MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fabf60ba606f708c842b3cd143642c0ec9ac49b67678742b031abfe7e5f08ef8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fabf60ba606f708c842b3cd143642c0ec9ac49b67678742b031abfe7e5f08ef8
SHA3-384 hash: f3f7b3cec879dc8f3d9f8f5e73f813cd3179d1c9919d458484230f4ee4311747ad4b912291f3375d0bd999562a2dcea9
SHA1 hash: 5a88eb75d4226284c9981deabc57eff4973558bd
MD5 hash: 3a7b566758d8acb435ec76fd3845017d
humanhash: juliet-five-snake-carpet
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:199'680 bytes
First seen:2023-02-27 16:38:55 UTC
Last seen:2023-02-27 18:30:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f54b7f04db8fcc4bbf55d4720df1540 (5 x Smoke Loader, 1 x TeamBot, 1 x RedLineStealer)
ssdeep 3072:D0+OBqQXG7KHdscF3E7deC2tlsRjzWtwbos5CeCrCIonZCXuy:oTBq8G8dscFvC4lRakcFYJoAT
Threatray 64 similar samples on MalwareBazaar
TLSH T18914AF127290EC70E15E1A324D29C6F5262EFD618EE4AA9B33743B6F1D701D0B5F2B16
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 916a6a6a6a6a6a60 (21 x Smoke Loader, 21 x RedLineStealer, 6 x Tofsee)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from https://aldawaa-alshafi.com/systems/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-27 16:58:58 UTC
Tags:
trojan loader smoke
Link:
https://app.any.run/tasks/9b61ed61-1d6b-43d5-b711-38f82e617fd5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370361/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25428.28223.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Creating a process from a recently created file
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/63fcdca7874679b6f447cfa0/reports/7ca32aee-ce92-4df0-9905-447405bc810b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fabf60ba606f708c842b3cd143642c0ec9ac49b67678742b031abfe7e5f08ef8
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e821843c-ec39-4062-a101-d8aa3bb2e8ff
Result
Threat name:
DanaBot, SmokeLoader, SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1183357
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Yara detected SmokeLoader
Yara detected SystemBC
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 816191 Sample: file.exe Startdate: 27/02/2023 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 6 other signatures 2->57 8 file.exe 2->8         started        11 jjcbggd 2->11         started        13 jjcbggd 2->13         started        15 7279.exe 2->15         started        process3 signatures4 73 Detected unpacking (changes PE section rights) 8->73 75 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->75 77 Maps a DLL or memory area into another process 8->77 17 explorer.exe 3 9 8->17 injected 79 Multi AV Scanner detection for dropped file 11->79 81 Machine Learning detection for dropped file 11->81 83 Checks if the current machine is a virtual machine (disk enumeration) 11->83 85 Creates a thread in another existing process (thread injection) 13->85 process5 dnsIp6 43 lidiacarmeli.com.br 50.87.145.5, 443, 49735 UNIFIEDLAYER-AS-1US United States 17->43 45 186.182.55.44, 49719, 49720, 49724 TechtelLMDSComunicacionesInteractivasSAAR Argentina 17->45 47 7 other IPs or domains 17->47 33 C:\Users\user\AppData\Roaming\jjcbggd, PE32 17->33 dropped 35 C:\Users\user\AppData\Local\Temp\8444.exe, PE32 17->35 dropped 37 C:\Users\user\AppData\Local\Temp\7279.exe, PE32 17->37 dropped 39 2 other malicious files 17->39 dropped 59 System process connects to network (likely due to code injection or exploit) 17->59 61 Benign windows process drops PE files 17->61 63 Deletes itself after installation 17->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->65 22 15E7.exe 17->22         started        26 8444.exe 1 17->26         started        29 7279.exe 17->29         started        file7 signatures8 process9 dnsIp10 49 149.248.14.222, 443, 49738, 49739 AS-CHOOPAUS United States 22->49 67 Detected unpacking (changes PE section rights) 22->67 69 Detected unpacking (overwrites its own PE header) 22->69 71 Machine Learning detection for dropped file 22->71 41 C:\Users\user\AppData\...\Qruhaepdediwhf.dll, PE32 26->41 dropped 31 rundll32.exe 1 26->31         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fabf60ba606f708c842b3cd143642c0ec9ac49b67678742b031abfe7e5f08ef8/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 16:39:07 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7k7wbotan5yizbblhtiugzbmb3e2ysnwoz4hikyddk76pzpqr34a._file
Verdict:
malicious
Similar samples:
1a1edade2fc59167610f92c9f423bf4df1af060c6182989d809530ecc5aad868
Smoke Loader
1eb7a816779280c50611ed971bd5d8d5f4684e0250546e564c18f75275abd4fe
Smoke Loader
31125dd90470955ca70e23ae2c3fd372db8b991a7c92bfb49d442b67539602c3
Smoke Loader
6a8f93fd4c43ad910a3da45df4c707fbc0a6ceab00ca9fd4e75beb7f6635d5f9
Smoke Loader
9d3d6ad79ab83ec2a4ba703bfe1ad6d098c3b1c0d7d4662e4d843fec2f24f2cd
Smoke Loader
c8a5519db64b4918c2e21b13c8fd75ea10ab0d05d49b241807e881dac9ef05a1
Smoke Loader
e5aa90130202683bcbfeec97bef643e0559cdf1332346f48a2909c5dbea521b9
Smoke Loader
e70f8956bd13f465a6b0e702df192de250580a8e80f8b0377de8ff83cd0340d5
Smoke Loader
f4e5103746728e49e2aad05ffc1f61d58a9f61071a822642779d5980d001e54f
Smoke Loader
f9f10b8b0aed6a31f1eefd83533af5d0712b3c17efab92d5d71b0b4b93790d33
Smoke Loader
+ 54 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/230227-t5yqxaed6t/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detects Smokeloader packer
SmokeLoader
Malware Config
C2 Extraction:
http://vispik.at/tmp/
http://ekcentric.com/tmp/
http://hbeat.ru/tmp/
http://mordo.ru/tmp/
Unpacked files
SH256 hash:
10865df90c9008bcf408b793320729db7c09cd648c34f3dd87bb28e88f73f99e
MD5 hash:
8046419f924eafabb7ecf216e291b613
SHA1 hash:
bb646c4d7dfcae4a1e280aef21e11c0b36cf8ef0
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/616d317b-cd91-4bc4-8980-81b856752c1f/
Parent samples :
74d9950fb4a58f99306f9310d3bb295f865f164e16f2f53b6baec947ee5cfca5
fabf60ba606f708c842b3cd143642c0ec9ac49b67678742b031abfe7e5f08ef8
fec7e6d8626bf8373fbefecbdca920aa2b30ce8b94e65a78e16f042bbc9ab3e0
820a71a15a01014165c73cb5ce0dfe7f44fb6c9016b88e7a360c0e20530e7f95
47ffcfc1a0233a7bcb0b4fc36d47f20d6c1293977cf489a6c39aed02f361af2c
fae6162b4e70c2dfda2bc89d93f1eff42cefcc0b5222959413dee0dd0d7d830f
SH256 hash:
fabf60ba606f708c842b3cd143642c0ec9ac49b67678742b031abfe7e5f08ef8
MD5 hash:
3a7b566758d8acb435ec76fd3845017d
SHA1 hash:
5a88eb75d4226284c9981deabc57eff4973558bd
Link:
https://www.unpac.me/results/616d317b-cd91-4bc4-8980-81b856752c1f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fabf60ba606f708c842b3cd143642c0ec9ac49b67678742b031abfe7e5f08ef8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/370361/

Comments