MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1
SHA3-384 hash:	314c1d3b19b75331f4e5bb7e1a549be416945b08185539939794f7172306de489f0d4086821ea47cb0eada4872ee0110
SHA1 hash:	dc0bf40b9dd65c7d25829c9912591dd5118d3ae3
MD5 hash:	16c9fd8d675b5498e0ceff5bc4fec24e
humanhash:	high-spring-artist-lemon
File name:	16c9fd8d675b5498e0ceff5bc4fec24e.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	311'808 bytes
First seen:	2023-07-16 13:17:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	326441378ca815656cabd6c06990bf3c (3 x RedLineStealer, 2 x Smoke Loader, 1 x Stop)
ssdeep	3072:+yLxBCoraSJWXrPesHgcLfOiy3XaBdDqRmm2y1d2Z5CcwlgZDGW:TLxIAaSMXjBXbOi6wJmf1sOcFG
Threatray	4'847 similar samples on MalwareBazaar
TLSH	T1F5648443DAE17D48EA268B769E1FC6E8B70DF6908F4D7B653218DE1B00B1076D163A70
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0008082808090400 (1 x Smoke Loader)
Reporter	obfusor
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

314

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-07-16 11:52:54 UTC

Tags:

loader smoke trojan amadey payload fabookie stealer ransomware stop vidar arkei rat redline

Link:

https://app.any.run/tasks/eb6516fa-d439-4f62-9df6-b3e49e7afbba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/421789/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed xpack

Link:

https://www.filescan.io/uploads/64b3ee0cfd9e198dc114a1e7/reports/a9db1809-6c9e-47c5-a633-5be6f4542cb9/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/17d5584b-4d23-4482-a725-fb05f4e93dc2

Result

Threat name:

RedLine, SmokeLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1274036

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected RedLine Stealer

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-07-16 12:11:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=54cp4msxg7fnatfgaphtu4vhdodlyulynnuws4xcipf5ayjfhcyq._file

Verdict:

malicious

Smoke Loader

1788b1a07815d0fe3a38efbb4a4706d9c4cff09ea145cef0e2b658217d95725c

Smoke Loader

57962d6e4dea092778ca4b98d68ee62d11a8cfa88fd7fd7b89cb97fba2193355

Smoke Loader

657d471a64624cd0e7e6d91374d75212b100bda987ac4425d3552224e2d2a33e

Smoke Loader

6fae76c5a5b11cf96e9f4577b8e3355807696e9462226f4826da83c0107be114

Smoke Loader

811dec9ec1252218598615343fe2e04a62a296e3f156778c4d168b4eec8a0bf0

Smoke Loader

88619945ae8c773480dbabbff8f1979fc94d406d3ec795780189260a2a8ed7e9

Smoke Loader

acd063c502b1957bdb4e19c2f677128ff3ba956940a702aa1760e1d2362ff0eb

Smoke Loader

bcabf922d0a9e5c729c6968b214202f2fa7c369198c09c9cb3bff57150a99aeb

Smoke Loader

fe6fe64afb9a16c6ed919933916fd39c31ad8628fb2e826e43764b235d511ab4

Smoke Loader

+ 4'837 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:lumma family:redline family:smokeloader botnet:cc botnet:summ backdoor discovery infostealer spyware stealer trojan

Link:

https://tria.ge/reports/230716-qjx1psga2t/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Program crash

Suspicious use of SetThreadContext

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Lumma Stealer

RedLine

RedLine payload

SmokeLoader

Malware Config

C2 Extraction:

http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
94.228.169.160:43800

Unpacked files

SH256 hash:

48b6a4785f1dc9f33c51c2e588c7f9edf76e551cff8759ac5622cf995330ff14

MD5 hash:

d9cde58139fef6bf75141230f9662d97

SHA1 hash:

68ac6ee1b78dfa15bfe49229640a0929438029af

Detections:

SmokeLoaderStage2

win_smokeloader_a2

Link:

https://www.unpac.me/results/483979d3-de5c-4984-80ef-e895721eec67/

Parent samples :

dfa65f33e16205d8c072ba1fb3d0f419f0af2e25f1c251d2b1ef83dd822dc476
aa4938085915798a5b6a03db3a04f6b2927d108db0bfac32ca66462f6a406c36
e4ff3d138daf42cc71613a0b2b9131e672ab42e3fc8f12779efa2f882985c40c
240e33c28d618ba23fc7489c03dcc40e3e3d2c84ef959db800321d1946d3dbcf
65640ae45f81e5a0367d374193b9a7958e7e2cba9b4f7e448cd2545a70c2880e
b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891
b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027
5ecd711693f12b243e84e97975eaf2f981016a7cf004841dceb7b9d720bc1f6d
a6e56a741e9aa67f861b574964a4999eb77ca586abf079c1891ca09c7900c713
2f526d3756e8f59616b5f69c9527d4751594ea82464c971eaadfc04216d0b27a
14a81d39c1a2260f7dde336245ab276a3416319e8bea2740107f8da6b5baecc2
57058dda63d287fb506d12c043fe1eb07abcaacb703fb2f8120edefb815bd1a8
9e4e8a3c08c71e24a113731d9b3c6221c79a0d82e9ab0b510e4240257b4d0eee
954a8d78e97e2bb65568d4c5d692a2a9975a330eaa7fae20e4620d18ccbb5881
bfe83b5436233b54ba7808d535042708313d5ec62aece600d943798f5c62efda
fc5c1ed9df3db079ed9b1714c11b5fd8edd6f69498fe6150303ae160884d3c04
e59ad322f3178a7905a9a3c623e7b5d8132080ddc9d2d3797d64939a23611a00
e93e6d9ed58c2476607f4352c2fb03b5247276f5be99840b0db4d546457f20e5
c862c9ce5cc849f7e292a61984c11b3a61a137f71ce19b3e72b653932602a0fc
8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3
455cd1baccbf9b3abc59454a6d80ee72c2db5cb6ffb73a5102b5a1e6eb78599e
45395f6fad7289cb0f9599ed1f578140d5280f1769957c4bba4fb5f6798a41bf
d347eea452c0cd8f233db473bc2889ef05049a6bffef49184120c9d302fa74e6
cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb
2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1
e58ebdf4702cc16c7b5626d7e5a169fda32ecb3df251c9f087c8ad7ad6897672
799c6f0780b063a98ca67e217ac920733e5ed59742300658a747457ef30a3ed8
a5cb5558a1fb53b177fd0a683da3e93c4c0149588c7b06b5b8f5570896bd79bc
5b6d6c1bf6cfc3f0c4b792a2416d52588c22701fc9484c7c0a40bfb75ced4c4e
fc70465d07b9f3eb64e7f5ada2c047cd54b1a10b2790264456c0f76a798b50fc
fd831bc88d1c08c8b8a2e3756569b8fc3c143d516f4a72ec6fbf3c456c6209bb
2cc7483f686c00278ce3dcda694baca322bfbe70e8cf4ec5dd8ec0f31a955625
c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c
2c43ca2ea57631cdd00d46b6d292ca82922c239c1ad400a4714134fed8f2a50e
4f2680a213e3345c83f3f0adc9bcf75af76e50eed035b2c54f54b071e115f694
b2f12a3ef735f92b67cf807fb8be7df8400c065318ad3b0f8cd144738db7b96b

SH256 hash:

ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1

MD5 hash:

16c9fd8d675b5498e0ceff5bc4fec24e

SHA1 hash:

dc0bf40b9dd65c7d25829c9912591dd5118d3ae3

Link:

https://www.unpac.me/results/483979d3-de5c-4984-80ef-e895721eec67/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ef04fe325737/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/421789/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample