MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 9

SHA256 hash: 170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
SHA3-384 hash: 34a985c4c56bf450e517fbfc9e53b1d1450332115c4cfc511a0a70cfc34377ceedaee9ea7e64be790e66ccb3857690ea
SHA1 hash: 5d81c7f60371c156fc29b840991a10fbc10b2ef1
MD5 hash: 3f237a04bc8ec74f62cbed6b1a31ca12
humanhash: bravo-robert-bluebird-colorado
File name: 3f237a04bc8ec74f62cbed6b1a31ca12.exe
Signature: Smoke Loader
File size: 1'078'552 bytes
First seen: 2021-01-19 13:05:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2fb819a19fe4dee5c03e8c6a79342f79 (56 x Adware.InstallCore, 8 x RedLineStealer, 7 x Adware.ExtenBro)
ssdeep: 24576:AyIXLhjLox0UGO4Gpn302pqa5ugHd+XfycUWmFCMo8eoSg1vpADsC/b:AyeLRu0UCGp302pcgHd+X6z94MWwvpgj
Threatray: 485 similar samples on MalwareBazaar
TLSH: A93523C3EFD00434D2A98A3A1534C1521FB6BD96EDFD04AC314CB497AF7A622E61671E
Reporter: abuse_ch
Tags: Dofoil, exe, Smoke Loader
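The hashes above are what a downloaded copy should be checked against before it is unpacked, detonated or shared, since the page itself warns that a listing is no guarantee of what the bytes are. The Python below is an added example, not MalwareBazaar's own code: it streams a file once through the four digests the entry lists, compares them and the byte count against the values copied from this page into `ENTRY`, and does a minimal MZ/PE header check to confirm the file type the entry claims. `CONSTRUCTED_PE_STUB` is a constructed 0x44-byte header used only to exercise the PE check offline; it is not a real sample.

```python
import hashlib
import io

# Values copied from the MalwareBazaar entry above (size in bytes).
ENTRY = {
    "sha256": "170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52",
    "sha3_384": "34a985c4c56bf450e517fbfc9e53b1d1450332115c4cfc511a0a70cfc34377ceedaee9ea7e64be790e66ccb3857690ea",
    "sha1": "5d81c7f60371c156fc29b840991a10fbc10b2ef1",
    "md5": "3f237a04bc8ec74f62cbed6b1a31ca12",
    "size": 1078552,
}


def hash_stream(fp, chunk_size=1 << 20):
    """Read a file object once and feed every digest the entry lists; also count the bytes."""
    digests = {
        "sha256": hashlib.sha256(),
        "sha3_384": hashlib.sha3_384(),
        "sha1": hashlib.sha1(),
        "md5": hashlib.md5(),
    }
    size = 0
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for d in digests.values():
            d.update(chunk)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["size"] = size
    return result


def compute_hashes(data):
    """Convenience wrapper for in-memory bytes."""
    return hash_stream(io.BytesIO(data))


def mismatches(observed, expected=ENTRY):
    """Names of the fields in `expected` that `observed` does not match; empty list means verified."""
    return [k for k, v in expected.items() if observed.get(k) != v]


def looks_like_pe(data):
    """True if the bytes start with an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed 0x44-byte header for offline testing only (MZ stub, e_lfanew = 0x40, PE signature).
_stub = bytearray(0x44)
_stub[0:2] = b"MZ"
_stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
_stub[0x40:0x44] = b"PE\x00\x00"
CONSTRUCTED_PE_STUB = bytes(_stub)


def verify_file(path, expected=ENTRY):
    """Hash a file on disk; report which listed fields differ and whether the head parses as PE."""
    with open(path, "rb") as fp:
        observed = hash_stream(fp)
        fp.seek(0)
        head = fp.read(0x1000)  # e_lfanew is normally well inside the first few KiB
    return {"mismatches": mismatches(observed, expected), "is_pe": looks_like_pe(head)}


if __name__ == "__main__":
    import sys
    print(verify_file(sys.argv[1]))
```

MalwareBazaar serves samples inside a password-protected zip (password `infected`); run `verify_file` on the extracted binary, not on the archive, and treat any non-empty `mismatches` list as "this is not the file the entry describes" rather than as a hashing error.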

Intelligence

File Origin
# of uploads: 1
# of downloads: 469
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3f237a04bc8ec74f62cbed6b1a31ca12.exe
Verdict: Suspicious activity
Analysis date: 2021-01-19 13:15:07 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Sending a UDP request
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cyberduck Djvu SmokeLoader Vidar
Detection: malicious
Classification: rans.phis.troj.spyw.evad
Score: 90 / 100
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Cyberduck
Yara detected Djvu Ransomware
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 341569; sample 9oUx9PzdSA.exe; start date 19/01/2021; architecture WINDOWS; score 90). The graph image did not survive extraction; the process tree, dropped files and network contacts it encoded are listed below.

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 7 other signatures.
Top-level network contacts: www.facebook.com; whois.iana.org (Tries to resolve many domain names, but no domain seems valid); 25 other IPs or domains.

Process tree:
9oUx9PzdSA.exe (the submitted sample)
  dropped: C:\Users\user\AppData\...\9oUx9PzdSA.tmp (PE32)
  started: 9oUx9PzdSA.tmp
    dropped: C:\Program Files (x86)\...\is-MGDCT.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\is-PTFRK.tmp (PE32); 2 other files (none is malicious)
    started: seed.sfx.exe
      dropped: C:\Program Files (x86)\...\seed.exe (PE32)
      started: seed.exe
        signatures: Renames NTDLL to bypass HIPS; Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
        injected: explorer.exe
          network: 10022020yirtest231-service1002012510022020.ru; 10022020yes1t3481-service1002012510022020.ru (Tries to resolve many domain names, but no domain seems valid); 85 other IPs or domains
          dropped: C:\Users\user\AppData\Roaming\tsfftge (PE32); C:\Users\user\AppData\Local\Temp\B7FC.exe (PE32); C:\Users\user\AppData\Local\Temp\D53D.exe (PE32); 4 other files (none is malicious)
          signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
          started: B7FC.exe
            network: raytracingengine.com (78.142.29.203:80, VERDINABZ, Bulgaria); ip-api.com
            dropped: C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); 9 other files (none is malicious)
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 2 other signatures
          started: B106.exe
            network: api.2ip.ua (77.123.139.190:443, VOLIA-ASUA, Ukraine)
            dropped: C:\Users\user\AppData\Local\...\B106.exe (PE32)
    started: cmd.exe
      started: iexplore.exe
        network: iplogger.org
        started: iexplore.exe
          network: iplogger.org (88.99.66.31:443, HETZNER-ASDE, Germany); 192.168.2.1
      started: conhost.exe
tsfftge (top-level process; same name as the file explorer.exe dropped to C:\Users\user\AppData\Roaming)
  dropped: C:\Users\user\AppData\Local\Temp\1105.tmp (PE32)
  signatures: Renames NTDLL to bypass HIPS; Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
svchost.exe
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
9 other processes
  network: 127.0.0.1
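Three of the signatures in the behaviour graph above (Benign windows process drops PE files, System process connects to network, Tries to resolve many domain names) all hinge on the same observation: explorer.exe, a process that should never do these things on its own, starts writing executables into AppData and talking to dozens of throw-away domains once seed.exe has injected into it. The Python below is an added example, not the sandbox vendor's detection logic, that re-creates those three checks over Sysmon-style events (IDs 1, 3, 11 and 22) and links a dropped file to its later execution. The `SAMPLE_EVENTS`, the `TRUSTED_HOSTS` allow-list, `DNS_FANOUT_THRESHOLD` and the 203.0.113.10 destination are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Processes that should not drop executables or open sockets themselves; when they do,
# something has usually been injected into them (assumption: short allow-list for illustration).
TRUSTED_HOSTS = {"explorer.exe", "svchost.exe"}
# Locations the sandbox graph shows the injected explorer.exe writing to.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
# Distinct names one process may resolve before it counts as fan-out (assumed threshold).
DNS_FANOUT_THRESHOLD = 5
# RFC 1918, loopback and link-local ranges; connections there are not interesting for this rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip):
    """True for addresses inside INTERNAL_NETS (unparseable strings are treated as internal)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Run the checks over Sysmon-style events in order; return (rule, detail) pairs."""
    findings = []
    dropped = {}                 # lowercased path -> allow-listed process that wrote it
    dns_seen = defaultdict(set)  # process image -> distinct names it queried
    for ev in events:
        eid = ev["EventID"]
        image = basename(ev.get("Image", ""))
        if eid == 11 and image in TRUSTED_HOSTS:           # FileCreate by a trusted host
            target = ev["TargetFilename"]
            if any(seg in target.lower() for seg in USER_WRITABLE):
                dropped[target.lower()] = image
                findings.append(("benign_process_drops_file", f"{image} wrote {target}"))
        elif eid == 1 and ev["Image"].lower() in dropped:  # ProcessCreate of a file dropped above
            findings.append(("dropped_file_executed",
                             f"{ev['Image']} started by {basename(ev.get('ParentImage', ''))}"))
        elif eid == 3 and image in TRUSTED_HOSTS and not is_internal(ev["DestinationIp"]):
            findings.append(("system_process_network",
                             f"{image} -> {ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif eid == 22:                                    # DnsQuery: collect per-process fan-out
            dns_seen[image].add(ev["QueryName"].lower())
    for image, names in dns_seen.items():
        if len(names) >= DNS_FANOUT_THRESHOLD:
            findings.append(("dns_fanout", f"{image} resolved {len(names)} distinct names"))
    return findings


# Constructed events modelled on the behaviour graph above; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\tsfftge"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\B7FC.exe"},
    {"EventID": 1, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\B7FC.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "192.168.2.1", "DestinationPort": 53},        # internal: ignored
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},       # assumed external address
    {"EventID": 11, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\cache.tmp"},  # not allow-listed: ignored
] + [
    {"EventID": 22, "Image": "C:\\Windows\\explorer.exe",
     "QueryName": f"1002202{i}-service.example"} for i in range(6)
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The allow-list is the deliberate weak point: a rule keyed on process name alone fires on any explorer.exe, so in production you would pair it with parent/child lineage or thread-start events (the "Creates a thread in another existing process" signature above) before alerting, and tune the DNS threshold against your own baseline of what explorer.exe resolves.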
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2021-01-19 01:19:59 UTC
AV detection: 16 of 29 (55.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 98f3f2560dd120afa32c7b40c6a20966553cc0bcbc0f26a784b4fcc7ebe938fd
MD5 hash: ca1d3fcb7b57c129bd8efae456333681
SHA1 hash: 3396ff1744cbcefcc48880bbdc4ff27569f3b72b

SHA256 hash: 61c21c7cfdd25523265a5151626709418bc5df1ebf1a51e109cadfe68e6d6661
MD5 hash: 845dd290e7f92401af14192701dcf2b3
SHA1 hash: 3046f3ba18ec50051c23e9180f17a335954dcd2a

SHA256 hash: 9835eef781d97d59e2f66d9af3baf09d28074815f4fdf2b87220d97958d98c84
MD5 hash: 6b09e2d8415b2a9dbffabd96a74ccb22
SHA1 hash: 6c26959055614686626b15b9a4ddb9ca0da69cbd

SHA256 hash: 170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52 (the submitted sample itself)
MD5 hash: 3f237a04bc8ec74f62cbed6b1a31ca12
SHA1 hash: 5d81c7f60371c156fc29b840991a10fbc10b2ef1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments