MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0
SHA3-384 hash: a832fe180573d52a77dd655adbb91a539ced66b7411b39cc0280c44d00ce4d3e023c63fc2e5933b1b1f94b6e455c458c
SHA1 hash: b026d3a0c0e46ae59d302d16d5ea189e8f469f9e
MD5 hash: 3bc91c80e89a1e1029e8f2296cc08d8c
humanhash: coffee-white-don-alabama
File name:3bc91c80e89a1e1029e8f2296cc08d8c
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:837'632 bytes
First seen:2022-11-27 07:34:57 UTC
Last seen:2022-11-27 09:33:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'648 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:A17r0U376CZ1S4Sjnw58kaJTbk0VkFg/IyXt:qdSFw5RykoX
Threatray 15'210 similar samples on MalwareBazaar
TLSH T1F805E02476A7BE72D25CDE31C1C271183FF18F095532FA06DEBB32A51E023A56D93689
TrID 59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.6% (.SCR) Windows screen saver (13097/50/3)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
371
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
219c1d87426d8ed8b3e62176d1291f80.exe
Verdict:
Malicious activity
Analysis date:
2022-11-27 07:20:54 UTC
Tags:
loader trojan rat redline
Link:
https://app.any.run/tasks/7dbbbd32-b832-4535-8529-35f2d5f91cc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/338971/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22799.31078.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6383132a559d07a06f47b7f0/reports/23fc3ec3-7b44-4bd8-bd2e-2309c8209c97/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00c2c8d4-ea1c-44bb-8a05-d1fcd0704592
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121841
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 754558 Sample: H32Mnb3sB8.exe Startdate: 27/11/2022 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 6 other signatures 2->45 8 H32Mnb3sB8.exe 3 2->8         started        11 vjuebcu 3 2->11         started        process3 file4 35 C:\Users\user\AppData\...\H32Mnb3sB8.exe.log, ASCII 8->35 dropped 14 H32Mnb3sB8.exe 8->14         started        17 H32Mnb3sB8.exe 8->17         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 19 vjuebcu 11->19         started        signatures5 process6 signatures7 67 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->67 69 Maps a DLL or memory area into another process 14->69 71 Checks if the current machine is a virtual machine (disk enumeration) 14->71 21 explorer.exe 3 14->21 injected 73 Creates a thread in another existing process (thread injection) 19->73 process8 dnsIp9 37 akmedia.in 192.185.150.20, 49699, 80 UNIFIEDLAYER-AS-1US United States 21->37 31 C:\Users\user\AppData\Roaming\vjuebcu, PE32 21->31 dropped 33 C:\Users\user\...\vjuebcu:Zone.Identifier, ASCII 21->33 dropped 47 System process connects to network (likely due to code injection or exploit) 21->47 49 Benign windows process drops PE files 21->49 51 Injects code into the Windows Explorer (explorer.exe) 21->51 53 3 other signatures 21->53 26 explorer.exe 24 21->26         started        29 explorer.exe 21->29         started        file10 signatures11 process12 signatures13 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->55 57 Tries to steal Mail credentials (via file / registry access) 26->57 59 Tries to harvest and steal browser information (history, passwords, etc) 26->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-11-26 19:39:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bp3v3gn5nj3hbz2rngunnzxjhshlp5t5lazmfd5yftz3orlo2qa._file
Verdict:
malicious
Similar samples:
130f08f0223deb0d2b724fd6eb60f066401e417d2ecb5cb17117f83eb4a13d9a
Smoke Loader
1bf88fc065b95903f75a4a8ad6eea6573752e93697229a347279322238c4b8fc
Smoke Loader
22d7e40c7ecc7fabf7f7b562e2d476dd0697e0f0482ce646de7771b44c29b1e9
Smoke Loader
51e0e7e4fe62c83990f3f6d6e276f8bed4fd4a0cb8c50eb69fff6d57368e7d11
Smoke Loader
69defd1bc9aa9202f2bd5187af27b602533f6845285a8a2625143bf58b0233a2
Smoke Loader
73bf13b3d4db23b0b06b7880d674cefe66499fcc9b7874a0cf7b0d1d9400725f
Smoke Loader
b51e3ccc7561b37b397226d4474acaecf3f0590ff0cc9d64fbd85a67fb9ba82a
Smoke Loader
+ 15'200 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/221127-jensxaab53/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detects Smokeloader packer
SmokeLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f6b20bae-013d-4b42-9f16-34e37be40d8c
Unpacked files
SH256 hash:
a9ed9095cef97315168bf1f0af4245ad23323d2d66a990892a87cfab0cafb5cd
MD5 hash:
f6d1cf88131a88b4eeaf3d3fbd872253
SHA1 hash:
d121d444a4f257c5cd0ac27c0c1341a19fd1cae1
Link:
https://www.unpac.me/results/4325e5a1-c505-4ad4-987d-da0328a6cd46/
SH256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
Link:
https://www.unpac.me/results/4325e5a1-c505-4ad4-987d-da0328a6cd46/
SH256 hash:
b309e86dc3ed1154d52c261bab87bd2525da8ed04333c98d67b9a26b5f09b895
MD5 hash:
e93696908950607833c336f7783f97a8
SHA1 hash:
7508f5587eb1fa5b61085899c873182709e45e33
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/4325e5a1-c505-4ad4-987d-da0328a6cd46/
Parent samples :
e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0
e27879b1cbd53ab565e049393da99ed5efa099a5eaf1e2595d44bdaea1d60ddf
3ca5c084c426778531369c1ee21d484c4979187ba10b886d29f3a37dd2e1c050
b309e86dc3ed1154d52c261bab87bd2525da8ed04333c98d67b9a26b5f09b895
SH256 hash:
e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0
MD5 hash:
3bc91c80e89a1e1029e8f2296cc08d8c
SHA1 hash:
b026d3a0c0e46ae59d302d16d5ea189e8f469f9e
Link:
https://www.unpac.me/results/4325e5a1-c505-4ad4-987d-da0328a6cd46/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e85fbaeccdeb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2434493/
Cape
Cape
https://www.capesandbox.com/analysis/338971/

Comments


Avatar
zbet commented on 2022-11-27 07:34:58 UTC

url : hxxp://167.88.170.23/s101.exe