MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d024915bbd2ed71435889c76a76d9e31bebd0a9cfb83e8e380676c1678d1c5a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d024915bbd2ed71435889c76a76d9e31bebd0a9cfb83e8e380676c1678d1c5a5
SHA3-384 hash: 3a8fcb301f57ec039494b919714b90ca52063200b05935a6772fb53efbea73136bfb2865cf2ecc41fca0a73fe33656d9
SHA1 hash: 2ea997b5445209d345b6783329be5736cacfd452
MD5 hash: e2838cf5ea5e9546c4b831932acf4416
humanhash: jupiter-delta-undress-glucose
File name:e2838cf5ea5e9546c4b831932acf4416.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:2'705'408 bytes
First seen:2023-12-08 17:52:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:4niCY3Ci+1wI4x4AzinxMc4aAsbPyiGYRTMDOw264l8E+ci:CViRNKmGrLD9RAD7qv
TLSH T113C533037EF84100EB75277149F71B7B02267DB28EBA413B379BC45548A2FC4A5E672A
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463699/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Downloader.Crifi-10009295-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a process
Launching a service
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer keylogger lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657358003636548f37437521/reports/cdfd339e-499b-42aa-bcdd-b848c9ba4443/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d024915bbd2ed71435889c76a76d9e31bebd0a9cfb83e8e380676c1678d1c5a5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/da127adc-18c2-4621-bb09-9fdefaef2ab0
Result
Threat name:
LummaC Stealer, PrivateLoader, PureLog S
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356440
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1356440 Sample: Etu1wbYYky.exe Startdate: 08/12/2023 Architecture: WINDOWS Score: 100 136 ipinfo.io 2->136 158 Snort IDS alert for network traffic 2->158 160 Found malware configuration 2->160 162 Malicious sample detected (through community Yara rule) 2->162 164 17 other signatures 2->164 13 Etu1wbYYky.exe 1 4 2->13         started        17 OfficeTrackerNMP131.exe 10 501 2->17         started        19 OfficeTrackerNMP131.exe 2->19         started        21 11 other processes 2->21 signatures3 process4 file5 116 C:\Users\user\AppData\Local\...\kL4Lp31.exe, PE32 13->116 dropped 118 C:\Users\user\AppData\Local\...\6xC4Pl8.exe, PE32 13->118 dropped 210 Binary is likely a compiled AutoIt script file 13->210 23 kL4Lp31.exe 1 4 13->23         started        120 C:\...\3WDMEkGn7mk45w9W5XBDArOUjDM1JayC.zip, Zip 17->120 dropped 212 Antivirus detection for dropped file 17->212 214 Multi AV Scanner detection for dropped file 17->214 216 Tries to steal Mail credentials (via file / registry access) 17->216 226 5 other signatures 17->226 27 WerFault.exe 17->27         started        218 Found many strings related to Crypto-Wallets (likely being stolen) 19->218 220 Disables Windows Defender (deletes autostart) 19->220 222 Tries to harvest and steal browser information (history, passwords, etc) 19->222 224 Machine Learning detection for dropped file 21->224 29 WerFault.exe 21->29         started        31 WerFault.exe 21->31         started        signatures6 process7 file8 100 C:\Users\user\AppData\Local\...\cj2wu33.exe, PE32 23->100 dropped 102 C:\Users\user\AppData\Local\...\5jh2OB2.exe, PE32 23->102 dropped 168 Antivirus detection for dropped file 23->168 170 Multi AV Scanner detection for dropped file 23->170 172 Machine Learning detection for dropped file 23->172 33 cj2wu33.exe 1 4 23->33         started        signatures9 process10 file11 84 C:\Users\user\AppData\Local\...\jd1zC47.exe, PE32 33->84 dropped 86 C:\Users\user\AppData\Local\...\4qO302sC.exe, PE32 33->86 dropped 148 Antivirus detection for dropped file 33->148 150 Multi AV Scanner detection for dropped file 33->150 152 Machine Learning detection for dropped file 33->152 37 jd1zC47.exe 1 4 33->37         started        signatures12 process13 file14 96 C:\Users\user\AppData\Local\...\3TA07as.exe, PE32 37->96 dropped 98 C:\Users\user\AppData\Local\...\1Pt37YH8.exe, PE32 37->98 dropped 166 Multi AV Scanner detection for dropped file 37->166 41 3TA07as.exe 37->41         started        44 1Pt37YH8.exe 11 508 37->44         started        signatures15 process16 dnsIp17 174 Multi AV Scanner detection for dropped file 41->174 176 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 41->176 178 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->178 186 3 other signatures 41->186 48 explorer.exe 41->48 injected 144 193.233.132.51, 49729, 49730, 49732 FREE-NET-ASFREEnetEU Russian Federation 44->144 146 ipinfo.io 34.117.59.81, 443, 49731, 49733 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 44->146 122 C:\Users\user\AppData\...\FANBooster131.exe, PE32 44->122 dropped 124 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 44->124 dropped 126 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 44->126 dropped 128 2 other malicious files 44->128 dropped 180 Tries to steal Mail credentials (via file / registry access) 44->180 182 Found many strings related to Crypto-Wallets (likely being stolen) 44->182 184 Found stalling execution ending in API Sleep call 44->184 188 7 other signatures 44->188 53 schtasks.exe 1 44->53         started        55 schtasks.exe 1 44->55         started        57 WerFault.exe 44->57         started        file18 signatures19 process20 dnsIp21 130 185.196.8.238 SIMPLECARRER2IT Switzerland 48->130 132 185.172.128.19, 49753, 80 NADYMSS-ASRU Russian Federation 48->132 134 81.19.131.34, 49750, 80 IVC-ASRU Russian Federation 48->134 88 C:\Users\user\AppData\Local\Temp\D7CE.exe, PE32+ 48->88 dropped 90 C:\Users\user\AppData\Local\Temp\CE67.exe, PE32 48->90 dropped 92 C:\Users\user\AppData\Local\Temp\CB39.exe, PE32 48->92 dropped 94 5 other malicious files 48->94 dropped 154 System process connects to network (likely due to code injection or exploit) 48->154 156 Benign windows process drops PE files 48->156 59 CB39.exe 48->59         started        63 1238.exe 48->63         started        65 D7CE.exe 48->65         started        71 3 other processes 48->71 67 conhost.exe 53->67         started        69 conhost.exe 55->69         started        file22 signatures23 process24 dnsIp25 104 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 59->104 dropped 106 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 59->106 dropped 198 Multi AV Scanner detection for dropped file 59->198 200 Machine Learning detection for dropped file 59->200 74 File2.exe 59->74         started        78 File1.exe 59->78         started        80 conhost.exe 59->80         started        108 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 63->108 dropped 110 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 63->110 dropped 112 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 63->112 dropped 114 2 other malicious files 63->114 dropped 202 Antivirus detection for dropped file 63->202 82 InstallSetup9.exe 63->82         started        204 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 65->204 206 Modifies the context of a thread in another process (thread injection) 65->206 208 Injects a PE file into a foreign processes 65->208 138 77.105.132.87 PLUSTELECOM-ASRU Russian Federation 71->138 file26 signatures27 process28 dnsIp29 140 176.123.7.190, 32927, 49755 ALEXHOSTMD Moldova Republic of 74->140 190 Multi AV Scanner detection for dropped file 74->190 192 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 74->192 194 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 74->194 196 2 other signatures 74->196 142 176.123.10.211, 47430, 49754 ALEXHOSTMD Moldova Republic of 78->142 signatures30
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d024915bbd2ed71435889c76a76d9e31bebd0a9cfb83e8e380676c1678d1c5a5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d024915bbd2ed71435889c76a76d9e31bebd0a9cfb83e8e380676c1678d1c5a5/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 08:38:29 UTC
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2asjcw55f3lrinmitr3ko3m6gg7l2cu47ob6ry4am5wbm6grywsq._file
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/231208-wfsvgadbe3/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
AutoIT Executable
Drops file in System32 directory
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
7a38c5667eb03f23c5dc5455d7c0d79b7093a2676fbf1c40bdb64c0a6bb6b531
MD5 hash:
fe14125ddb3f8c15d60acef053cc049a
SHA1 hash:
e6a88fc45c9244b5b2079a7fa49cef64e86a01ac
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/c68a47e8-8f6f-4e71-81ee-19028cb2c381/
SH256 hash:
3bca611dead53539a9d839033a1161b824105c39da9ce672eb4ad23e38f17bff
MD5 hash:
e8286bbb3d7880e492e28db2e5146e21
SHA1 hash:
4c35aaa1493570193522655365a796089c5ebb9f
Link:
https://www.unpac.me/results/c68a47e8-8f6f-4e71-81ee-19028cb2c381/
SH256 hash:
d024915bbd2ed71435889c76a76d9e31bebd0a9cfb83e8e380676c1678d1c5a5
MD5 hash:
e2838cf5ea5e9546c4b831932acf4416
SHA1 hash:
2ea997b5445209d345b6783329be5736cacfd452
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/c68a47e8-8f6f-4e71-81ee-19028cb2c381/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d024915bbd2e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d024915bbd2ed71435889c76a76d9e31bebd0a9cfb83e8e380676c1678d1c5a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe d024915bbd2ed71435889c76a76d9e31bebd0a9cfb83e8e380676c1678d1c5a5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/463699/

Comments