MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4e2ade8adbc6d1929061425d4e4ddcaa308b5a11df15816f93c95dfb0ce2a3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4e2ade8adbc6d1929061425d4e4ddcaa308b5a11df15816f93c95dfb0ce2a3d
SHA3-384 hash: 2b51bd93e6b64dbb4b6a8255e817612fcc9e9f5a6088ae8d666fde9a65afbd3a30941b5f2bc5851a93839ce3d00291af
SHA1 hash: 11544fe61557896c15e852fd5e4009e0533240f3
MD5 hash: 0d7ab2dcc17796570efba7777005a384
humanhash: lamp-echo-butter-undress
File name:0d7ab2dcc17796570efba7777005a384.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:332'800 bytes
First seen:2023-02-03 19:19:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 64f2017133017378e6738b9a4be235bb (6 x RedLineStealer, 2 x Smoke Loader, 1 x Rhadamanthys)
ssdeep 6144:i0SSL7YOmtN+WqSWDRBE9/CJTk637eQfnd55LWB:i0SSnYroWt9CJb7d55L
Threatray 16'926 similar samples on MalwareBazaar
TLSH T116648E02B290BC58ED328B72CF3EE7E4795FBD508E5967761314AA1F2C711A1CDA2325
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0207230213070500 (1 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
0d7ab2dcc17796570efba7777005a384.exe
Verdict:
Malicious activity
Analysis date:
2023-02-03 19:21:46 UTC
Tags:
trojan loader smoke stealer
Link:
https://app.any.run/tasks/94964b35-4fb0-498d-9bb2-050591a6f285

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/360020/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63dd5e651c9cbf7d6255a7aa/reports/e4c0f098-9cd1-4a6b-aebc-61204847ceb3/overview
Verdict:
Malicious
Labled as:
Ransom.788A61AA
Link:
https://www.hybrid-analysis.com/sample/b4e2ade8adbc6d1929061425d4e4ddcaa308b5a11df15816f93c95dfb0ce2a3d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/02f7e578-96c1-4b40-a1b0-e7305675e496
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1165550
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 798326 Sample: GkZvdkY6cG.exe Startdate: 03/02/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 4 other signatures 2->47 8 GkZvdkY6cG.exe 2->8         started        11 jbectwr 2->11         started        process3 signatures4 65 Detected unpacking (changes PE section rights) 8->65 13 GkZvdkY6cG.exe 8->13         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 process5 signatures6 71 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->71 73 Maps a DLL or memory area into another process 13->73 75 Checks if the current machine is a virtual machine (disk enumeration) 13->75 77 Creates a thread in another existing process (thread injection) 13->77 16 explorer.exe 1 4 13->16 injected process7 dnsIp8 35 novirater.ru 89.108.98.246, 49729, 49730, 80 AGAVA3RU Russian Federation 16->35 31 C:\Users\user\AppData\Roaming\jbectwr, PE32 16->31 dropped 33 C:\Users\user\...\jbectwr:Zone.Identifier, ASCII 16->33 dropped 49 Benign windows process drops PE files 16->49 51 Injects code into the Windows Explorer (explorer.exe) 16->51 53 Deletes itself after installation 16->53 55 2 other signatures 16->55 21 explorer.exe 6 16->21         started        25 explorer.exe 16->25         started        27 explorer.exe 16->27         started        29 6 other processes 16->29 file9 signatures10 process11 dnsIp12 37 novirater.ru 21->37 57 System process connects to network (likely due to code injection or exploit) 21->57 59 Found evasive API chain (may stop execution after checking mutex) 21->59 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->61 63 4 other signatures 21->63 39 192.168.2.1 unknown unknown 25->39 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4e2ade8adbc6d1929061425d4e4ddcaa308b5a11df15816f93c95dfb0ce2a3d/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-02-03 08:50:00 UTC
File Type:
PE (Exe)
Extracted files:
86
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtrk32fnxrwrskigcqs5jzg5zkrqrnnbdxyvqfxzhsk57mgofi6q._file
Verdict:
malicious
Similar samples:
050c2acd0f467ab6089c32fa9b0921bb1685ef697b6ef2ed7509db4e18eaff9e
Smoke Loader
2ad9af4d99a267b9999bf64ae074415083055d48381a60556d38265c2a167c49
Smoke Loader
680ba889fe8404eae74f3b037e9acc69703c8d96f311314d25f9e04e6177cc3d
Smoke Loader
7ca0dc49758c113141ab126d33dce9e482f857363a9603373844d8cf651ceb7e
Smoke Loader
a0c596054ba3c272a4138874f918347bc9d3d67370a66fc1f1152cee60ae9546
Smoke Loader
b4e2ade8adbc6d1929061425d4e4ddcaa308b5a11df15816f93c95dfb0ce2a3d
Smoke Loader
d1d6cb926e13808764271dbc10680e34ab3665997731a8b650c6e8fa27a24097
Smoke Loader
e0e3705c5fcef8f160ebe209e6f5e2e872f6168b80634ba50cf0bd940f130267
Smoke Loader
edd4bdbdd4718c8e28c0e35043c199a4beed017857aa8add3d3079e7ffdc5b4d
Smoke Loader
+ 16'916 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor collection trojan
Link:
https://tria.ge/reports/230203-x14cdaac22/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Detects Smokeloader packer
SmokeLoader
Unpacked files
SH256 hash:
d7c9367c6cd57b78bed4a9bba5f2a00e22aeb780e869c01d52de434eba32fdac
MD5 hash:
2cb52c5b15dc2778ee510efe134e1693
SHA1 hash:
4cbbe782c4b2c95521e754376674dc50b283178f
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/e802cd86-5473-4a02-ac53-49ceae4d1f62/
SH256 hash:
b4e2ade8adbc6d1929061425d4e4ddcaa308b5a11df15816f93c95dfb0ce2a3d
MD5 hash:
0d7ab2dcc17796570efba7777005a384
SHA1 hash:
11544fe61557896c15e852fd5e4009e0533240f3
Link:
https://www.unpac.me/results/e802cd86-5473-4a02-ac53-49ceae4d1f62/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b4e2ade8adbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4e2ade8adbc6d1929061425d4e4ddcaa308b5a11df15816f93c95dfb0ce2a3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b4e2ade8adbc6d1929061425d4e4ddcaa308b5a11df15816f93c95dfb0ce2a3d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/360020/
  
URLhaus
https://urlhaus.abuse.ch/url/2529333/
  
Delivery method
Distributed via web download

Comments