MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fea97bcd0bcd24fae553aa9152a410e3e6064edbd8011c3b2d9fcee40cc430f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 11



SHA256 hash: fea97bcd0bcd24fae553aa9152a410e3e6064edbd8011c3b2d9fcee40cc430f8
SHA3-384 hash: 8eaa87e6dcb52542530ff61c1a112910d81bf35be593f7f88d41fbc2ed49949e2973ed09c7bcbb3a2b2feecccd103f6b
SHA1 hash: 431e2589473738aef637916ce6a73b333d9ee4ec
MD5 hash: 1f58a22f2b80d9ab1a0cf3bb911dec5c
humanhash: wolfram-mexico-minnesota-neptune
File name: file
Signature: Smoke Loader
File size: 1'047'040 bytes
First seen: 2022-09-07 19:43:13 UTC
Last seen: 2022-09-10 15:19:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1efe015ade03f54dd6d9b2ccea28b970 (268 x RedLineStealer, 256 x Amadey, 2 x GuLoader)
ssdeep: 24576:nyCkX0z0kmccRv6Xj7FRsxALq9eLY4IxrV5XOBaQ+:yCk/Zcc8Xj7FRhLueF8pA
TLSH: T1FB2512966BD84133D9A4177004FE03221B34FC815B79E3AB3A55745A7CB2EC4AA3137B
TrID:
  72.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  6.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
  1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 086070f8f8f9304c (1 x Smoke Loader)
Reporter: andretavare5
Tags: exe Smoke Loader


Comment by andretavare5:
Sample downloaded from https://vk.com/doc523958404_646063423?hash=POihMq5rjJqflkuNoE1iRMWnRw79yrtjRtaRyyj9Fjs&dl=GUZDGOJVHA2DANA:1662579675:jflVy8ypSL8h2VRinnRbWngDjZVJkOWg6hcIlfY9Vhw&api=1&no_preview=1#Adan

Intelligence


File Origin
# of uploads: 18
# of downloads: 353
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-09-07 19:44:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a file in the system32 subdirectories
DNS request
Creating a file
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 80%
Tags: advpack.dll anti-vm packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GhostRat, Phoenix Miner, RedLine, SmokeL
Detection: malicious
Classification: troj.evad.expl.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
DLL reload attack detected
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Obfuscated command line found
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected GhostRat
Yara detected Phoenix Miner
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 699264; sample file.exe; start date 07/09/2022; architecture WINDOWS; score 100)

Sample-level network indicators: www.icodeps.com; lGxEwtOKfrKglVqu.lGxEwtOKfrKglVqu; 18 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree (node numbers are the graph's own; "dropped" lists files written, "network" lists contacted hosts):

file.exe (15)
  cmd.exe (23) - signatures: Obfuscated command line found; Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks
    cmd.exe (30) - dropped: C:\Users\user\AppData\Local\...\Very.exe.pif (PE32); signatures: Obfuscated command line found; Uses ping.exe to sleep
      Very.exe.pif (40) - dropped: C:\Users\user\AppData\Local\...\pzCfDAY.dll (PE32); signatures: DLL reload attack detected; Found stalling execution ending in API Sleep call; Found API chain indicative of debugger detection; 6 other signatures
        Very.exe.pif (50) - network: host-coin-file-17.com 95.161.129.111 (ports 49778, 80; TIERA-ASRU, Russian Federation); toffle.co 162.241.102.58 (ports 443, 49799, 49800; UNIFIEDLAYER-AS-1US, United States); 6 other IPs or domains; dropped: C:\Users\user\AppData\Local\Temp\...\WndPau (PE32), C:\Users\user\AppData\Local\Temp\...\MkHZoJ (PE32), C:\Users\user\AppData\Local\Temp\...\fNxPAs (PE32), 12 other files (8 malicious)
          WndPau (54) - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops PE files with benign system names
            WndPau (65) - signature: Injects a PE file into a foreign processes
              WndPau (76) - network: 94.26.226.51 (ports 49779, 49780, 49784; PTC-YEMENNETYE, Russian Federation); blackhk1.beget.tech 5.101.153.227 (ports 49787, 49788, 49789; BEGET-ASRU, Russian Federation); dropped: C:\Users\user\AppData\Roaming\...\svchost.exe (PE32+), C:\Users\user\AppData\Roaming\...\msedge.exe (PE32+), C:\Users\user\AppData\...\131H11H8FG12E2E.exe (PE32+)
                cmd.exe (85)
                  msedge.exe (92) - signature: Multi AV Scanner detection for dropped file
                131H11H8FG12E2E.exe (87) - signature: Multi AV Scanner detection for dropped file
            conhost.exe (68)
          NZxAEa (57) - signature: Injects a PE file into a foreign processes
            NZxAEa (70) - signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
              explorer.exe (80, injected) - dropped: C:\Users\user\AppData\Roaming\fhsdwsb (PE32); signatures: Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
                msedge.exe (90)
          fNxPAs (59) - signature: Sample uses process hollowing technique
          2 other processes (61) - network: iplogger.org 148.251.234.83 (ports 443, 49798, 49812; HETZNER-ASDE, Germany); dropped: C:\Users\user\AppData\Local\...\MkHZoJ.tmp (PE32); signature: Obfuscated command line found
            MkHZoJ.tmp (72) - network: d2l7sw81k13yby.cloudfront.net 13.224.103.92 (ports 443, 49794, 49817; AMAZON-02US, United States); aka.ms 104.73.150.198 (ports 443, 49795; AKAMAI-ASUS, United States); dropped: C:\Users\user\...\xmrBridge.dll (copy) (PE32+), C:\Users\user\...\unins000.exe (copy) (PE32), C:\Users\user\...\nvrtc64_100_0.dll (copy) (PE32+), 31 other files (none is malicious)
              vc_redist.x64.exe (83) - dropped: C:\Windows\Temp\...\vc_redist.x64.exe (PE32)
      tasklist.exe (44)
      tasklist.exe (46)
      4 other processes (48)
    conhost.exe (34)
    PING.EXE (36)
  Robocopy.exe (26)
    conhost.exe (38)
svchost.exe (17)
  WerFault.exe (28)
rundll32.exe (19)
svchost.exe (21)
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-09-07 19:44:09 UTC
File Type: PE (Exe)
Extracted files: 50
AV detection: 11 of 26 (42.31%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 15135961fafa7e850eaf85b3cd5b17886429df51f592f50730c0926466c2029e
MD5 hash: 476334f67f1098c85131720cf1fa89a2
SHA1 hash: 4b90c56e4d27933f0fc114e41796ab629e98ebe9

SHA256 hash: fea97bcd0bcd24fae553aa9152a410e3e6064edbd8011c3b2d9fcee40cc430f8
MD5 hash: 1f58a22f2b80d9ab1a0cf3bb911dec5c
SHA1 hash: 431e2589473738aef637916ce6a73b333d9ee4ec

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments