MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5b4a032661a477c9397cf02cf946a3d321099bd876fd29f5352335b67f9a564. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5b4a032661a477c9397cf02cf946a3d321099bd876fd29f5352335b67f9a564
SHA3-384 hash: e5fba959ed5be4a09df365a0cb073bfa8673d7538e07df0b7d1e8615a141890669558aa9e9f5e142991ba62f4e51a03b
SHA1 hash: 682523706a1cd9d7e53f77413a6217b803c8ee9e
MD5 hash: 5fefb8203422194dd4684515c0ed6cd9
humanhash: one-sierra-oklahoma-early
File name:01867799.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:297'472 bytes
First seen:2023-05-27 08:55:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd191f6a78cc98a8bbe61db18ad8e9a2 (5 x Glupteba, 4 x Smoke Loader, 3 x ArkeiStealer)
ssdeep 3072:TOQTwP/BcZtTUr7bLTZV7xyQ763vjDACpH+4Nzn7sKX5At95k:6QTwPQtcHHxVYvjca+4z70t
Threatray 110 similar samples on MalwareBazaar
TLSH T14654390392E17D94E9264B3B9E2EC6E8771DF6548F1D77662218AAEF04F11B2C173381
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 520a22420a021200 (1 x Smoke Loader)
Reporter Neiki
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
01867799.exe
Verdict:
Malicious activity
Analysis date:
2023-05-27 08:58:02 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/07382a1f-c06d-46cf-b693-660387aa1aae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392446/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed xpack
Link:
https://www.filescan.io/uploads/6471c5a2ce72cac205743bdb/reports/0944caef-0d3e-4c8f-89f9-83f3130384f4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c5b4a032661a477c9397cf02cf946a3d321099bd876fd29f5352335b67f9a564
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a46b3a3-ef27-459e-8c2d-89c7cd4880ba
Result
Threat name:
Babuk, Clipboard Hijacker, Djvu, SmokeLo
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243758
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876769 Sample: 01867799.exe Startdate: 27/05/2023 Architecture: WINDOWS Score: 100 107 zexeq.com 2->107 109 colisumy.com 2->109 111 2 other IPs or domains 2->111 165 Snort IDS alert for network traffic 2->165 167 Multi AV Scanner detection for domain / URL 2->167 169 Found malware configuration 2->169 171 17 other signatures 2->171 14 01867799.exe 2->14         started        17 varbswv 2->17         started        19 166B.exe 2->19         started        21 varbswv 2->21         started        signatures3 process4 signatures5 201 Detected unpacking (changes PE section rights) 14->201 203 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->203 205 Maps a DLL or memory area into another process 14->205 207 Creates a thread in another existing process (thread injection) 14->207 23 explorer.exe 11 35 14->23 injected 209 Multi AV Scanner detection for dropped file 17->209 211 Machine Learning detection for dropped file 17->211 213 Checks if the current machine is a virtual machine (disk enumeration) 17->213 215 Detected unpacking (overwrites its own PE header) 19->215 217 Injects a PE file into a foreign processes 19->217 28 166B.exe 19->28         started        30 WerFault.exe 21->30         started        process6 dnsIp7 113 shsplatform.co.uk 80.66.203.53 UKFASTGB United Kingdom 23->113 115 speedlab.com.eg 217.174.148.28, 443, 49727, 49733 TELEPOINTBG Bulgaria 23->115 121 10 other IPs or domains 23->121 83 C:\Users\user\AppData\Roaming\varbswv, PE32 23->83 dropped 85 C:\Users\user\AppData\Roaming\ssrbswv, PE32 23->85 dropped 87 C:\Users\user\AppData\Local\Temp\F761.exe, PE32 23->87 dropped 89 11 other malicious files 23->89 dropped 187 System process connects to network (likely due to code injection or exploit) 23->187 189 Benign windows process drops PE files 23->189 191 Deletes itself after installation 23->191 193 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->193 32 166B.exe 23->32         started        35 F761.exe 23->35         started        37 E849.exe 23->37         started        39 5 other processes 23->39 117 api.2ip.ua 28->117 119 192.168.2.1 unknown unknown 30->119 file8 signatures9 process10 signatures11 141 Detected unpacking (changes PE section rights) 32->141 143 Detected unpacking (overwrites its own PE header) 32->143 145 Machine Learning detection for dropped file 32->145 147 Writes a notice file (html or txt) to demand a ransom 32->147 41 166B.exe 1 15 32->41         started        149 Injects a PE file into a foreign processes 35->149 45 F761.exe 13 35->45         started        151 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->151 153 Maps a DLL or memory area into another process 37->153 155 Checks if the current machine is a virtual machine (disk enumeration) 37->155 157 Creates a thread in another existing process (thread injection) 37->157 159 Multi AV Scanner detection for dropped file 39->159 161 Writes to foreign memory regions 39->161 47 C25B.exe 39->47         started        49 166B.exe 39->49         started        51 WerFault.exe 39->51         started        53 WerFault.exe 39->53         started        process12 dnsIp13 123 api.2ip.ua 162.0.217.254, 443, 49725, 49728 ACPCA Canada 41->123 93 C:\Users\user\AppData\Local\...\166B.exe, PE32 41->93 dropped 55 166B.exe 41->55         started        58 icacls.exe 41->58         started        60 F761.exe 45->60         started        file14 process15 signatures16 185 Injects a PE file into a foreign processes 55->185 62 166B.exe 55->62         started        67 F761.exe 60->67         started        process17 dnsIp18 129 zexeq.com 95.107.163.44, 49732, 49745, 80 ASC-AL-ASAL Albania 62->129 131 colisumy.com 62->131 133 api.2ip.ua 62->133 95 C:\Users\user\AppData\Local\...\build3.exe, PE32 62->95 dropped 97 C:\Users\user\AppData\Local\...\build2.exe, PE32 62->97 dropped 99 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 62->99 dropped 105 6 other malicious files 62->105 dropped 163 Modifies existing user documents (likely ransomware behavior) 62->163 69 build2.exe 62->69         started        72 build3.exe 62->72         started        135 187.209.146.8, 49747, 80 UninetSAdeCVMX Mexico 67->135 137 211.53.230.67 LGDACOMLGDACOMCorporationKR Korea Republic of 67->137 139 2 other IPs or domains 67->139 101 C:\Users\user\AppData\Local\...\build3.exe, PE32 67->101 dropped 103 C:\Users\user\AppData\Local\...\build2.exe, PE32 67->103 dropped file19 signatures20 process21 file22 173 Multi AV Scanner detection for dropped file 69->173 175 Detected unpacking (changes PE section rights) 69->175 177 Detected unpacking (overwrites its own PE header) 69->177 179 Machine Learning detection for dropped file 69->179 75 build2.exe 69->75         started        91 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 72->91 dropped 181 Antivirus detection for dropped file 72->181 183 Uses schtasks.exe or at.exe to add and modify task schedules 72->183 79 schtasks.exe 72->79         started        signatures23 process24 dnsIp25 125 t.me 149.154.167.99, 443, 49752 TELEGRAMRU United Kingdom 75->125 127 78.47.34.59, 30303, 49753 HETZNER-ASDE Germany 75->127 195 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 75->195 197 Tries to harvest and steal browser information (history, passwords, etc) 75->197 199 Tries to steal Crypto Currency Wallets 75->199 81 conhost.exe 79->81         started        signatures26 process27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5b4a032661a477c9397cf02cf946a3d321099bd876fd29f5352335b67f9a564/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-27 08:56:05 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yw2kamtgdjdxze4xz4bm7fdkhuzbbgn5q5x5fh2tkizvwz7zuvsa._file
Verdict:
malicious
Similar samples:
366256d8bc860722ec6e477fab7cd6df2fb642516264988c240935b27b1379d4
Smoke Loader
3a67b0ab2662d759bfcaa276c5f65effbc1030f94f8ec0531ca5ab18e1aa9cbc
Smoke Loader
3c5aecd6a2e3b0699df8b04e5bc904733af2646f70f14241d7378c86faedbe16
Smoke Loader
3cb96ac6bb492a4aca87a578b439037b08a099feb4203ec99d5aebfcea6a3f7b
Smoke Loader
660c744497e3c7a2c24c94ace034bcda802af3a1bbaaa156828380647e058260
Smoke Loader
a41f46ef947c9ff3b1e5625e6cf5799e776a55e48f54f7fffe19e08e826de99a
Smoke Loader
a9baac6fc608e54c488768a8c6908b8c0f73353771e6442792d3ada09c5520d6
Smoke Loader
dee582a9de9d3898828df531fbaf1ee6d67bee111d5087241716d7af02777777
Smoke Loader
dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630
Smoke Loader
e5e2ef8cf7f3d9e07325520999ed8dc6b1e1bb97ad78ff9b21156c4ffa8dce4d
Smoke Loader
+ 100 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230527-kv1m3sbf9y/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
45.9.74.80/0bjdn2Z/index.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
Gathering data
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c5b4a032661a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5b4a032661a477c9397cf02cf946a3d321099bd876fd29f5352335b67f9a564

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe c5b4a032661a477c9397cf02cf946a3d321099bd876fd29f5352335b67f9a564

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2479364/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/392446/

Comments