MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f22080ba8d304becef252dae72f45b78841466cabbf878fe5f9e711ac096ea8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 19


Intelligence 19 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f22080ba8d304becef252dae72f45b78841466cabbf878fe5f9e711ac096ea8f
SHA3-384 hash: 8c2404e53e50909962dbae77beadd8fbf92a0a10a6462085b967bfbf8f4f24b84f33a8f8bfb80297427f2ee9a88d1a7a
SHA1 hash: 0682ffa31cbba67f0e6869d8c60fdc9d72b247fc
MD5 hash: fafd28186d04937efe68034121ed871a
humanhash: west-vermont-wolfram-network
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:1'656'320 bytes
First seen:2023-10-25 22:47:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:IizXioj2JVbiOsj9nGNMDM7flde7k++H8uC:BXjIdPsj9nGX7dde7k+CC
TLSH T17975230357D84432D9B62BB054F70743263A7E556EA8C7AF570ABC490D72AC4D83A73B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from http://109.107.182.2/race/bus50.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-25 22:56:51 UTC
Tags:
stealc stealer redline amadey botnet trojan loader smoke sinkhole opendir
Link:
https://app.any.run/tasks/43ddf8f4-6b50-43dc-af95-2f1b35fa4c06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456396/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Launching a service
Сreating synchronization primitives
Creating a file
Creating a window
Launching cmd.exe command interpreter
Running batch commands
Blocking the Windows Defender launch
Disabling the operating system update service
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65399b23bc703e36b08d6c16/reports/12f13f09-5b70-4128-ab33-987984405681/overview
Verdict:
Malicious
Labled as:
Dropper/Generic.X2198
Link:
https://www.hybrid-analysis.com/sample/f22080ba8d304becef252dae72f45b78841466cabbf878fe5f9e711ac096ea8f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b566718-2ff2-4658-ae0f-34995318a295
Result
Threat name:
Amadey, Babadeda, Mystic Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332263
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
PE file has a writeable .text section
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1332263 Sample: file.exe Startdate: 26/10/2023 Architecture: WINDOWS Score: 100 197 Found malware configuration 2->197 199 Malicious sample detected (through community Yara rule) 2->199 201 Antivirus detection for URL or domain 2->201 203 17 other signatures 2->203 14 file.exe 1 4 2->14         started        17 svchost.exe 2->17         started        20 explothe.exe 2->20         started        process3 dnsIp4 169 C:\Users\user\AppData\Local\...\ym2sJ24.exe, PE32 14->169 dropped 171 C:\Users\user\AppData\Local\...\7Sh0AO15.exe, PE32 14->171 dropped 22 ym2sJ24.exe 1 4 14->22         started        173 23.77.240.155 AKAMAI-ASUS United States 17->173 175 127.0.0.1 unknown unknown 17->175 file5 process6 file7 145 C:\Users\user\AppData\Local\...\Zm1Ev63.exe, PE32 22->145 dropped 147 C:\Users\user\AppData\Local\...\6Hx5li2.exe, PE32 22->147 dropped 225 Antivirus detection for dropped file 22->225 227 Machine Learning detection for dropped file 22->227 26 Zm1Ev63.exe 1 4 22->26         started        30 6Hx5li2.exe 22->30         started        signatures8 process9 file10 165 C:\Users\user\AppData\Local\...\bZ7Uv10.exe, PE32 26->165 dropped 167 C:\Users\user\AppData\Local\...\5Hv8xK9.exe, PE32 26->167 dropped 259 Antivirus detection for dropped file 26->259 261 Machine Learning detection for dropped file 26->261 32 bZ7Uv10.exe 1 4 26->32         started        36 5Hv8xK9.exe 26->36         started        signatures11 process12 file13 119 C:\Users\user\AppData\Local\...\vF1mk31.exe, PE32 32->119 dropped 121 C:\Users\user\AppData\Local\...\4rG579hI.exe, PE32 32->121 dropped 193 Antivirus detection for dropped file 32->193 195 Machine Learning detection for dropped file 32->195 38 vF1mk31.exe 1 4 32->38         started        41 4rG579hI.exe 32->41         started        123 C:\Users\user\AppData\Local\...\explothe.exe, PE32 36->123 dropped 44 explothe.exe 36->44         started        signatures14 process15 dnsIp16 149 C:\Users\user\AppData\Local\...\HM6AU50.exe, PE32 38->149 dropped 151 C:\Users\user\AppData\Local\...\3rk26mf.exe, PE32 38->151 dropped 47 3rk26mf.exe 38->47         started        50 HM6AU50.exe 1 4 38->50         started        53 Oz2GJ1On.exe 38->53         started        243 Antivirus detection for dropped file 41->243 245 Writes to foreign memory regions 41->245 247 Allocates memory in foreign processes 41->247 249 Injects a PE file into a foreign processes 41->249 55 AppLaunch.exe 41->55         started        58 AppLaunch.exe 41->58         started        187 77.91.124.1 ECOTEL-ASRU Russian Federation 44->187 153 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 44->153 dropped 155 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 44->155 dropped 251 Creates an undocumented autostart registry key 44->251 253 Uses schtasks.exe or at.exe to add and modify task schedules 44->253 60 schtasks.exe 44->60         started        62 cmd.exe 44->62         started        64 rundll32.exe 44->64         started        file17 signatures18 process19 dnsIp20 263 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 47->263 265 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 47->265 267 Maps a DLL or memory area into another process 47->267 271 2 other signatures 47->271 66 explorer.exe 78 33 47->66 injected 125 C:\Users\user\AppData\Local\...\2gD7277.exe, PE32 50->125 dropped 127 C:\Users\user\AppData\Local\...\1mV38cy9.exe, PE32 50->127 dropped 71 1mV38cy9.exe 50->71         started        73 2gD7277.exe 50->73         started        129 C:\Users\user\AppData\Local\...\2ui982bJ.exe, PE32 53->129 dropped 131 C:\Users\user\AppData\Local\...\1aP71bw7.exe, PE32 53->131 dropped 75 1aP71bw7.exe 53->75         started        185 77.91.124.86 ECOTEL-ASRU Russian Federation 55->185 269 Found many strings related to Crypto-Wallets (likely being stolen) 55->269 77 conhost.exe 60->77         started        79 Conhost.exe 60->79         started        81 conhost.exe 62->81         started        83 cmd.exe 62->83         started        85 5 other processes 62->85 file21 signatures22 process23 dnsIp24 179 5.42.65.80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 66->179 181 193.31.28.64 QUICKPACKETUS United Kingdom 66->181 183 6 other IPs or domains 66->183 133 C:\Users\user\AppData\Local\Temp\FF9E.exe, PE32 66->133 dropped 135 C:\Users\user\AppData\Local\Temp\F03B.exe, PE32 66->135 dropped 137 C:\Users\user\AppData\Local\TempCEF.exe, PE32 66->137 dropped 139 10 other malicious files 66->139 dropped 205 System process connects to network (likely due to code injection or exploit) 66->205 207 Benign windows process drops PE files 66->207 87 D403.exe 66->87         started        91 E75F.exe 66->91         started        93 D7BD.exe 66->93         started        102 3 other processes 66->102 209 Contains functionality to inject code into remote processes 71->209 211 Writes to foreign memory regions 71->211 213 Allocates memory in foreign processes 71->213 95 AppLaunch.exe 9 1 71->95         started        215 Injects a PE file into a foreign processes 73->215 97 AppLaunch.exe 12 73->97         started        100 AppLaunch.exe 73->100         started        217 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 77->217 219 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 77->219 file25 signatures26 process27 dnsIp28 157 C:\Users\user\AppData\Local\...\Qu3zm3mb.exe, PE32 87->157 dropped 159 C:\Users\user\AppData\Local\...\6PS68mQ.exe, PE32 87->159 dropped 229 Antivirus detection for dropped file 87->229 231 Machine Learning detection for dropped file 87->231 104 Qu3zm3mb.exe 87->104         started        233 Tries to harvest and steal browser information (history, passwords, etc) 91->233 235 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 95->235 237 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 95->237 239 Modifies windows update settings 95->239 241 2 other signatures 95->241 177 193.233.255.73 FREE-NET-ASFREEnetEU Russian Federation 97->177 108 chrome.exe 102->108         started        111 chrome.exe 102->111         started        113 conhost.exe 102->113         started        file29 signatures30 process31 dnsIp32 161 C:\Users\user\AppData\Local\...\Fc9PG7Fq.exe, PE32 104->161 dropped 163 C:\Users\user\AppData\Local\...\5Jp03OV.exe, PE32 104->163 dropped 255 Antivirus detection for dropped file 104->255 257 Machine Learning detection for dropped file 104->257 115 Fc9PG7Fq.exe 104->115         started        189 192.168.2.5 unknown unknown 108->189 191 239.255.255.250 unknown Reserved 108->191 file33 signatures34 process35 file36 141 C:\Users\user\AppData\Local\...\iW4Ox0uA.exe, PE32 115->141 dropped 143 C:\Users\user\AppData\Local\...\4GZ372Su.exe, PE32 115->143 dropped 221 Antivirus detection for dropped file 115->221 223 Machine Learning detection for dropped file 115->223 signatures37
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f22080ba8d304becef252dae72f45b78841466cabbf878fe5f9e711ac096ea8f
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f22080ba8d304becef252dae72f45b78841466cabbf878fe5f9e711ac096ea8f/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 22:48:05 UTC
File Type:
PE (Exe)
Extracted files:
226
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6iqiboungbf6z3zffwxhf5c3pccbizwkxp4hr7s7tzyrvqew5khq._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:redline family:smokeloader family:zgrat botnet:grome botnet:kinza botnet:up3 backdoor brand:google dropper evasion infostealer loader persistence phishing rat trojan
Link:
https://tria.ge/reports/231025-2q313shd5v/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
Amadey
DcRat
Detect ZGRat V1
Detected google phishing page
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/ae72e644-f7da-4be1-9cf6-443d303f5fdf/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
138699e7bfbc03b53e14685fbea929e4e1f46a062ce1f55a13da3a8e84c562aa
MD5 hash:
e53028f70038b6b60604682738a87d06
SHA1 hash:
5d131b67892827bdb1fbeb7b46891c8aaf23e80f
Link:
https://www.unpac.me/results/ae72e644-f7da-4be1-9cf6-443d303f5fdf/
SH256 hash:
18d0e2c9ac7a0cf3f1b7ec1e0e15a5aaf3f06559d8b781b51209bd22f5299922
MD5 hash:
763714db5d5572d385d0ca54e30218b8
SHA1 hash:
8992ce2ecf79185522c2a5bc8d14e832d87b340d
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/ae72e644-f7da-4be1-9cf6-443d303f5fdf/
Parent samples :
b3a9be6f7a4a9d8e6157bca4ad8d3db2aee399771de8437e2a73fc218b0d02ae
9ec941d56f1921bf9c08c3bddb3babffb3c300a13ae56577f8ef1d2d2649f927
7343863f781a33a5a871e981b4a9bcb5d5042cb7cf51d66aa61a583c95e39684
084b41ac048545f0787470d4026243539ffbacc28543776ef091df255d6567fc
f22080ba8d304becef252dae72f45b78841466cabbf878fe5f9e711ac096ea8f
SH256 hash:
7e8d69d0e2fc5558e543e346be416a8f154a2c08fab6565122ebc3c6c4f3ed18
MD5 hash:
9f3f5cd7384a1b3c82686f6bf15316cb
SHA1 hash:
a2e1b10d72635f7fcfcf19840c8ab198b45a6ba5
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/ae72e644-f7da-4be1-9cf6-443d303f5fdf/
SH256 hash:
1ec98265a6e56451e98f05b6cc130b60f967267cf514b9d7df59647aff8226e8
MD5 hash:
42ee8cb4588f4b2872c94881c629f709
SHA1 hash:
a7f83b783595d08e50123511ed3d96eb34833dcf
Link:
https://www.unpac.me/results/ae72e644-f7da-4be1-9cf6-443d303f5fdf/
SH256 hash:
df5b2563f2e522673669ab8cfbb3122c63376d65c263463cb9aa10b90e590acf
MD5 hash:
c9f3722707f56ea6c827bd5eab132f94
SHA1 hash:
c8362fe7aa23294c9e736bed676009ff1d7aad79
Link:
https://www.unpac.me/results/ae72e644-f7da-4be1-9cf6-443d303f5fdf/
SH256 hash:
f22080ba8d304becef252dae72f45b78841466cabbf878fe5f9e711ac096ea8f
MD5 hash:
fafd28186d04937efe68034121ed871a
SHA1 hash:
0682ffa31cbba67f0e6869d8c60fdc9d72b247fc
Link:
https://www.unpac.me/results/ae72e644-f7da-4be1-9cf6-443d303f5fdf/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f22080ba8d30/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f22080ba8d304becef252dae72f45b78841466cabbf878fe5f9e711ac096ea8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/456396/

Comments