MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df00495c90fb232caa1ae4a5cbaf9ab7460f8bc05fe56286eaa89e82500f0d05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df00495c90fb232caa1ae4a5cbaf9ab7460f8bc05fe56286eaa89e82500f0d05
SHA3-384 hash: 96fb187bd612b628f1a28ea449d472cc20f37d5907aefcd54fa0f21efb4c57b647ef5509f3a88b61dd94c58ff4fb3db2
SHA1 hash: e847116021531b7c6698d0139a71df35063a4f44
MD5 hash: 9dfb568692c3817a381c171965d30e1c
humanhash: pennsylvania-red-helium-arkansas
File name:9dfb568692c3817a381c171965d30e1c
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:279'552 bytes
First seen:2023-09-15 12:31:29 UTC
Last seen:2023-09-15 14:40:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ed59ec9c2e7c8ef8d97dbc8b84b56759 (4 x Stealc, 4 x Smoke Loader, 3 x RedLineStealer)
ssdeep 3072:K/oB7ISXgMoBYQe1+MGnohWMj/67N2RlZlINHebymvjoU5mN3vcI:BBxXgMoqQA+kNjSJ2R7lwiymLoCI
Threatray 1'455 similar samples on MalwareBazaar
TLSH T166549F12B3D0E871D5264A338D29CAF4E62DFD61FE64679B23187F2F09B02E18572752
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0018182711180800 (1 x Amadey, 1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
312
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
9dfb568692c3817a381c171965d30e1c
Verdict:
Malicious activity
Analysis date:
2023-09-15 12:34:09 UTC
Tags:
loader smoke
Link:
https://app.any.run/tasks/85fc2b76-c8d5-4631-80f4-5beda978b729

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448842/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.28601.32054.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware lolbin packed shell32
Link:
https://www.filescan.io/uploads/65044ec59bae8a378558788e/reports/38be01db-082b-458b-a4d1-d3f803bcb669/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/df00495c90fb232caa1ae4a5cbaf9ab7460f8bc05fe56286eaa89e82500f0d05
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d7a144a3-ecf6-498c-bcab-399c47b93e39
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308935
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308935 Sample: 9y3UsbwMtH.exe Startdate: 15/09/2023 Architecture: WINDOWS Score: 100 26 Multi AV Scanner detection for domain / URL 2->26 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 5 other signatures 2->32 6 9y3UsbwMtH.exe 2->6         started        9 guitevb 2->9         started        process3 signatures4 34 Detected unpacking (changes PE section rights) 6->34 36 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 6->36 38 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 6->38 46 2 other signatures 6->46 11 explorer.exe 5 3 6->11 injected 40 Multi AV Scanner detection for dropped file 9->40 42 Machine Learning detection for dropped file 9->42 44 Maps a DLL or memory area into another process 9->44 process5 dnsIp6 20 187.212.185.70, 49717, 49724, 49725 UninetSAdeCVMX Mexico 11->20 22 186.182.55.44, 49764, 80 TechtelLMDSComunicacionesInteractivasSAAR Argentina 11->22 24 10 other IPs or domains 11->24 16 C:\Users\user\AppData\Roaming\guitevb, PE32 11->16 dropped 18 C:\Users\user\...\guitevb:Zone.Identifier, ASCII 11->18 dropped 48 System process connects to network (likely due to code injection or exploit) 11->48 50 Benign windows process drops PE files 11->50 52 Deletes itself after installation 11->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->54 file7 signatures8
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/df00495c90fb232caa1ae4a5cbaf9ab7460f8bc05fe56286eaa89e82500f0d05/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-09-15 12:32:05 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=34aesxeq7mrszkq24ss4xl42w5da7c6al7swfbxkvcpieuapbucq._file
Verdict:
malicious
Similar samples:
15b5e85db3255b5984baeefc6baea2fbe1bacb772b3002bbd69df33fdb57833a
Smoke Loader
2de6754a429fb1bf67e370615ec3c27d10ff20749b3df395c16726e964f4ae72
Smoke Loader
2f994415631983bba52382aaf836e8679fbdfa77a05d3e6647fab9ef725e55b6
Smoke Loader
34f122f1f2078367b52f59c04bdce076617445442f95c62b96ec104e8ee733df
Smoke Loader
34f4adf3311c95f94e81cbc03d336101fb497ba01eca33e6c4656b9e56514563
Smoke Loader
86706e3bf9afefd55a0c2d7d98c163ca63e1eb4214951f789fbb596973ae7a6e
Smoke Loader
8df6ff949de778a20deb98bd90e21d9e9449045b73f75cd62c051957997882bb
Smoke Loader
9f78f23917333e4e4ee095e36f159d24d29117296c458b748831d4c0ede6b938
Smoke Loader
ee1e789a40e3cc8ff607726cbe0a8b72b86a51e933787a7074ac6c0b58bc59c7
Smoke Loader
f432f9cb89ee9ea1704bf3d33c85f19483a4258f4277b126201930dff9d119f5
Smoke Loader
+ 1'445 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:stealc botnet:pub4 backdoor infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230915-pql2caed84/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Deletes itself
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
RedLine
RedLine payload
SmokeLoader
Stealc
Malware Config
C2 Extraction:
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
http://85.209.11.51
Gathering data
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df00495c90fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df00495c90fb232caa1ae4a5cbaf9ab7460f8bc05fe56286eaa89e82500f0d05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe df00495c90fb232caa1ae4a5cbaf9ab7460f8bc05fe56286eaa89e82500f0d05

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2711885/
Cape
Cape
https://www.capesandbox.com/analysis/448842/

Comments


Avatar
zbet commented on 2023-09-15 12:31:30 UTC

url : hxxps://ig-alajman.com/tmp/index.php