MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA3-384 hash: cba7647c6ff33b63526663a9b6c5d069c962bd6bbce3c3df3793955591e1ed4b7e452a5b76536271fc1886cf45a1fb01
SHA1 hash: b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
MD5 hash: bd0ffc2e1a9f0f13c8778fbe043af0b7
humanhash: glucose-hawaii-bravo-arkansas
File name:bd0ffc2e1a9f0f13c8778fbe043af0b7
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:223'232 bytes
First seen:2023-08-19 06:48:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0bae0408e0bafadfe55650c235281 (1 x RedLineStealer, 1 x Smoke Loader)
ssdeep 3072:pFCcgLex7JOKS41sh/RR2Hyh0PLQLxrObBKJEUMOaSpzgwfZAz5ckD9yOA:XdgLu7w54SZRKMk1KJEUhJgJqkD9yv
Threatray 1'968 similar samples on MalwareBazaar
TLSH T14F24C0337AE0C032C55B55F19564EBB06A6E783287A0C54B77A807BF7E317A15B3A306
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0810161448c08000 (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
a966031691d030d8f8da30e9d31e9aee.exe
Verdict:
Malicious activity
Analysis date:
2023-08-18 14:07:29 UTC
Tags:
stealer redline amadey trojan loader smoke
Link:
https://app.any.run/tasks/d42d1a9f-a99a-4df8-9d7c-7f9909cb34c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443623/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/103266/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Gathering data
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41150e2c-67e3-4463-81dc-8e71de1caaa0
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1293756
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1293756 Sample: yzFg2xM3mK.exe Startdate: 19/08/2023 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 5 other signatures 2->44 8 yzFg2xM3mK.exe 2->8         started        11 vaugrrc 2->11         started        process3 signatures4 56 Detected unpacking (changes PE section rights) 8->56 58 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->58 60 Maps a DLL or memory area into another process 8->60 62 Creates a thread in another existing process (thread injection) 8->62 13 explorer.exe 1 4 8->13 injected 64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 68 Checks if the current machine is a virtual machine (disk enumeration) 11->68 process5 dnsIp6 36 anydesk-my.com 82.180.174.18, 443, 49770, 49771 BROADCOMDK Denmark 13->36 30 C:\Users\user\AppData\Roaming\vaugrrc, PE32 13->30 dropped 32 C:\Users\user\...\vaugrrc:Zone.Identifier, ASCII 13->32 dropped 70 Benign windows process drops PE files 13->70 72 Injects code into the Windows Explorer (explorer.exe) 13->72 74 Deletes itself after installation 13->74 76 2 other signatures 13->76 18 explorer.exe 6 13->18         started        22 explorer.exe 13->22         started        24 explorer.exe 13->24         started        26 12 other processes 13->26 file7 signatures8 process9 dnsIp10 34 anydesk-my.com 18->34 46 System process connects to network (likely due to code injection or exploit) 18->46 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->48 50 Tries to steal Mail credentials (via file / registry access) 18->50 54 2 other signatures 18->54 52 Tries to harvest and steal browser information (history, passwords, etc) 22->52 28 WerFault.exe 10 24->28         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-18 15:01:47 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlutz5pa3y24k5folqwxrls7peu4d6ke5ccweqajs4qun6c6whtq._file
Verdict:
malicious
Similar samples:
0ab54468721453d7237df27d4dd6383366edb5cc3bfab9a20d48a2416ca2aed8
Smoke Loader
31125dd90470955ca70e23ae2c3fd372db8b991a7c92bfb49d442b67539602c3
Smoke Loader
6fae76c5a5b11cf96e9f4577b8e3355807696e9462226f4826da83c0107be114
Smoke Loader
8113159e0ac7c44fb49f3231ea9541e2d9ce9fd06dee9887037349e3370e6e73
Smoke Loader
9e6ce673dc161fc54b110782f18ec9bb3690b9ccdde494196ccb5bb0381dfa94
Smoke Loader
acd063c502b1957bdb4e19c2f677128ff3ba956940a702aa1760e1d2362ff0eb
Smoke Loader
bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb
Smoke Loader
eeda861f847c8e1965617979471e1983b9fa1838fb804e4d67c7c22b36b9b462
Smoke Loader
+ 1'958 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:sel8 backdoor trojan
Link:
https://tria.ge/reports/230819-hlctjshh5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Deletes itself
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
https://anydesk-my.com/faq/
http://anydesk-my.com/faq/
Unpacked files
SH256 hash:
91efd8199baae8f4e9c8023443b6d7f2fa9a92009875727a7826ec38fc1d5854
MD5 hash:
abe0c5a100fcdeb4ec3cd914c019e532
SHA1 hash:
44959f3fde4f7a659593826e5f14b52d6bd29491
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/dd60b154-82b1-4719-be47-5f077c055558/
SH256 hash:
bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
MD5 hash:
bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 hash:
b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
Link:
https://www.unpac.me/results/dd60b154-82b1-4719-be47-5f077c055558/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bae93cf5e0de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/443623/
  
URLhaus
https://urlhaus.abuse.ch/url/2705571/

Comments


Avatar
zbet commented on 2023-08-19 06:48:28 UTC

url : hxxps://medichiccenter.com/RuntimeBroker.exe