MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea3c57beba44f6c55a756624401781f91ff6ad81d2070e9a1ed7e777f8596902. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea3c57beba44f6c55a756624401781f91ff6ad81d2070e9a1ed7e777f8596902
SHA3-384 hash: 1f8311dd017d68a6fb3cc22ab25b39c6213d9eb969b327bbc3c1e3d513addb95a651b3d03060df28f5d3ea97975bd3e0
SHA1 hash: 224f8753dc51e988d032b0e691b5be6bf2fb7295
MD5 hash: 799bd744fd2f36cd35af2ad698e40924
humanhash: west-fanta-mars-moon
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:293'376 bytes
First seen:2023-10-08 11:02:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 58b4037134287758faa5dc792dc5432b (4 x Smoke Loader, 2 x Tofsee, 1 x StrelaStealer)
ssdeep 3072:KcSqvr6krxBWX0I/ehSK/cJn0Bff/cKgwXbOTRse50qYQKSc/a9:8qveMWEuehSK/cJAXVXbOB5p
Threatray 330 similar samples on MalwareBazaar
TLSH T12B548E02A3E1AC21E5264E329E2DD1E4663EFDA1CDE9779B33587F1F08711E1C662712
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70d0ddd0d0d9d2dd (3 x Smoke Loader, 1 x Gozi, 1 x RedLineStealer)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from https://admiretourism.com/tmp/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
US US
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-08 11:17:07 UTC
Tags:
loader smoke
Link:
https://app.any.run/tasks/01309aba-0cca-4475-8205-59ae1dbc179b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.37421.9038.1498.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/65228c679b16696e9f965a13/reports/abbdfe09-ca99-4cda-9976-aa075cb365f9/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/ea3c57beba44f6c55a756624401781f91ff6ad81d2070e9a1ed7e777f8596902
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8d36d42a-9127-43bf-b973-ade15f94f32e
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1321700
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea3c57beba44f6c55a756624401781f91ff6ad81d2070e9a1ed7e777f8596902/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-08 11:03:05 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5i6fppv2it3mkwtvmyseaf4b7ep7nlmb2idq5gq627txp6czneba._file
Verdict:
malicious
Similar samples:
20876118000c7880a81dfcd768d92e7eed8b057ebb6b7996b70861b4e40af7ab
Smoke Loader
2ccc5bfb0096bb4869d51df3a095fed92c32e9d871132b696446cb491176d842
Smoke Loader
2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779
Smoke Loader
4dbfaea634739b44fe148e93d5d3d2881d79c96c9fb0fc715e1094162b8ebc31
Smoke Loader
558760eccb29978844276bb55fe1c6e7151786df8061388d73c7307a25ec51e3
Smoke Loader
712cf06bcef3ff8dccd7d96981de689bd1913610594ea2475aa99eee31654837
Smoke Loader
7ab5dac00d4e698d60fb5cd5da0abfdf1a3655af3bac10c3c986ae2647cf24a5
Smoke Loader
aa10e20d78fa075a2a3ee02a138bc3064a16d1ce77f279c8c114b20942324a13
Smoke Loader
b8fd1ed186575e539a94041165f7311eff6ba492fd55bb5a14b73fdac1362517
Smoke Loader
d470a81085a310f279d1c9df12ded798ca6e747ceec0b7e70051dcf1b229815f
Smoke Loader
+ 320 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub2 backdoor trojan
Link:
https://tria.ge/reports/231008-m5n35sdg63/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
998d2214e55d69906d35ca50879fff88e9bf0e224e8395800c7422f437ae1bf1
MD5 hash:
cd1261de6639744c3a586541d26cff78
SHA1 hash:
6d34c6fa4706035c67bf50a593790a33383c91da
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/1e08c0d5-128e-445e-9034-c4b4365fd7a5/
Parent samples :
2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779
ea3c57beba44f6c55a756624401781f91ff6ad81d2070e9a1ed7e777f8596902
63051a26214380ad54dde0ce6d6568050a9dda22f2f3f52616c355ee0edf4eda
f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673
73bf87821c4d157431ad75b465ce9f61486b12e8e3e86505c49a19348a3146d5
17ba75bcbbc244b204a9f2d3981df4c3161f53b47f167a1b953eba08e7a4a394
SH256 hash:
ea3c57beba44f6c55a756624401781f91ff6ad81d2070e9a1ed7e777f8596902
MD5 hash:
799bd744fd2f36cd35af2ad698e40924
SHA1 hash:
224f8753dc51e988d032b0e691b5be6bf2fb7295
Link:
https://www.unpac.me/results/1e08c0d5-128e-445e-9034-c4b4365fd7a5/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea3c57beba44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea3c57beba44f6c55a756624401781f91ff6ad81d2070e9a1ed7e777f8596902

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_no_import_table
Create hunting rule
Author:qux
Description:Detects exe does not have import table
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2718062/

Comments