MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed46b52239426cb32b842b98ba300bf93877abbda5284ebcb514f4953cd02acc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 15



SHA256 hash: ed46b52239426cb32b842b98ba300bf93877abbda5284ebcb514f4953cd02acc
SHA3-384 hash: 9fb3e59a30c80b000f5cca73541f282a62e4ebfc7bbd1d8c2192ff1a2d9b4e5d1a8b5a7aaf7eeb2e5c020abdfb3cbd22
SHA1 hash: 0d2c007931d10f6d57ff8502243ee529dd21b6cd
MD5 hash: b4c6296ca3e557e491f9478553095d95
humanhash: neptune-indigo-chicken-skylark
File name: b4c6296ca3e557e491f9478553095d95.exe
Signature: Smoke Loader
File size: 565'760 bytes
First seen: 2023-11-11 07:44:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 12288:UMrFy9010NA0H7Gae/4IC50pCCHGN0PLvYMXiYQbDL6jhFh:xy0iaaewIsgCQGIgYDNhj
TLSH: T1DEC41243AAE98072E4B1577068FB03970B39BCA15D7C836F376A585F5CB2A906931337
TrID:
  70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe Smoke Loader

Intelligence


File Origin
# of uploads: 1
# of downloads: 304
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
DNS request
Sending a custom TCP request
Behavior that indicates a threat
Reading critical registry keys
Gathering data
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 91%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer keylogger lolbin packed rundll32 setupapi sfx shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, RedLine, SmokeLoader, zgRAT
Detection: malicious
Classification: phis.troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Stop multiple services
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected Glupteba
Yara detected PersistenceViaHiddenTask
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph (process tree; bracketed numbers are the graph's own node IDs):
Behavior Graph ID: 1341040
Sample: 9qOVIQzg7G.exe
Start date: 11/11/2023
Architecture: WINDOWS
Score: 100
Signatures on the sample: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures

9qOVIQzg7G.exe [11] (Binary is likely a compiled AutoIt script file)
  dropped: C:\Users\user\AppData\Local\...\3Ul04xO.exe (PE32); C:\Users\user\AppData\Local\...\1KW09yk7.exe (PE32)
  3Ul04xO.exe [21] (Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures)
    explorer.exe [28] (injected) (System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Adds a directory exclusion to Windows Defender; Hides that the sample has been downloaded from the Internet (zone.identifier))
      network: 103.152.79.123 (TWIDC-AS-APTWIDCLimitedHK, unknown); 185.174.136.219 (SUPERSERVERSDATACENTERRU, Russian Federation); 8 other IPs or domains
      dropped: C:\Users\user\AppData\Roaming\sbsddre (PE32); C:\Users\user\AppData\Local\Temp\F4FC.exe (PE32+); C:\Users\user\AppData\Local\Temp\E42B.exe (PE32); 7 other malicious files
      E42B.exe [41] (Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function))
        dropped: C:\Users\user\AppData\Local\...\toolspub2.exe (PE32); C:\Users\user\AppData\Local\...\latestX.exe (PE32+); C:\Users\user\AppData\...\InstallSetup5.exe (PE32); C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe (PE32)
        toolspub2.exe [62] (Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Injects a PE file into a foreign processes)
          toolspub2.exe [82] (Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection))
        31839b57a4f11171d6abc8bbc4451ee4.exe [65] (Detected unpacking (overwrites its own PE header); Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function))
          cmd.exe [85]
            conhost.exe [94]
            fodhelper.exe [96]; fodhelper.exe [98]; fodhelper.exe [100]
        latestX.exe [67] (Modifies the hosts file; Adds a directory exclusion to Windows Defender)
          dropped: C:\Program Files\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
        3 other processes [78]
          dropped: C:\Users\user\AppData\Local\Temp\Broom.exe (PE32)
          Broom.exe [92] (Multi AV Scanner detection for dropped file)
      9D6C.exe [45] (Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc))
        network: 176.123.9.142 (ALEXHOSTMD, Moldova Republic of)
        conhost.exe [70]
      12AE.exe [48] (Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes)
        12AE.exe [72]
          dropped: C:\Users\user\AppData\Local\...\TypeId.exe (PE32+)
      4 other processes [54]
        network: 194.49.94.11 (EQUEST-ASNL, unknown)
        cmd.exe [74]
          36B2.exe [87]
            dropped: C:\Users\user\AppData\...\Settings.exe (PE32+)
          conhost.exe [90]
        conhost.exe [76]
        4 other processes [80]
  1KW09yk7.exe [24] (Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Contains functionality to modify clipboard data)
    chrome.exe [33]
      network: 192.168.2.8 (unknown); 239.255.255.250 (Reserved)
      chrome.exe [50]
        network: 104.244.42.129 (TWITTERUS, United States); 104.244.42.133 (TWITTERUS, United States); 77 other IPs or domains
      2 other processes [56]
    chrome.exe [35]
      2 other processes [58]
    chrome.exe [37]
      chrome.exe [52]
    7 other processes [39]
      7 other processes [60]
Settings.exe [15] (Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file)
TypeId.exe [17]
2 other processes [19]
  conhost.exe [26]
Threat name: Win32.Trojan.SmokeLoader
Status: Malicious
First seen: 2023-11-11 07:45:04 UTC
File Type: PE (Exe)
Extracted files: 63
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor persistence trojan
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Executes dropped EXE
Downloads MZ/PE file
SmokeLoader
Malware Config
C2 Extraction: http://5.42.92.190/fks/index.php
Unpacked files
SHA256 hash: 2a8c03a7dacb892a459871c65238bfc6e2c971b993505437fbca9cc5175304df
MD5 hash: 8581a9a941a62b4bc3099918feb2bfdb
SHA1 hash: 91145f12c9f3e9b430deed77c98d25f7907cd069
Detections: win_smokeloader_a2
SHA256 hash: ed46b52239426cb32b842b98ba300bf93877abbda5284ebcb514f4953cd02acc
MD5 hash: b4c6296ca3e557e491f9478553095d95
SHA1 hash: 0d2c007931d10f6d57ff8502243ee529dd21b6cd
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Smoke Loader
Executable exe ed46b52239426cb32b842b98ba300bf93877abbda5284ebcb514f4953cd02acc (this sample)
Delivery method: Distributed via web download

Comments