MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483
SHA3-384 hash:	9fde8ce6722dae2fc82a8dd244b73334571550a79a920fba1ca5b376d52dac58958a24ed03ab0ef3448adf4d0b1cd300
SHA1 hash:	a2519bbfcd1c1c4f5558df52caa038ce4cb97448
MD5 hash:	8d497ad51a5e074060134dcb2d49786c
humanhash:	queen-moon-lion-delaware
File name:	8d497ad51a5e074060134dcb2d49786c.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	273'408 bytes
First seen:	2024-02-29 09:59:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a24ea59447df74f26ce8c1567f650e9c (4 x Smoke Loader, 1 x Stealc, 1 x Socks5Systemz)
ssdeep	3072:LBhoLytqNiryGxcInMp3/ZaBesq5GBrPKWZlhy8paIYWLXfag5Z34zT+yx:IERryGfnC/sM5irPK6hjtYCyQ34zT
TLSH	T1FA44D01276A2D0F3C56704315C60CAF82A7B7C368AB7A55B33943FBF2E316A07A56351
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.1% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	2b2316120a020610 (1 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

397

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe

Verdict:

Malicious activity

Analysis date:

2024-02-29 10:06:51 UTC

Tags:

loader smoke smokeloader

Link:

https://app.any.run/tasks/b80b6d86-b5b0-4cf1-923d-9df46f4c7212

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

azorult fingerprint packed

Link:

https://www.filescan.io/uploads/65e055a460cf7d7d92ae5f9b/reports/407fb4ff-b8a3-42c5-aa13-9b56edf85c7f/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/516e356e-b87c-4382-9a46-9afba3625c4e

Result

Threat name:

LummaC, SmokeLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1400826

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Potential thread-based time evasion detected

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483

Detection:

smokeloader

Link:

https://mwdb.cert.pl/sample/dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2024-02-28 01:29:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3vasbflsrf3rgmdt5gfv3dllbg5gl5xxqq7usvtd3gxrhenbqsbq._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader botnet:pub3 backdoor trojan

Link:

https://tria.ge/reports/240229-l1m5lsdh85/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://kamsmad.com/tmp/index.php
http://souzhensil.ru/tmp/index.php
http://teplokub.com.ua/tmp/index.php

Unpacked files

SH256 hash:

df5a1e9c0c3f1dbc8cbec976d6d0285bbf380f7f88f7c3c039a7ae9dac1080bb

MD5 hash:

8528f444addc16ef1d588ca2eb5daac9

SHA1 hash:

00afbaca5ced65838c671568d7e1f6a05d6bb428

Detections:

SmokeLoaderStage2

win_smokeloader_a2

Link:

https://www.unpac.me/results/022afae8-f839-497c-bb88-fb24a5366e1f/

SH256 hash:

dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483

MD5 hash:

8d497ad51a5e074060134dcb2d49786c

SHA1 hash:

a2519bbfcd1c1c4f5558df52caa038ce4cb97448

Link:

https://www.unpac.me/results/022afae8-f839-497c-bb88-fb24a5366e1f/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dd4120957289/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2749986/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample