seen:2023-12-08 17:51:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:UwEM8A76wHzVimqSDMnkMg68FW/Hx4T9a8WgbTzpD+3LzTLHqZ5:JEM8A/VimqyrFWp4T9ugbSfjq
TLSH T112B533A6B6E48023CBB9577444F323A31A347EA379F4167777819C0E5A72B84B0353B6
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/463695/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a service
Changing a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer installer keylogger lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657357c53f60a810348c564c/reports/256ab375-2218-4fba-8bbb-6a0ff6f46ecc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7c0d7268-6fe2-433b-a44e-0a76ad88b82c
Result
Threat name:
LummaC Stealer, PrivateLoader, PureLog S
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356444
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1356444 Sample: 0L3UB5v8CI.exe Startdate: 08/12/2023 Architecture: WINDOWS Score: 100 137 ipinfo.io 2->137 139 connv2.proxies.tv 2->139 161 Snort IDS alert for network traffic 2->161 163 Found malware configuration 2->163 165 Malicious sample detected (through community Yara rule) 2->165 167 18 other signatures 2->167 13 0L3UB5v8CI.exe 1 4 2->13         started        17 svchost.exe 2->17         started        19 svchost.exe 2->19         started        21 7 other processes 2->21 signatures3 process4 file5 123 C:\Users\user\AppData\Local\...\nd1Fm79.exe, PE32 13->123 dropped 125 C:\Users\user\AppData\Local\...\6xd8lC0.exe, PE32 13->125 dropped 213 Binary is likely a compiled AutoIt script file 13->213 23 nd1Fm79.exe 1 4 13->23         started        26 WerFault.exe 17->26         started        28 WerFault.exe 17->28         started        30 WerFault.exe 17->30         started        signatures6 process7 file8 111 C:\Users\user\AppData\Local\...\zi9kF73.exe, PE32 23->111 dropped 113 C:\Users\user\AppData\Local\...\5rj3VL3.exe, PE32 23->113 dropped 32 zi9kF73.exe 1 4 23->32         started        process9 file10 85 C:\Users\user\AppData\Local\...\gn6yT71.exe, PE32 32->85 dropped 87 C:\Users\user\AppData\Local\...\4SK797Ki.exe, PE32 32->87 dropped 35 gn6yT71.exe 1 4 32->35         started        38 4SK797Ki.exe 32->38         started        process11 file12 105 C:\Users\user\AppData\Local\...\3ai26LM.exe, PE32 35->105 dropped 107 C:\Users\user\AppData\Local\...\1Ef35ob3.exe, PE32 35->107 dropped 41 3ai26LM.exe 35->41         started        44 1Ef35ob3.exe 35->44         started        109 C:\...\l6J5AVz9AqV5U92_OvTEEH4pOD9Y1Oko.zip, Zip 38->109 dropped 169 Tries to steal Mail credentials (via file / registry access) 38->169 171 Disables Windows Defender (deletes autostart) 38->171 173 Tries to harvest and steal browser information (history, passwords, etc) 38->173 175 3 other signatures 38->175 46 WerFault.exe 38->46         started        signatures13 process14 signatures15 177 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 41->177 179 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->179 181 Maps a DLL or memory area into another process 41->181 191 2 other signatures 41->191 48 explorer.exe 41->48 injected 183 Contains functionality to inject code into remote processes 44->183 185 Writes to foreign memory regions 44->185 187 Allocates memory in foreign processes 44->187 189 Injects a PE file into a foreign processes 44->189 53 AppLaunch.exe 11 508 44->53         started        55 AppLaunch.exe 44->55         started        process16 dnsIp17 127 185.196.8.238 SIMPLECARRER2IT Switzerland 48->127 129 185.172.128.19, 49711, 80 NADYMSS-ASRU Russian Federation 48->129 131 81.19.131.34, 49710, 80 IVC-ASRU Russian Federation 48->131 89 C:\Users\user\AppData\Local\Temp\F8A0.exe, PE32 48->89 dropped 91 C:\Users\user\AppData\Local\Temp\D5F4.exe, PE32+ 48->91 dropped 93 C:\Users\user\AppData\Local\Temp\C29A.exe, PE32 48->93 dropped 101 5 other malicious files 48->101 dropped 143 System process connects to network (likely due to code injection or exploit) 48->143 145 Benign windows process drops PE files 48->145 57 AA5E.exe 48->57         started        61 6F37.exe 48->61         started        64 74D6.exe 48->64         started        72 4 other processes 48->72 133 193.233.132.51, 49701, 49703, 50500 FREE-NET-ASFREEnetEU Russian Federation 53->133 135 ipinfo.io 34.117.59.81, 443, 49702, 49704 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 53->135 95 C:\Windows\System32behaviorgraphroupPolicybehaviorgraphPT.INI, ASCII 53->95 dropped 97 C:\...\9gHNy_UwqhtES3ObRz5j5LEuct7sKtZW.zip, Zip 53->97 dropped 99 C:\Users\user\AppData\...\FANBooster131.exe, PE32 53->99 dropped 103 2 other files (none is malicious) 53->103 dropped 147 Tries to steal Mail credentials (via file / registry access) 53->147 149 Disables Windows Defender (deletes autostart) 53->149 151 Tries to harvest and steal browser information (history, passwords, etc) 53->151 159 4 other signatures 53->159 66 schtasks.exe 1 53->66         started        68 schtasks.exe 1 53->68         started        70 WerFault.exe 53->70         started        153 Found stalling execution ending in API Sleep call 55->153 155 Contains functionality to inject threads in other processes 55->155 157 Uses schtasks.exe or at.exe to add and modify task schedules 55->157 file18 signatures19 process20 dnsIp21 115 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 57->115 dropped 117 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 57->117 dropped 119 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 57->119 dropped 121 2 other malicious files 57->121 dropped 193 Antivirus detection for dropped file 57->193 195 Multi AV Scanner detection for dropped file 57->195 197 Machine Learning detection for dropped file 57->197 74 InstallSetup9.exe 57->74         started        141 77.105.132.87 PLUSTELECOM-ASRU Russian Federation 61->141 199 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 61->199 201 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 61->201 203 Tries to harvest and steal browser information (history, passwords, etc) 61->203 205 Tries to steal Crypto Currency Wallets 61->205 207 Modifies the context of a thread in another process (thread injection) 64->207 209 Injects a PE file into a foreign processes 64->209 77 conhost.exe 66->77         started        79 conhost.exe 68->79         started        81 conhost.exe 72->81         started        83 WerFault.exe 72->83         started        file22 signatures23 process24 signatures25 211 Multi AV Scanner detection for dropped file 74->211
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 15:05:03 UTC
AV detection:
21 of 35 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wed27rkuo3cyv5rlqlmpdapuvoilojpjltfvescr6valmin55o5q._file
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor loader persistence stealer trojan
Link:
https://tria.ge/reports/231208-wfq1wabeek/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
94513f36ef94d07e4f4eb4fc1f16f720c517aae322ce9153cf716f08010e2a96
MD5 hash:
d09d113833f72b4cb1e4d32664b2c0c6
SHA1 hash:
a84d58464acb78d7a6bbe4ce97dec3224f643b70
Link:
https://www.unpac.me/results/9d297752-cdfc-417b-873a-b1a2c65588f8/
SH256 hash:
78ae23df3b06702cba044f947252c918006f7db9e6ac365d7db641f03dbc21f2
MD5 hash:
4fc42d657c43796cab2c924204da84a9
SHA1 hash:
e457098ed4bffdd5ff449c8fa5d302626dc94a22
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/9d297752-cdfc-417b-873a-b1a2c65588f8/
Parent samples :
b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb
63a2ca4d70cc4601a03ca16d80b6f965fb9aebb62a0a9915f66b3e32ad625e85
732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8
3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0
78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e
SH256 hash:
b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb
MD5 hash:
d73c418cf0ee0f9c1433937819d51972
SHA1 hash:
bafa43e81c302a17f7b5a63b37b5b7df2ac30667
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/9d297752-cdfc-417b-873a-b1a2c65588f8/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b107afc55476/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/463695/

Comments