MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c
SHA3-384 hash: 7f7291df776043587cbb9fa4a4a0c38c08e2924f155eb75aa9fbefc27cde868338f9e596e7dd226920ca7d41c6ef4532
SHA1 hash: da91afcff5c44bc3b8e23bb2028d1197f24e9a32
MD5 hash: c8133efa393bd6bd0996529f980b50e2
humanhash: sodium-king-two-saturn
File name:c8133efa393bd6bd0996529f980b50e2
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:364'032 bytes
First seen:2023-07-26 18:40:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 90bb6a3da0583450c6f11becc85dcf42 (2 x Stealc, 1 x Smoke Loader)
ssdeep 3072:9VKHrjUKLo8E2thrmrGWmSwwU09SrsM5ECw3P5kspmmlwlGvPGT1lTUM:3KXUKLo8ljimuSr5TImspmmljv+HT
Threatray 1'958 similar samples on MalwareBazaar
TLSH T1D474B74383A1BD44E9258B729E2FC6F8760DF6518F4D7B66A128AF1F04B62B2D173710
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0010d09010101000 (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
c8133efa393bd6bd0996529f980b50e2
Verdict:
Malicious activity
Analysis date:
2023-07-26 18:41:53 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/89940bdb-33c5-4235-ba2b-ca5040e5e96d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434526/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/52c738a0-8365-4465-8e46-1d3ee82c8725
Result
Threat name:
BlackGuard, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1280623
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates executable files without a name
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Opens network shares
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected BlackGuard
Yara detected Costura Assembly Loader
Yara detected SmokeLoader
Yara detected ZipBomb
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1280623 Sample: KvVXVfYvlF.exe Startdate: 26/07/2023 Architecture: WINDOWS Score: 100 102 Found malware configuration 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 Antivirus detection for URL or domain 2->106 108 10 other signatures 2->108 11 KvVXVfYvlF.exe 2->11         started        14 scjgjjw 2->14         started        16 scjgjjw 2->16         started        process3 signatures4 122 Detected unpacking (changes PE section rights) 11->122 124 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->124 126 Maps a DLL or memory area into another process 11->126 18 explorer.exe 10 10 11->18 injected 128 Machine Learning detection for dropped file 14->128 130 Checks if the current machine is a virtual machine (disk enumeration) 14->130 132 Creates a thread in another existing process (thread injection) 14->132 process5 dnsIp6 76 oshi.at 5.253.86.15, 443, 49726 HOSTSLICK-GERMANYNL Cyprus 18->76 78 transfer.sh 144.76.136.153, 443, 49718, 49732 HETZNER-ASDE Germany 18->78 80 stalagmijesarl.com 194.50.153.31, 49708, 49709, 49710 GAZ-IS-ASRU United Kingdom 18->80 62 C:\Users\user\AppData\Roaming\scjgjjw, PE32 18->62 dropped 64 C:\Users\user\AppData\Local\Temp\10D6.exe, PE32 18->64 dropped 66 C:\Users\user\...\scjgjjw:Zone.Identifier, ASCII 18->66 dropped 110 System process connects to network (likely due to code injection or exploit) 18->110 112 Benign windows process drops PE files 18->112 114 Injects code into the Windows Explorer (explorer.exe) 18->114 116 3 other signatures 18->116 23 10D6.exe 8 18->23         started        27 .exe 18->27         started        30 .exe 18->30         started        32 9 other processes 18->32 file7 signatures8 process9 dnsIp10 72 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 23->72 dropped 74 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 23->74 dropped 120 Contains functionality to register a low level keyboard hook 23->120 34 cmd.exe 2 23->34         started        86 ipwhois.app 27->86 88 ipwhois.app 30->88 file11 signatures12 process13 process14 36 build.exe 34->36         started        41 7z.exe 34->41         started        43 7z.exe 3 34->43         started        45 13 other processes 34->45 dnsIp15 82 194.50.153.136, 49735, 49746, 49757 GAZ-IS-ASRU United Kingdom 36->82 84 ipwhois.app 195.201.57.90, 443, 49736, 49737 HETZNER-ASDE Germany 36->84 68 C:\ProgramData\.exe, PE32 36->68 dropped 118 Creates executable files without a name 36->118 47 .exe 36->47         started        52 cmd.exe 36->52         started        70 C:\Users\user\AppData\Local\...\build.exe, PE32 41->70 dropped file16 signatures17 process18 dnsIp19 90 192.168.2.1 unknown unknown 47->90 92 ipwhois.app 47->92 58 C:\Users\user\...\DotNetZip-xuslvzta.tmp, Zip 47->58 dropped 60 C:\Users\user\AppData\Local\...\Cookies, SQLite 47->60 dropped 94 Antivirus detection for dropped file 47->94 96 Tries to steal Mail credentials (via file / registry access) 47->96 98 Machine Learning detection for dropped file 47->98 100 3 other signatures 47->100 54 conhost.exe 52->54         started        56 timeout.exe 52->56         started        file20 signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 18:41:06 UTC
File Type:
PE (Exe)
Extracted files:
85
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfztnv6fipxpmqtygpukh5az3ubmptjp25tfojltfq26mgrvj4wa._file
Verdict:
malicious
Similar samples:
29f23979e3b541ca8955fcbd3a0f9cadbdf92c0df65ba495eeb98bd1e154bc6d
Smoke Loader
2a7ccf835cd47e53b218d02824e1db7194aa045271d10a049647528a865c723f
Smoke Loader
375f623741fe071117c32d8e027f9a705ab54586b12ee5504a56d2205e95b38c
Smoke Loader
5daea8830b5fd8f3902061a5ebe366f9b313ec1eeca2af1a497573f1043818b8
Smoke Loader
680fa23ffd5f8185eb50f54932becc71d2d3b51b39033f853c4ea2e8737e34f0
Smoke Loader
6ecd0653e1f6a054b1f6c69a12ea5cf149b86a65a9379ad81233211dbce3bf65
Smoke Loader
6fab6bd5ade42ca49925d745d9d1a388d7636194b0f0fa5128f3eea913c13b6f
Smoke Loader
86b001e3eb278c3caf88e10955df68b9dc4c6290ded07d884efda572b6f1fc3d
Smoke Loader
8afd72197f13d7016291b5799cb9e680146d09b9b06661bb0de3f7972ef56fdc
Smoke Loader
f24b3812d45263f6998aa5e2edfd61f5919d81a6916c52e7d4d0d1c53a050afe
Smoke Loader
+ 1'948 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:vidar botnet:https://t.me/rifbef734frbe43jfef botnet:summ backdoor evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/230726-xa8jeafc93/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Executes dropped EXE
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
https://t.me/rifbef734frbe43jfef
https://t.me/dastantim
https://steamcommunity.com/profiles/76561199529242058
Unpacked files
SH256 hash:
48b6a4785f1dc9f33c51c2e588c7f9edf76e551cff8759ac5622cf995330ff14
MD5 hash:
d9cde58139fef6bf75141230f9662d97
SHA1 hash:
68ac6ee1b78dfa15bfe49229640a0929438029af
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/568488d0-cb99-4c3a-a2ae-364e77fbde92/
Parent samples :
dfa65f33e16205d8c072ba1fb3d0f419f0af2e25f1c251d2b1ef83dd822dc476
aa4938085915798a5b6a03db3a04f6b2927d108db0bfac32ca66462f6a406c36
e4ff3d138daf42cc71613a0b2b9131e672ab42e3fc8f12779efa2f882985c40c
240e33c28d618ba23fc7489c03dcc40e3e3d2c84ef959db800321d1946d3dbcf
65640ae45f81e5a0367d374193b9a7958e7e2cba9b4f7e448cd2545a70c2880e
b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891
b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027
5ecd711693f12b243e84e97975eaf2f981016a7cf004841dceb7b9d720bc1f6d
a6e56a741e9aa67f861b574964a4999eb77ca586abf079c1891ca09c7900c713
2f526d3756e8f59616b5f69c9527d4751594ea82464c971eaadfc04216d0b27a
14a81d39c1a2260f7dde336245ab276a3416319e8bea2740107f8da6b5baecc2
57058dda63d287fb506d12c043fe1eb07abcaacb703fb2f8120edefb815bd1a8
9e4e8a3c08c71e24a113731d9b3c6221c79a0d82e9ab0b510e4240257b4d0eee
954a8d78e97e2bb65568d4c5d692a2a9975a330eaa7fae20e4620d18ccbb5881
bfe83b5436233b54ba7808d535042708313d5ec62aece600d943798f5c62efda
fc5c1ed9df3db079ed9b1714c11b5fd8edd6f69498fe6150303ae160884d3c04
e59ad322f3178a7905a9a3c623e7b5d8132080ddc9d2d3797d64939a23611a00
e93e6d9ed58c2476607f4352c2fb03b5247276f5be99840b0db4d546457f20e5
c862c9ce5cc849f7e292a61984c11b3a61a137f71ce19b3e72b653932602a0fc
8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3
455cd1baccbf9b3abc59454a6d80ee72c2db5cb6ffb73a5102b5a1e6eb78599e
45395f6fad7289cb0f9599ed1f578140d5280f1769957c4bba4fb5f6798a41bf
d347eea452c0cd8f233db473bc2889ef05049a6bffef49184120c9d302fa74e6
cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb
2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1
e58ebdf4702cc16c7b5626d7e5a169fda32ecb3df251c9f087c8ad7ad6897672
799c6f0780b063a98ca67e217ac920733e5ed59742300658a747457ef30a3ed8
a5cb5558a1fb53b177fd0a683da3e93c4c0149588c7b06b5b8f5570896bd79bc
5b6d6c1bf6cfc3f0c4b792a2416d52588c22701fc9484c7c0a40bfb75ced4c4e
fc70465d07b9f3eb64e7f5ada2c047cd54b1a10b2790264456c0f76a798b50fc
fd831bc88d1c08c8b8a2e3756569b8fc3c143d516f4a72ec6fbf3c456c6209bb
2cc7483f686c00278ce3dcda694baca322bfbe70e8cf4ec5dd8ec0f31a955625
c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c
2c43ca2ea57631cdd00d46b6d292ca82922c239c1ad400a4714134fed8f2a50e
4f2680a213e3345c83f3f0adc9bcf75af76e50eed035b2c54f54b071e115f694
b2f12a3ef735f92b67cf807fb8be7df8400c065318ad3b0f8cd144738db7b96b
SH256 hash:
c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c
MD5 hash:
c8133efa393bd6bd0996529f980b50e2
SHA1 hash:
da91afcff5c44bc3b8e23bb2028d1197f24e9a32
Link:
https://www.unpac.me/results/568488d0-cb99-4c3a-a2ae-364e77fbde92/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c17336d7c543/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2690430/
Cape
Cape
https://www.capesandbox.com/analysis/434526/

Comments


Avatar
zbet commented on 2023-07-26 18:40:03 UTC

url : hxxp://89.208.104.62/govno.exe