MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd3e1831de588644e2706fa76f1b8bdd13e575cd648b6db24ddc4c9016ab978b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Smoke Loader
Vendor detections: 17

SHA256 hash: cd3e1831de588644e2706fa76f1b8bdd13e575cd648b6db24ddc4c9016ab978b
SHA3-384 hash: cf9baf0e03c24664c4aba35065173a7d70689ed4ded18e38cf5b3d906ca7ccc67c93ccf77ee96018e11e921d3a907233
SHA1 hash: c6cefe5f43a66008d8add311f68a9b35b90d436d
MD5 hash: 90bb9361d179d99c57620e4c9b43c68a
humanhash: north-leopard-low-vermont
File name: 90bb9361d179d99c57620e4c9b43c68a.exe
Signature: Smoke Loader
File size: 177'664 bytes
First seen: 2023-03-17 09:23:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4b2faf5e2157c756cf2fd31d6cfd3d44 (4 x Stop, 4 x Smoke Loader, 4 x Rhadamanthys)
ssdeep: 3072:gXkXJHykwmY6FRW77HrL5qYuiJaSe0QyICfOtuvm/hVgdJB:rXJSQc7LL5qYuiJEZCfq/hwJ
Threatray: 62 similar samples on MalwareBazaar
TLSH: T11D048D0393F5BC64F5164B719E2EC6F47A5EF4138E69AF6B22185E2F08702B2C56E311
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 149ad0e448426262 (1 x Smoke Loader)
Reporter: abuse_ch
Tags: exe Smoke Loader

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 205
Origin country: n/a

Vendor Threat Intelligence

Malware family:
ID: 1
File name: 90bb9361d179d99c57620e4c9b43c68a.exe
Verdict: Malicious activity
Analysis date: 2023-03-17 09:30:11 UTC
Tags: loader smoke trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Creating a process from a recently created file
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware mokes packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Aurora, DanaBot, RedLine, SmokeLoader, S
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100

Signature:
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara Aurora Stealer
Yara detected DanaBot stealer dll
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Behaviour

Behavior Graph (ID 828557; sample o9yHH9sxKX.exe; start date 17/03/2023; architecture WINDOWS; score 100)

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 11 other signatures

Process tree (node numbers are the graph's own):
  [10] o9yHH9sxKX.exe (started)
    signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
    -> [17] explorer.exe (injected)
      network: vispik.at 186.182.55.44 ports 49698, 49700, 49710 (TechtelLMDSComunicacionesInteractivasSAAR, Argentina); 175.119.10.231 ports 49709, 49713, 49717 (SKB-ASSKBroadbandCoLtdKR, Korea Republic of); 6 other IPs or domains
      dropped: C:\Users\user\AppData\Roaming\tgertsg (PE32); C:\Users\user\AppData\Local\Temp\97E5.exe (PE32); C:\Users\user\AppData\Local\Temp\9074.exe (PE32); 3 other malicious files
      signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
      -> [22] 9074.exe (started)
        network: i.ibb.co 162.19.58.161 ports 443, 49729 (CENTURYLINK-US-LEGACY-QWESTUS, United States)
        dropped: C:\Users\user\AppData\Roaming\...\build.exe (PE32+)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
        -> [33] build.exe (started)
          network: 138.201.198.8 (HETZNER-ASDE, Germany)
          -> [42] cmd.exe -> [48] conhost.exe, [50] WMIC.exe
          -> [44] cmd.exe -> [52] conhost.exe, [54] WMIC.exe
          -> [46] WMIC.exe -> [56] conhost.exe
        -> [36] InstallUtil.exe (started)
      -> [27] 58DD.exe (started)
        network: azqewrtynuytcdrxrszaesxcdtfvbgu.shop 104.21.30.119 (CLOUDFLARENETUS, United States)
        signatures: Antivirus detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Tries to steal Mail credentials (via file / registry access); 2 other signatures
        -> [38] conhost.exe (started)
      -> [29] 97E5.exe (started)
        dropped: C:\Users\user\AppData\...\Wtoahoepfise.dll (PE32)
        signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
        -> [40] rundll32.exe (started)
      -> [31] 3BBF.exe (started)
  [13] tgertsg (started)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration)
  [15] 3BBF.exe (started)
Threat name: Win32.Trojan.Vidar
Status: Malicious
First seen: 2023-03-17 08:34:12 UTC
File Type: PE (Exe)
Extracted files: 26
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader botnet:pub4 backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
SmokeLoader
Malware Config
C2 Extraction:
http://vispik.at/tmp/
http://ekcentric.com/tmp/
http://hbeat.ru/tmp/
http://mordo.ru/tmp/
Unpacked files
SHA256 hash: 93aa95fb6ff1197842539ad7d33661578c19614b641bc01b1339e9c74e8f6077
MD5 hash: 79e11ad9206a0e4207a1916c41d485e3
SHA1 hash: 7b2e2d5c564fe560f76bf3db8ce91acef6db1b3e
Detections: SmokeLoaderStage2 win_smokeloader_a2

SHA256 hash: cd3e1831de588644e2706fa76f1b8bdd13e575cd648b6db24ddc4c9016ab978b
MD5 hash: 90bb9361d179d99c57620e4c9b43c68a
SHA1 hash: c6cefe5f43a66008d8add311f68a9b35b90d436d

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Smoke Loader
File type: Executable exe
SHA256: cd3e1831de588644e2706fa76f1b8bdd13e575cd648b6db24ddc4c9016ab978b (this sample)

Delivery method: Distributed via web download

Comments