MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
SHA3-384 hash: 395ed78560ae5e36dbd4c0540132f1a1b69b8a2b2c1ede819d1ccf9dd0b2b5e8cf4b2ab0cef5b641408e3086f32d7511
SHA1 hash: 5d0f447f4ccc89d7d79c0565372195240cdfa25f
MD5 hash: 9769c181ecef69544bbb2f974b8c0e10
humanhash: victor-michigan-carpet-beryllium
File name:9769c181ecef69544bbb2f974b8c0e10.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:287'744 bytes
First seen:2023-06-19 11:28:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 493c0587242c6f974644a1959b9764db (2 x GCleaner, 1 x SystemBC, 1 x Smoke Loader)
ssdeep 3072:Z5SXIMALRKEttgCWAbi1D1fJmxIV0BN3omE9MA5yXsztcJe9:GIMpEtCCWAbiBRmE9o6
Threatray 2'169 similar samples on MalwareBazaar
TLSH T16F544A03D2E17C61ED26CB768E2FC6E87B1EF5504F49BBA722089A2F05B11B2D173251
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 13434302020a0a40 (1 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
9769c181ecef69544bbb2f974b8c0e10.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 11:29:04 UTC
Tags:
loader smoke trojan stealer ransomware rat redline
Link:
https://app.any.run/tasks/e821e1f5-8234-4c7d-8190-c6ff4cc75917

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400395/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91558/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed smokeloader
Link:
https://www.filescan.io/uploads/64903c0068ccfa51b7d810fc/reports/fb44bbbd-2634-4132-9318-f300b8f58516/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6eea6529-6568-4f31-afe3-50f94408f06e
Result
Threat name:
Phobos, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257717
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May disable shadow drive data (uses vssadmin)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Delete shadow copy via WMIC
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Phobos
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 890738 Sample: bgqaip0Ock.exe Startdate: 19/06/2023 Architecture: WINDOWS Score: 100 88 serverlogs37.xyz 2->88 118 Found malware configuration 2->118 120 Malicious sample detected (through community Yara rule) 2->120 122 Antivirus detection for URL or domain 2->122 124 13 other signatures 2->124 13 bgqaip0Ock.exe 2->13         started        16 ethctjc 2->16         started        18 ethctjc 2->18         started        20 wbengine.exe 2->20         started        signatures3 process4 signatures5 142 Detected unpacking (changes PE section rights) 13->142 144 Contains functionality to inject code into remote processes 13->144 146 Injects a PE file into a foreign processes 13->146 22 bgqaip0Ock.exe 13->22         started        148 Multi AV Scanner detection for dropped file 16->148 150 Machine Learning detection for dropped file 16->150 25 ethctjc 16->25         started        27 ethctjc 18->27         started        152 Creates files inside the volume driver (system volume information) 20->152 process6 signatures7 134 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->134 136 Maps a DLL or memory area into another process 22->136 138 Checks if the current machine is a virtual machine (disk enumeration) 22->138 29 explorer.exe 12 14 22->29 injected 140 Creates a thread in another existing process (thread injection) 25->140 process8 dnsIp9 90 admhexlogs25.xyz 159.253.18.136, 49710, 49712, 49714 PAGM-ASEE Estonia 29->90 92 serverlogs37.xyz 5.45.127.9, 49709, 49711, 49713 PAGM-ASEE Estonia 29->92 72 C:\Users\user\AppData\Roaming\ethctjc, PE32 29->72 dropped 74 C:\Users\user\AppData\Local\Temp\D6FF.exe, PE32+ 29->74 dropped 76 C:\Users\user\AppData\Local\Temp\9F1A.exe, PE32 29->76 dropped 78 2 other malicious files 29->78 dropped 154 System process connects to network (likely due to code injection or exploit) 29->154 156 Benign windows process drops PE files 29->156 158 Performs DNS queries to domains with low reputation 29->158 160 4 other signatures 29->160 34 9F1A.exe 4 29->34         started        37 D6FF.exe 29->37         started        39 explorer.exe 6 29->39         started        41 16 other processes 29->41 file10 signatures11 process12 signatures13 100 Multi AV Scanner detection for dropped file 34->100 102 Detected unpacking (changes PE section rights) 34->102 104 Detected unpacking (overwrites its own PE header) 34->104 106 Drops PE files to the startup folder 34->106 43 9F1A.exe 1 34->43         started        108 Antivirus detection for dropped file 37->108 110 Machine Learning detection for dropped file 37->110 112 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->112 114 Tries to steal Mail credentials (via file / registry access) 39->114 116 Tries to harvest and steal browser information (history, passwords, etc) 39->116 45 powershell.exe 3 41->45         started        process14 process15 47 9F1A.exe 43->47         started        51 conhost.exe 45->51         started        file16 80 C:\Users\user\AppData\Roaming\...\9F1A.exe, PE32 47->80 dropped 82 C:\Users\user\AppData\Local\9F1A.exe, PE32 47->82 dropped 84 C:\ProgramData\Microsoft\Windows\...\9F1A.exe, PE32 47->84 dropped 86 desktop.ini.id[72C...rexsdata.pro].8base, data 47->86 dropped 94 Creates files in the recycle bin to hide itself 47->94 96 Creates autostart registry keys with suspicious names 47->96 98 Infects executable files (exe, dll, sys, html) 47->98 53 cmd.exe 47->53         started        56 cmd.exe 47->56         started        signatures17 process18 signatures19 126 May disable shadow drive data (uses vssadmin) 53->126 128 Deletes shadow drive data (may be related to ransomware) 53->128 130 Uses netsh to modify the Windows network and firewall settings 53->130 132 3 other signatures 53->132 58 conhost.exe 53->58         started        60 vssadmin.exe 53->60         started        62 WMIC.exe 53->62         started        70 3 other processes 53->70 64 conhost.exe 56->64         started        66 netsh.exe 56->66         started        68 netsh.exe 56->68         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 07:14:21 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fbpj2hlh62dep5to4jy6u63m3r6n3e6qkjq6szd3wi2l555ixia._file
Verdict:
malicious
Similar samples:
02a2eb47b6d8711c8a76cf30e0835a91ae9289540cfc9091ce837b809932c507
Smoke Loader
0c26ec308dc78ef090ebec907e1eb15d6dfdc28a85fa27e0a945fc5354a3e5f9
Smoke Loader
3e1b698626a7363a16f4c6c7aae8e5cad191be0ffb9c501c455abc259913655c
Smoke Loader
6ba6ba1ad5f6525a76e854affad5bb28d1e59c93bd26d88a9cf1da7b84ed3b27
Smoke Loader
93c048fa590c3fc63003ccec29071f13aebda830c4094430445fd996d8cca072
Smoke Loader
b0034b180eb42ba4e2dd14c964d84e50a4074b12c957496837e9bf002b34709b
Smoke Loader
b1a03e848235832237fff6c73ddfb785968b66ee3683c2dc1ec1e6be516ac461
Smoke Loader
b92797965358585eadbe928c2b8531c5575caa87cbcef1171a48f1941a10b740
Smoke Loader
e2890e9fa0e086c87f866ebcf6b83fed7029cc9221ecc19318af45a8608a11e8
Smoke Loader
e7b2ce3363313b6bcc7651b591e5fe8280f0ca40bd1e7652f6376cc3100cc441
Smoke Loader
+ 2'159 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:phobos family:smokeloader backdoor collection evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/230619-nljvraee91/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops desktop.ini file(s)
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Blocklisted process makes network request
Deletes backup catalog
Downloads MZ/PE file
Modifies Windows Firewall
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (472) files with added filename extension
Phobos
SmokeLoader
Malware Config
C2 Extraction:
http://serverlogs37.xyz/statweb255/
http://servblog757.xyz/statweb255/
http://dexblog45.xyz/statweb255/
http://admlogs.online/statweb255/
http://blogstat355.xyz/statweb255/
http://blogstatserv25.xyz/statweb255/
Unpacked files
SH256 hash:
b368d3dc26fa29edafd85dc4ff92c5e86b20e00111bce8cd3c3180fa67ab16b8
MD5 hash:
80e5ac72038eb2403ef581f71a937e67
SHA1 hash:
692011097ce7e77c52cb41809bf6977d5c49f799
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/0933b6fb-0ce4-4058-99fc-b4074e239e88/
SH256 hash:
e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
MD5 hash:
9769c181ecef69544bbb2f974b8c0e10
SHA1 hash:
5d0f447f4ccc89d7d79c0565372195240cdfa25f
Link:
https://www.unpac.me/results/0933b6fb-0ce4-4058-99fc-b4074e239e88/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e142f4e8eb3f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2666219/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/400395/

Comments