MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaf9fcf210002cf39af2e76d18880bef6954079b1e6107c4bce5ac7d2b0e0dec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaf9fcf210002cf39af2e76d18880bef6954079b1e6107c4bce5ac7d2b0e0dec
SHA3-384 hash: a4fd09654843cb80ba980de2f230a94b28e05086f22bb5bced43567d5f99bfe071c81eaff7dbaae4e250bd33c1d5ba87
SHA1 hash: d05cb69ea15f94f8789d403435f9cfc3a62d7b6e
MD5 hash: 5551eee868fbb9d59dd922efa25790bf
humanhash: spring-music-butter-four
File name:5551eee868fbb9d59dd922efa25790bf
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:220'160 bytes
First seen:2023-09-18 13:25:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a43f06494f4b57894e755b6728f01152 (3 x Stealc, 2 x RedLineStealer, 2 x Gozi)
ssdeep 3072:hAXEvLIoSX79i+7y6WLvlZ1nDIUGifKGBzYPVav57IKTJc4:KEvLqX79UlLfdEWKyHIKT
Threatray 1'537 similar samples on MalwareBazaar
TLSH T13424CE2135A2D0B2D5A74135883CDAE4BA7BB8735A754D8B33683B7F7D303919B66302
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 08181a3440808000 (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5551eee868fbb9d59dd922efa25790bf
Verdict:
Suspicious activity
Analysis date:
2023-09-18 13:26:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f984ca73-cca3-470e-af8f-ae4638f639f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449359/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/65084fee83a0c6425df85d19/reports/a9828e3a-59bb-4e32-80fa-18f8b70c2c9b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/eaf9fcf210002cf39af2e76d18880bef6954079b1e6107c4bce5ac7d2b0e0dec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/81cd019a-e3d1-424d-bd8a-c2e28410457b
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310043
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1310043 Sample: rGL4xRXYRq.exe Startdate: 18/09/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for domain / URL 2->68 70 Found malware configuration 2->70 72 6 other signatures 2->72 9 rGL4xRXYRq.exe 2->9         started        12 vfecjaw 2->12         started        14 msiexec.exe 2->14         started        process3 signatures4 106 Detected unpacking (changes PE section rights) 9->106 108 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->108 110 Maps a DLL or memory area into another process 9->110 120 2 other signatures 9->120 16 explorer.exe 3 8 9->16 injected 112 Antivirus detection for dropped file 12->112 114 Multi AV Scanner detection for dropped file 12->114 116 Machine Learning detection for dropped file 12->116 118 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->118 process5 dnsIp6 60 nebraska-pizza.com 45.61.136.186, 443, 49741, 49742 AS40676US United States 16->60 62 192.168.2.1 unknown unknown 16->62 52 C:\Users\user\AppData\Roaming\vfecjaw, PE32 16->52 dropped 54 C:\Users\user\AppData\Local\Temp\F38B.exe, PE32+ 16->54 dropped 56 C:\Users\user\AppData\Local\Temp\D656.exe, PE32+ 16->56 dropped 58 C:\Users\user\...\vfecjaw:Zone.Identifier, ASCII 16->58 dropped 74 System process connects to network (likely due to code injection or exploit) 16->74 76 Benign windows process drops PE files 16->76 78 Injects code into the Windows Explorer (explorer.exe) 16->78 80 3 other signatures 16->80 21 F38B.exe 1 14 16->21         started        24 D656.exe 14 16->24         started        26 explorer.exe 16->26         started        28 7 other processes 16->28 file7 signatures8 process9 dnsIp10 82 Multi AV Scanner detection for dropped file 21->82 84 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->84 86 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 21->86 31 cmd.exe 21->31         started        88 Tries to harvest and steal browser information (history, passwords, etc) 24->88 90 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 24->90 33 cmd.exe 24->33         started        92 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 26->92 94 Hijacks the control flow in another process 26->94 96 Changes memory attributes in foreign processes to executable or writable 26->96 104 2 other signatures 26->104 64 nebraska-pizza.com 28->64 98 System process connects to network (likely due to code injection or exploit) 28->98 100 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->100 102 Tries to steal Mail credentials (via file / registry access) 28->102 35 conhost.exe 28->35         started        37 WMIC.exe 28->37         started        39 WMIC.exe 28->39         started        41 5 other processes 28->41 signatures11 process12 process13 43 WMIC.exe 31->43         started        46 conhost.exe 31->46         started        48 WMIC.exe 31->48         started        50 6 other processes 31->50 signatures14 122 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 43->122 124 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 43->124
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eaf9fcf210002cf39af2e76d18880bef6954079b1e6107c4bce5ac7d2b0e0dec/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-09-18 13:26:09 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5l47z4qqaawphgxs45wrrcal55uvib43dzqqprf44wwh2kyobxwa._file
Verdict:
malicious
Similar samples:
0ab54468721453d7237df27d4dd6383366edb5cc3bfab9a20d48a2416ca2aed8
Smoke Loader
570b78e257dd735efb0c0dd74b76954645421f7c1f4d98995595150e3e21da31
Smoke Loader
8113159e0ac7c44fb49f3231ea9541e2d9ce9fd06dee9887037349e3370e6e73
Smoke Loader
9e6ce673dc161fc54b110782f18ec9bb3690b9ccdde494196ccb5bb0381dfa94
Smoke Loader
bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
Smoke Loader
bfe83b5436233b54ba7808d535042708313d5ec62aece600d943798f5c62efda
Smoke Loader
d896e1c6f1124eb8cf19f29d2dec8d35203cfd4ea36636549e178a1a06de10db
Smoke Loader
eeda861f847c8e1965617979471e1983b9fa1838fb804e4d67c7c22b36b9b462
Smoke Loader
+ 1'527 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:0023 backdoor collection evasion spyware stealer trojan
Link:
https://tria.ge/reports/230918-qph4qshe6z/
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Modifies Windows Firewall
SmokeLoader
Malware Config
C2 Extraction:
https://nebraska-pizza.com/search.php
https://alaska-ships.com/search.php
Unpacked files
SH256 hash:
3bf4a00c575053d20d95b78eaa4e389fa83599501f0147ce7c36098f3d7de522
MD5 hash:
56dd145d3bc536592246ec52f9e544fe
SHA1 hash:
e7de1e42f73aa8457f88eb2f6334d379a4126e6b
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/b6f5150a-744a-4dd2-86e0-ba6d2403f697/
Parent samples :
570b78e257dd735efb0c0dd74b76954645421f7c1f4d98995595150e3e21da31
eaf9fcf210002cf39af2e76d18880bef6954079b1e6107c4bce5ac7d2b0e0dec
ee7042c2f270f30b2b966f6b74fc0b73688201f7383b0c939724fc8e8a0ba330
9cfcac8bcae24c1abf6ba88298ba8182e92f0e8a2917086f4bc6c57614444f21
9cd51e10e0654c87d3e1ebcd86f93f90e6314c6f8538f25d9c8a15ac48827c9b
77001b2295a241e528cb83f69879f3137f1ff9fd33b9d4d5bf2f879c6b67f69c
SH256 hash:
eaf9fcf210002cf39af2e76d18880bef6954079b1e6107c4bce5ac7d2b0e0dec
MD5 hash:
5551eee868fbb9d59dd922efa25790bf
SHA1 hash:
d05cb69ea15f94f8789d403435f9cfc3a62d7b6e
Link:
https://www.unpac.me/results/b6f5150a-744a-4dd2-86e0-ba6d2403f697/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eaf9fcf21000/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eaf9fcf210002cf39af2e76d18880bef6954079b1e6107c4bce5ac7d2b0e0dec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe eaf9fcf210002cf39af2e76d18880bef6954079b1e6107c4bce5ac7d2b0e0dec

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2712313/
Cape
Cape
https://www.capesandbox.com/analysis/449359/

Comments


Avatar
zbet commented on 2023-09-18 13:25:53 UTC

url : hxxp://66.85.156.93/ku923.exe