MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd05f805a5d224f1b73f1cba33438777abe441c3c625109a5d3342be6e684b20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 18



SHA256 hash: bd05f805a5d224f1b73f1cba33438777abe441c3c625109a5d3342be6e684b20
SHA3-384 hash: e169c8bf3569f43e3cf5c23d825e570c0acc599c2980d195619b4b1aaf1314501e21e89df193acfc7d1326138d0115a3
SHA1 hash: cef429bd50198b60ccc172dcec24db3bec543b2a
MD5 hash: ce8a71360c7571d605225cfe72938290
humanhash: uniform-pennsylvania-one-zulu
File name: ce8a71360c7571d605225cfe72938290.exe
Signature: Smoke Loader
File size: 236'032 bytes
First seen: 2024-03-15 16:11:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 21784de70fd9035e1fb12e10a80008e3 (1 x Smoke Loader)
ssdeep: 3072:StNB40PrptIKml2baxTKAI2XWjOPBoIIz/9pybO9yf4Z1LbewDpTb:StM0P9tT22qKwXWjceX6bO9y2iwB
Threatray: 2'382 similar samples on MalwareBazaar
TLSH: T131349EC232A19C75D79305F07E65E6A09729B89DDB2423B732D4F66F7EB03804932366
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 64d29a9899a9a989 (5 x Stealc, 1 x Smoke Loader)
Reporter: abuse_ch
Tags: exe Smoke Loader

Intelligence


File Origin
# of uploads :
1
# of downloads :
362
Origin country :
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
bd05f805a5d224f1b73f1cba33438777abe441c3c625109a5d3342be6e684b20.exe
Verdict:
Malicious activity
Analysis date:
2024-03-15 16:16:20 UTC
Tags:
loader smoke smokeloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request to an infection source
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for analyzing tools
Launching a process
Creating a file
Creating a window
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
fingerprint smokeloader
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LummaC, Python Stealer, Amadey, Glupteba
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Python Stealer
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
[Behavior graph image not reproduced here. Behavior Graph ID: 1409724; Sample: NkvJGApqGf.exe; Startdate: 15/03/2024; Architecture: WINDOWS; Score: 100. The graph maps the process tree of the sample, the files it dropped, the network endpoints it contacted and the triggered signatures, which are listed in the Signature section above.]
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2024-03-15 08:35:42 UTC
File Type:
PE (Exe)
Extracted files:
55
AV detection:
17 of 24 (70.83%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:amadey family:dcrat family:glupteba family:lumma family:redline family:smokeloader family:zgrat botnet:livetraffic backdoor discovery dropper evasion infostealer loader rat spyware stealer trojan upx
Behaviour
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Detects videocard installed
Enumerates processes with tasklist
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
NSIS installer
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
DcRat
Detect ZGRat V1
Glupteba
Glupteba payload
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
e23e8cfb01d2dff9f88d9a351e78867af0b6065371e4dd0324cbe2288927ea80
MD5 hash:
3a4ed517bb6f47b9b9b93ffdd002d5ea
SHA1 hash:
b4ba36d60c7f0c7c2516b6678d3c14993182de2a
Detections:
SmokeLoaderStage2 win_smokeloader_a2
Parent samples :
SHA256 hash:
bd05f805a5d224f1b73f1cba33438777abe441c3c625109a5d3342be6e684b20
MD5 hash:
ce8a71360c7571d605225cfe72938290
SHA1 hash:
cef429bd50198b60ccc172dcec24db3bec543b2a
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe bd05f805a5d224f1b73f1cba33438777abe441c3c625109a5d3342be6e684b20 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews

ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleOutputCharacterA, KERNEL32.dll::ScrollConsoleScreenBufferA, KERNEL32.dll::SetConsoleCtrlHandler, KERNEL32.dll::GetConsoleProcessList
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::GetFileAttributesA

Comments