MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff3bd8bcbd9f93c0b48fac3dad59735db9db2343da3126bc836a3134b563924d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 10



SHA256 hash: ff3bd8bcbd9f93c0b48fac3dad59735db9db2343da3126bc836a3134b563924d
SHA3-384 hash: 9b5d7a02c65c68fa679b7f76573c1560627e741a1147f3eef69a32e273bee009d1f1f30cdc0ec9cef8aed21e9b97ad3d
SHA1 hash: d98d8b5f5577f9d46cbcc3b73774ab3bc57e2466
MD5 hash: bb7917ed8063b9fd1cf3ea57fed87a5a
humanhash: speaker-kentucky-kitten-uncle
File name: bb7917ed8063b9fd1cf3ea57fed87a5a
Signature: Smoke Loader
File size: 818'912 bytes
First seen: 2023-12-23 05:58:00 UTC
Last seen: 2023-12-23 23:33:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b12336fa8cbb9bd1c3e11ad0d8477f71 (2 x Smoke Loader, 2 x Stealc, 1 x RemcosRAT)
ssdeep: 24576:p9cSTsqZCHEOKCy0aTrhw53Kd70sc1QEz:p9cSTZCHvK/agR0hz
Threatray: 10 similar samples on MalwareBazaar
TLSH: T1E9052333F0DDC890D9934EBB3EB5E7985ED3B1BA4E6207354A54D00DA9B24483D722B6
TrID: 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
      25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.8% (.EXE) OS/2 Executable (generic) (2029/13)
      1.8% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 009286868686f800 (4 x Stealc, 4 x AgentTesla, 3 x Smoke Loader)
Reporter: zbetcheckin
Tags: 64 exe signed Smoke Loader

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-23T02:10:44Z
Valid to: 2024-12-23T02:10:44Z
Serial number: d8683b5657b7e0aeeea9e8056c7c7db6
Thumbprint Algorithm: SHA256
Thumbprint: 373acebd4285ffff630f33f3eb299613c1a1bc9276936685d51a9583bdbb2efd
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 3
# of downloads: 501
Origin country: FR
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: hacktool lolbin monero overlay packed packed packed shell32 upx
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Neoreklami, Stealc, Vidar
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Neoreklami
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph (rendered as an image on the original page; the node data recoverable from it is listed below):
Behavior Graph ID: 1366469
Sample: 7zrLU5V186.exe
Start date: 23/12/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
Processes started by the sample and its descendants: 7zrLU5V186.exe, cmd.exe, conhost.exe, CasPol.exe, 4av7FvEmGZ1iUyS7zR4xhyNi.exe, kbcTcOfkltTMVH6UvtyPKfuo.exe, P62RGc8CiBOCnefgojmf3Cbd.exe, VkBx98YEqyYOfBBAsM9ItSBA.exe, 75y9S11bcGhD0AvK9KwNBzMH.exe, nsj2A2C.tmp.exe, nssE7E3.tmp.exe, BroomSetup.exe, Assistant_106.0.4998.16_Setup.exe_sfx.exe, Install.exe, 2cexm2eAIAn5s1UucaG2pVBc.exe, powershell.exe, forfiles.exe, schtasks.exe, reg.exe
Network contacts shown in the graph:
194.104.136.64 SMEERBOEL-ASSMEERBOELBVNL Netherlands
5.42.64.35 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation
192.0.66.233 AUTOMATTICUS United States
23.45.49.179 AKAMAI-LAEU United States
107.167.110.211 OPERASOFTWAREUS United States
107.167.110.217 OPERASOFTWAREUS United States
209.87.209.205 ZONEALARM-COMUS United States
104.237.62.212 WEBNXUS United States
77.91.76.36 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation
Further contacts are only summarised in the graph as "14 other", "6 other", "3 other", "2 other" and "2 other" IPs or domains.
Dropped files shown in the graph (PE32 unless noted):
C:\Users\...\zd8dG3hmGoI7pCFy4XbTwY4y.exe
C:\Users\...\yx9F7lWh8XSQV9RlnUAKizhs.exe
C:\Users\...\yrYOiyZX5FcDHc4zOZ0AMofw.exe (plus 221 other malicious files dropped by the same process)
C:\Users\user\AppData\...\nsj2A2C.tmp.exe
C:\Users\user\AppData\Local\...\INetC.dll
C:\Users\user\AppData\...\syncUpd[1].exe
Opera_installer_2312230559217363668.dll
Opera_installer_2312230558574347416.dll
Opera_installer_2312230558564867328.dll
Opera_installer_2312230558559807208.dll
Opera_installer_2312230558579717456.dll
C:\Users\user\AppData\...\nssE7E3.tmp.exe
C:\Users\user\AppData\Local\...\nsyE9D6.tmp (DOS)
C:\Users\user\AppData\Local\Temp\...\Zip.dll
C:\Users\user\AppData\Local\...\Checker.dll
C:\Users\user\AppData\Local\...\mojo_core.dll
C:\Users\user\AppData\Local\...\launcher.exe
C:\Users\user\AppData\Local\...\Install.exe
C:\Users\user\AppData\Local\...\STZAljV.exe
C:\Windows\System32\GroupPolicy\gpt.ini (ASCII)
The per-process signature annotations in the graph (foreign memory writes and PE injection, startup-folder drops, VM and sandbox checks, Tor onion address, crypto-wallet strings, mail credential theft, schtasks.exe and forfiles.exe use, Windows Defender exclusion and protection changes via reg.exe, Group Policy modification) repeat entries from the Signature list above.
Threat name: Win64.Trojan.Amadey
Status: Malicious
First seen: 2023-12-23 05:59:05 UTC
File Type: PE+ (Exe)
Extracted files: 5
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:stealc discovery dropper evasion loader persistence spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
NSIS installer
Program crash
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Registers COM server for autorun
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Stealc
Windows security bypass
Malware Config
C2 Extraction: http://77.91.76.36
Unpacked files
SHA256 hash: 8c603d9751d31ffb9f8c74cf3ba2253f9407000c8cd66596d745327a2db2238f
MD5 hash: 8ed026c382c4d10e97dd85fadd6b63fa
SHA1 hash: 54321c2015aa79bd526e7897e59a283e0e703ce0
SHA256 hash: ff3bd8bcbd9f93c0b48fac3dad59735db9db2343da3126bc836a3134b563924d
MD5 hash: bb7917ed8063b9fd1cf3ea57fed87a5a
SHA1 hash: d98d8b5f5577f9d46cbcc3b73774ab3bc57e2466
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Smoke Loader | Executable exe | ff3bd8bcbd9f93c0b48fac3dad59735db9db2343da3126bc836a3134b563924d (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-12-23 05:58:01 UTC

url : hxxps://15.204.49.148/files/InstallSetup2.exe