MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 17



SHA256 hash: e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964
SHA3-384 hash: 33a6001c1a992f7886d16b619f303d69b8b382cab9c7925e6f78e2a65b30d4fec4eb4e8f26157178628c5c7afd8ed6b8
SHA1 hash: f12921fead53f540793ae3ceec9ddd9d2cbf576b
MD5 hash: 6d06917a4f1ce19595f45d652cc3f5f1
humanhash: video-autumn-stream-sierra
File name: 6d06917a4f1ce19595f45d652cc3f5f1
Signature Smoke Loader
File size: 165'376 bytes
First seen: 2024-03-06 09:04:43 UTC
Last seen: 2024-03-06 10:28:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash c6d19c8fbbcd0c83570e7dbd10119e65 (2 x RiseProStealer, 2 x Smoke Loader)
ssdeep 3072:diZUCzlE+mKEYsBqbVj0Mx96KuuW58v7gyCXLO2Vf:d6UCz3SWVP96KM5CIO2F
TLSH T1E4F3AE0072E2C075F362E53459B4C3B34A3ABE725B7785BB2795263E0E72EF04965362
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon 3370ccd2c4f033da (1 x Smoke Loader)
Reporter zbetcheckin
Tags: 32 exe Smoke Loader

Intelligence


File Origin
# of uploads: 2
# of downloads: 417
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID: 1
File name: e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964.exe
Verdict: Malicious activity
Analysis date: 2024-03-06 09:08:28 UTC
Tags: loader smoke smokeloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Babuk, Clipboard Hijacker, Djvu,
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via Fodhelper.exe
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: (rendered graph not reproduced here; Behavior Graph ID: 1403881, Sample: dmDeFvntUL.exe, Startdate: 06/03/2024, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2024-03-06 09:05:06 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:dcrat family:djvu family:glupteba family:smokeloader family:vidar family:zgrat botnet:e2da5861d01d391b927839bbec00e666 botnet:tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Manipulates WinMonFS driver.
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
DcRat
Detect Vidar Stealer
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
SmokeLoader
Vidar
Windows security bypass
ZGRat
Malware Config
C2 Extraction:
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
http://sajdfue.com/test1/get.php
https://steamcommunity.com/profiles/76561199649267298
https://t.me/uprizin
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: pe_no_import_table
Description: Detect pe file that no import table
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Smoke Loader
File: Executable exe e2ee33a7a4d96b608f35b98c659f1e65642f4036353140ac2fd0ff5152eb4964 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                    | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                     | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)   | high
CHECK_PIE                 | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID                | Capabilities                   | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API      | Uses Win Base API              | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs     | KERNEL32.dll::WriteConsoleOutputCharacterA, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleAliasExesLengthA, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API   | Can Create Files               | KERNEL32.dll::CreateFileW, KERNEL32.dll::MoveFileExA, KERNEL32.dll::ReplaceFileW, KERNEL32.dll::GetFileAttributesA

Comments



zbet commented on 2024-03-06 09:04:44 UTC

url: hxxp://galandskiyher5.com/downloads/toolspub5.exe