{
	"id": "323cc9eb-7de9-4172-80a7-effc5a5e3c80",
	"created_at": "2026-04-06T00:08:39.529913Z",
	"updated_at": "2026-04-10T03:21:59.54381Z",
	"deleted_at": null,
	"sha1_hash": "eee9013347a4e2dd68d50126f7fe0c41bc850d0e",
	"title": "New-looking Sundown EK drops Smoke Loader, Kronos banker | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 468370,
	"plain_text": "New-looking Sundown EK drops Smoke Loader, Kronos banker |\r\nMalwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2016-10-16 · Archived: 2026-04-05 16:06:03 UTC\r\nAs we keep a tab on exploit kits, today we are looking at some changes with Sundown EK. Nowhere near as\r\npopular as RIG EK, this exploit kit still remains a threat with exploits for Internet Explorer, Flash, and Silverlight.\r\nIn early October we detected a new landing page format for Sundown EK, which followed on some previous new\r\nURL patterns. The notable changes are additional obfuscation and the (ab)use of white space throughout the\r\nHTML landing page.\r\nFor once, the payload dropped in this case isn’t ransomware but a two stage infection starting with a downloader\r\nwhich retrieves a banking Trojan.\r\nBefore\r\nAfter\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/\r\nPage 1 of 6\n\nHere are some highlights\r\nCall for IE exploit\r\nCall for Flash exploit\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/\r\nPage 2 of 6\n\nCall for Silverlight exploit:\r\nPayload launch (via wscript):\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/\r\nPage 3 of 6\n\nMalwarebytes Anti-Exploit blocks the various exploits pushed by Sundown EK:\r\nPayload overview\r\nThe initial dropped payload we captured in this particular new Sundown EK instance is Smoke\r\nLoader a downloader whose purpose is to retrieve additional malware. Not too long ago, we\r\nobserved Smoke Loader being \r\nhttps://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/\r\nPage 4 of 6\n\nUpon execution, Smoke Loader will download a second stage payload\r\nfrom https://dl.dropboxusercontent.com/s/4o3dllw65z6wemb/vamos.lek.\r\nThis particular piece of malware belongs to the Kronos banking Trojan family. It is a credential-stealer with form\r\ngrabbing and HTML injection capabilities.\r\nBoth of those threats are detected by Malwarebytes Anti-Malware:\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/\r\nPage 5 of 6\n\nFootnotes\r\nWe first noticed increased activity from Sundown EK\r\nCollecting this Kronos payload was interesting because it is part of a trend we have observed recently of an\r\nincreased number in banking Trojans distributed via malvertising campaigns.\r\nSpecial thanks to @hasherezade for help in unpacking the malware payloads.\r\nFurther reading\r\nSmoke Loader – downloader with a smokescreen still alive\r\nIOCs:\r\nRaw Sundown EK landing: Link\r\nPartially deobfuscated landing (thanks David Ledbetter): Link\r\nURL patterns:\r\nfhbg.futureproducts.xyz/index.php?\r\n8Fn3HGC8gA=sS28Njmi16RQG3jf2qBJ91nXhsFjqBM8rQf9zlFjJV6oksXmwLUiEzNO\r\nfhbg.futureproducts.xyz/undefined\r\nfhbg.futureproducts.xyz/45786437956439785/127.swf\r\nfhbg.futureproducts.xyz/580367589678954654986459286/489567945678456874356487356743256.swf\r\nfhbg.futureproducts.xyz/580367589678954654986459286/459643097739469743657974386794384.xap\r\nde.piclogo.xyz/43526876827345687356872456.php?id=127\r\nde.piclogo.xyz/z.php?id=127\r\nSmoke Loader: e420e521f891c1a6245e377dc7a6ab70458b7c0d77ad39535cb59018a542fe15\r\nKronos: e420e521f891c1a6245e377dc7a6ab70458b7c0d77ad39535cb59018a542fe15\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/\r\nPage 6 of 6\n\n https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/ \nHere are some highlights \nCall for IE exploit \nCall for Flash exploit \n  Page 2 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/"
	],
	"report_names": [
		"new-looking-sundown-ek-drops-smoke-loader-kronos-banker"
	],
	"threat_actors": [],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eee9013347a4e2dd68d50126f7fe0c41bc850d0e.pdf",
		"text": "https://archive.orkl.eu/eee9013347a4e2dd68d50126f7fe0c41bc850d0e.txt",
		"img": "https://archive.orkl.eu/eee9013347a4e2dd68d50126f7fe0c41bc850d0e.jpg"
	}
}