MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb7b2ae51a3cde01e9b5adb92aa9262ceb6fb9b499061b921550805dc1670419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb7b2ae51a3cde01e9b5adb92aa9262ceb6fb9b499061b921550805dc1670419
SHA3-384 hash: 8225987cff46bd052d1730d1c94c8c8db3a83ea84768e2eba51a08a36fd067848b9a78f80a0619f39d24b891ca1ca94c
SHA1 hash: 9ca59eec41c922241d75d70ec4639cbe75871ab1
MD5 hash: be441fb89f8fb2e714845db8968a8450
humanhash: massachusetts-september-november-cat
File name:file.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:295'936 bytes
First seen:2023-05-27 02:14:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd191f6a78cc98a8bbe61db18ad8e9a2 (5 x Glupteba, 4 x Smoke Loader, 3 x ArkeiStealer)
ssdeep 3072:5QQIwraBlqt2Gi7/6v63y1EvBSLKVX9hBvwRYTo57a8vMxKX5AL9qNT:OQIwr5tXM+636EvBKKVNh91PPxL
Threatray 5'464 similar samples on MalwareBazaar
TLSH T1E4543A1392E17D90E9264B739E2ECAE8771DF6548F09776522186EEF08F01B2D573382
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1343032302220300 (1 x Smoke Loader)
Reporter Chainskilabs
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-05-27 02:16:16 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/b35c34ac-db8b-4215-8192-f5530ba07f97

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392345/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Creating a file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a window
Sending an HTTP GET request
Delayed reading of the file
Running batch commands
Query of malicious DNS domain
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed xpack
Link:
https://www.filescan.io/uploads/647167a704bcf8bc554038ab/reports/afd24acc-3534-4aa1-8178-8ba0b1b9bf47/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cb7b2ae51a3cde01e9b5adb92aa9262ceb6fb9b499061b921550805dc1670419
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b219f0b9-c7f2-4775-9634-94f41e51cb27
Result
Threat name:
Amadey, Djvu, Fabookie, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243645
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 876653 Sample: file.exe Startdate: 27/05/2023 Architecture: WINDOWS Score: 100 129 Found malware configuration 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 Antivirus detection for URL or domain 2->133 135 14 other signatures 2->135 11 file.exe 2->11         started        14 2A86.exe 2->14         started        16 egirdhv 2->16         started        18 mnolyk.exe 2->18         started        process3 signatures4 165 Detected unpacking (changes PE section rights) 11->165 167 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->167 169 Maps a DLL or memory area into another process 11->169 20 explorer.exe 15 43 11->20 injected 171 Multi AV Scanner detection for dropped file 14->171 173 Detected unpacking (overwrites its own PE header) 14->173 175 Machine Learning detection for dropped file 14->175 181 2 other signatures 14->181 25 2A86.exe 14->25         started        177 Checks if the current machine is a virtual machine (disk enumeration) 16->177 179 Creates a thread in another existing process (thread injection) 16->179 process5 dnsIp6 115 80.66.203.53 UKFASTGB United Kingdom 20->115 117 217.174.148.28 TELEPOINTBG Bulgaria 20->117 119 12 other IPs or domains 20->119 83 C:\Users\user\AppData\Roaming\rvirdhv, PE32 20->83 dropped 85 C:\Users\user\AppData\Roaming\egirdhv, PE32 20->85 dropped 87 C:\Users\user\AppData\Local\Temp\FF94.exe, PE32 20->87 dropped 95 16 other malicious files 20->95 dropped 137 System process connects to network (likely due to code injection or exploit) 20->137 139 Benign windows process drops PE files 20->139 141 Deletes itself after installation 20->141 145 2 other signatures 20->145 27 6CD3.exe 5 20->27         started        31 51FB.exe 20->31         started        33 2A86.exe 20->33         started        35 7 other processes 20->35 89 C:\Users\user\_readme.txt, ASCII 25->89 dropped 91 C:\Users\user\...\ChromeSetup.exe.vatq (copy), MS-DOS 25->91 dropped 93 C:\Users\user\Downloads\ChromeSetup.exe, MS-DOS 25->93 dropped 97 4 other malicious files 25->97 dropped 143 Modifies existing user documents (likely ransomware behavior) 25->143 file7 signatures8 process9 file10 109 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 27->109 dropped 111 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 27->111 dropped 113 C:\Users\user\AppData\Local\...113ewPlayer.exe, PE32 27->113 dropped 191 Antivirus detection for dropped file 27->191 193 Multi AV Scanner detection for dropped file 27->193 195 Machine Learning detection for dropped file 27->195 37 NewPlayer.exe 27->37         started        41 aafg31.exe 13 27->41         started        44 XandETC.exe 27->44         started        46 XandETC.exe 27->46         started        197 Detected unpacking (changes PE section rights) 31->197 199 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 31->199 201 Maps a DLL or memory area into another process 31->201 207 2 other signatures 31->207 203 Detected unpacking (overwrites its own PE header) 33->203 205 Injects a PE file into a foreign processes 33->205 48 2A86.exe 33->48         started        50 7562.exe 12 35->50         started        52 conhost.exe 35->52         started        54 E53B.exe 35->54         started        56 2 other processes 35->56 signatures11 process12 dnsIp13 99 C:\Users\user\AppData\Local\...\mnolyk.exe, PE32 37->99 dropped 147 Antivirus detection for dropped file 37->147 149 Multi AV Scanner detection for dropped file 37->149 151 Machine Learning detection for dropped file 37->151 58 mnolyk.exe 37->58         started        121 103.100.211.218 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 41->121 123 154.221.31.191 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 41->123 127 3 other IPs or domains 41->127 153 Tries to harvest and steal browser information (history, passwords, etc) 41->153 101 C:\Program Files101otepad\Chrome\updater.exe, PE32+ 46->101 dropped 155 Adds a directory exclusion to Windows Defender 46->155 103 C:\Users\user\AppData\Local\...\2A86.exe, PE32 48->103 dropped 62 icacls.exe 48->62         started        125 162.0.217.254 ACPCA Canada 50->125 file14 signatures15 process16 file17 105 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 58->105 dropped 107 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 58->107 dropped 183 Antivirus detection for dropped file 58->183 185 Multi AV Scanner detection for dropped file 58->185 187 Creates an undocumented autostart registry key 58->187 189 2 other signatures 58->189 64 rundll32.exe 58->64         started        66 cmd.exe 58->66         started        68 schtasks.exe 58->68         started        signatures18 process19 process20 70 rundll32.exe 64->70         started        73 conhost.exe 66->73         started        75 cmd.exe 66->75         started        77 cacls.exe 66->77         started        81 4 other processes 66->81 79 conhost.exe 68->79         started        signatures21 157 System process connects to network (likely due to code injection or exploit) 70->157 159 Tries to steal Instant Messenger accounts or passwords 70->159 161 Tries to harvest and steal ftp login credentials 70->161 163 Tries to harvest and steal browser information (history, passwords, etc) 70->163
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb7b2ae51a3cde01e9b5adb92aa9262ceb6fb9b499061b921550805dc1670419/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-05-27 02:15:05 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zn5svzi2htpad2nvvw4svkjgftvw7onutedbxeqvkcaf3qlhaqmq._file
Verdict:
malicious
Similar samples:
0ba63ada2388f13e0e3bdfa0fd9165363e22bf4b74299d3c3e38154858e0702f
Smoke Loader
478bd4b9c09586ef6c80ff69bec832acec92bcc6050b300973bc33537bd8ed76
Smoke Loader
75a01b4c88fec9cd0f81f510360056a86aab4e3776919f7aaaaa7d20a7c6127f
Smoke Loader
83ae51213d394416faf63b7bcf557504d3840d66119ab79549e6bf24ae94a57e
Smoke Loader
86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc
Smoke Loader
a214f32ddf5faff1a241365cd23186698ffc3c91042b12584e4bcbb324c2a069
Smoke Loader
a4222ea2dec639a850eff45a80cea109bc4469c5c9173e44e1c0e3a1707c8bbb
Smoke Loader
d46fec4abba46efe6663f19c2d9963a612f4ff25023c0dc6fc5bb559f106859d
Smoke Loader
+ 5'454 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230527-cpkexaab82/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
45.9.74.80/0bjdn2Z/index.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
Gathering data
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb7b2ae51a3c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb7b2ae51a3cde01e9b5adb92aa9262ceb6fb9b499061b921550805dc1670419

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe cb7b2ae51a3cde01e9b5adb92aa9262ceb6fb9b499061b921550805dc1670419

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/392345/
  
URLhaus
https://urlhaus.abuse.ch/url/2479364/

Comments