MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c38267836dde53953018c962a372e8e74153f97932418b682fc653ecfcb7bece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c38267836dde53953018c962a372e8e74153f97932418b682fc653ecfcb7bece
SHA3-384 hash: 354786512c09fe604a668cf1b0d953e4e8824f2bcee412de93bd1d3d5951ed51e2bf88274712f24481591a18296a616a
SHA1 hash: 82a02d6e00de00074b48ba3cc76424a6efe3e6ab
MD5 hash: 3d8207e1ce6762ff10db118bee3bd99b
humanhash: spaghetti-high-alanine-july
File name:01860199.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:289'280 bytes
First seen:2023-05-28 08:41:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2d9ed3462f8a74bfd1231e2e9de56b43 (2 x Smoke Loader, 2 x GCleaner, 1 x RedLineStealer)
ssdeep 3072:1nsNTcFBW0dKNogILXJ6WPLpjHysySMX3YpCUtn5grTtiFmAevZ:qNTcddpgInDtHMn3frTti9
Threatray 55 similar samples on MalwareBazaar
TLSH T1E7542A1392A13C90F9264B769E1FC6E8B65EF5708F197B69325CBA1F0872172C273B11
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000488090148400 (1 x Smoke Loader)
Reporter Neiki
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
01860199.exe
Verdict:
Malicious activity
Analysis date:
2023-05-28 08:42:41 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/3ba90e2d-f3d8-449e-8ad9-0a2b461db143

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392750/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed xpack
Link:
https://www.filescan.io/uploads/6473139f551c737d52c06f49/reports/0414c71e-f2d7-4d3b-af3a-c5f5b15f2d00/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c38267836dde53953018c962a372e8e74153f97932418b682fc653ecfcb7bece
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e736cc6c-eed9-4c27-83d3-67d8c90c95fc
Result
Threat name:
Amadey, Babuk, Clipboard Hijacker, Djvu,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243988
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876998 Sample: 01860199.exe Startdate: 28/05/2023 Architecture: WINDOWS Score: 100 124 zexeq.com 2->124 126 colisumy.com 2->126 128 2 other IPs or domains 2->128 188 Snort IDS alert for network traffic 2->188 190 Multi AV Scanner detection for domain / URL 2->190 192 Found malware configuration 2->192 194 20 other signatures 2->194 14 01860199.exe 2->14         started        17 hwgujdv 2->17         started        19 D804.exe 2->19         started        21 mstsca.exe 2->21         started        signatures3 process4 signatures5 228 Detected unpacking (changes PE section rights) 14->228 230 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->230 232 Maps a DLL or memory area into another process 14->232 23 explorer.exe 6 50 14->23 injected 28 D804.exe 14->28         started        234 Multi AV Scanner detection for dropped file 17->234 236 Checks if the current machine is a virtual machine (disk enumeration) 17->236 238 Creates a thread in another existing process (thread injection) 17->238 240 Detected unpacking (overwrites its own PE header) 19->240 242 Injects a PE file into a foreign processes 19->242 30 D804.exe 13 19->30         started        process6 dnsIp7 136 shsplatform.co.uk 80.66.203.53 UKFASTGB United Kingdom 23->136 138 speedlab.com.eg 217.174.148.28, 443, 49701, 49723 TELEPOINTBG Bulgaria 23->138 148 9 other IPs or domains 23->148 106 C:\Users\user\AppData\Roaming\hwgujdv, PE32 23->106 dropped 108 C:\Users\user\AppData\Roaming\ewgujdv, PE32 23->108 dropped 110 C:\Users\user\AppData\Local\Temp\F4F7.exe, PE32 23->110 dropped 112 20 other malicious files 23->112 dropped 198 System process connects to network (likely due to code injection or exploit) 23->198 200 Benign windows process drops PE files 23->200 202 Deletes itself after installation 23->202 204 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->204 32 D804.exe 23->32         started        35 3C54.exe 23->35         started        38 F4F7.exe 23->38         started        40 7 other processes 23->40 140 api.2ip.ua 28->140 142 211.59.14.90, 49714, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 30->142 144 zexeq.com 30->144 146 api.2ip.ua 30->146 file8 signatures9 process10 file11 160 Detected unpacking (changes PE section rights) 32->160 162 Detected unpacking (overwrites its own PE header) 32->162 164 Machine Learning detection for dropped file 32->164 166 Writes a notice file (html or txt) to demand a ransom 32->166 42 D804.exe 1 15 32->42         started        92 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 35->92 dropped 94 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 35->94 dropped 96 C:\Users\user\AppData\Local\...96ewPlayer.exe, PE32 35->96 dropped 168 Antivirus detection for dropped file 35->168 170 Multi AV Scanner detection for dropped file 35->170 46 NewPlayer.exe 35->46         started        49 aafg31.exe 35->49         started        51 XandETC.exe 35->51         started        172 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->172 174 Maps a DLL or memory area into another process 38->174 176 Checks if the current machine is a virtual machine (disk enumeration) 38->176 178 Creates a thread in another existing process (thread injection) 38->178 180 Injects a PE file into a foreign processes 40->180 53 B46F.exe 40->53         started        55 A170.exe 40->55         started        57 913F.exe 40->57         started        59 WerFault.exe 4 10 40->59         started        signatures12 process13 dnsIp14 150 api.2ip.ua 162.0.217.254, 443, 49702, 49707 ACPCA Canada 42->150 152 192.168.2.1 unknown unknown 42->152 114 C:\Users\user\AppData\Local\...\D804.exe, PE32 42->114 dropped 61 D804.exe 42->61         started        64 icacls.exe 42->64         started        116 C:\Users\user\AppData\Local\...\mnolyk.exe, PE32 46->116 dropped 244 Multi AV Scanner detection for dropped file 46->244 66 mnolyk.exe 46->66         started        154 jp.imgjeoighw.com 103.100.211.218, 49720, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 49->154 156 ss.apjeoighw.com 154.221.31.191 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 49->156 158 6 other IPs or domains 49->158 file15 signatures16 process17 file18 218 Injects a PE file into a foreign processes 61->218 69 D804.exe 61->69         started        88 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 66->88 dropped 90 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 66->90 dropped 220 Antivirus detection for dropped file 66->220 222 Multi AV Scanner detection for dropped file 66->222 224 Creates an undocumented autostart registry key 66->224 226 Machine Learning detection for dropped file 66->226 signatures19 process20 dnsIp21 130 zexeq.com 175.119.10.231, 49711, 49721, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 69->130 132 123.140.161.243, 49713, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 69->132 134 2 other IPs or domains 69->134 98 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 69->98 dropped 100 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 69->100 dropped 102 C:\Users\user\AppData\Local\...\build3.exe, PE32 69->102 dropped 104 8 other malicious files 69->104 dropped 196 Modifies existing user documents (likely ransomware behavior) 69->196 74 build2.exe 69->74         started        77 build3.exe 69->77         started        file22 signatures23 process24 file25 206 Multi AV Scanner detection for dropped file 74->206 208 Detected unpacking (changes PE section rights) 74->208 210 Detected unpacking (overwrites its own PE header) 74->210 212 Machine Learning detection for dropped file 74->212 80 build2.exe 74->80         started        118 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 77->118 dropped 214 Antivirus detection for dropped file 77->214 216 Uses schtasks.exe or at.exe to add and modify task schedules 77->216 84 schtasks.exe 77->84         started        signatures26 process27 dnsIp28 120 t.me 149.154.167.99 TELEGRAMRU United Kingdom 80->120 122 188.34.154.187 HETZNER-ASDE Germany 80->122 182 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 80->182 184 Tries to harvest and steal browser information (history, passwords, etc) 80->184 186 Tries to steal Crypto Currency Wallets 80->186 86 conhost.exe 84->86         started        signatures29 process30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c38267836dde53953018c962a372e8e74153f97932418b682fc653ecfcb7bece/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-28 08:41:05 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yobgpa3n3zjzkmayzfrkg4xi45avh6lzgjayw2bpyzj6z7fxx3ha._file
Verdict:
malicious
Similar samples:
0297db387476575d1e8dea19a04f088af54732b9053404734901585e97ef23be
Smoke Loader
25f17d615e6ccbf3de2297fe28ba2c78b8db878d5609cf70baf4202e5fea90eb
Smoke Loader
34d81fa01e7570ee734e04e8d2be5c2d54c3a343ad3340b26105627b6124a2db
Smoke Loader
380c81695a2340dbaf8d0427188536d1eddfca4ee41a5aa7d23eb8a91d617c4c
Smoke Loader
5f428b2b1406374ebf442b695dd4c5ae14d68d58a4946092100a0471e3c6cf3b
Smoke Loader
6cbb3fe987652c86b25b99d155e18d4880bc4d542b7d1007f1f3dc85342d8403
Smoke Loader
a4bb9762185f053519b66a792b63b2d207c8861facbfdb8b3d25b051367eed97
Smoke Loader
b3fbcfd775b7c9bfc5b58f5df13eb8fbeb4844d98756f8fca41b63f060ae5132
Smoke Loader
e4b3318cffd6cad2d36ae53107f6d8fd7aab47b596ab83711a89ecc290bda6a3
Smoke Loader
f4e57d6160cc7f2ad503c3b1627cb5176ccc6e20490399b3700cdf7eeef8beec
Smoke Loader
+ 45 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230528-klez1sef75/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
45.9.74.80/0bjdn2Z/index.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
Gathering data
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c38267836dde/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c38267836dde53953018c962a372e8e74153f97932418b682fc653ecfcb7bece

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe c38267836dde53953018c962a372e8e74153f97932418b682fc653ecfcb7bece

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/392750/
  
URLhaus
https://urlhaus.abuse.ch/url/2479364/
  
Delivery method
Distributed via web download

Comments