MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42cc2a8e97add8162a113cefb4399f16806416acf5ba01b6008009f292d2c4bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	42cc2a8e97add8162a113cefb4399f16806416acf5ba01b6008009f292d2c4bb
SHA3-384 hash:	360ef8b41230b3a37dcf24324bda0c04e97a367a01b2588aaf9c0fd6faa91d09479c41830c3d675024b4190f20a6f288
SHA1 hash:	098b62f8dd62d46b36af6e49ec462c3cb0badb6b
MD5 hash:	cfcd19e386be1f81fa2311cf6d9d57e5
humanhash:	thirteen-vermont-oranges-fillet
File name:	cfcd19e386be1f81fa2311cf6d9d57e5.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	238'592 bytes
First seen:	2022-01-31 07:32:26 UTC
Last seen:	2022-01-31 10:04:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	38920ac54731b26e076dad07b8d02c75 (1 x Loki, 1 x Smoke Loader)
ssdeep	3072:xYl9n8Wf1ODvqg5znhIAds7lyK2/kyE4eVggjcGkNIVqI:xYX828u+8L2/kyxW7ITsq
Threatray	6'856 similar samples on MalwareBazaar
TLSH	T17034BFC07690C472C09135B19B29CBB05A3EBC32D9A5DB073776176EDF722D0BA2A359
File icon (PE):
dhash icon	fcfcb4b4b4d4d9c1 (24 x RedLineStealer, 10 x Smoke Loader, 4 x RaccoonStealer)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

390

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cfcd19e386be1f81fa2311cf6d9d57e5.exe

Verdict:

Suspicious activity

Analysis date:

2022-01-31 07:40:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7a85fde2-cf30-4518-9db5-3e69709e3f57

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/228335/

Detection(s):

SecuriteInfo.com.Trojan.Siggen16.38837.8980.10988.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Sending a custom TCP request

Unauthorized injection to a recently created process

Query of malicious DNS domain

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5589/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61f790b2d7fd65ae55fb3948/reports/c00ac918-7849-4c36-bf4a-8933314ff55b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SystemBC

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/439a934a-fad2-4f49-aaf2-646738e0b11e

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930634

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42cc2a8e97add8162a113cefb4399f16806416acf5ba01b6008009f292d2c4bb/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-01-31 07:33:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ilgcvduxvxmbmkqrhtx3iom7c2agifvm6w5adnqaqae7fewsys5q._file

Verdict:

malicious

Label(s):

ryuk

Smoke Loader

29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03

Smoke Loader

4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a

Smoke Loader

8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2

Smoke Loader

8cedc3fb74185394bbf60d2dc1f9618b1e576986f13031b9e29ef12daa6eaf2c

Smoke Loader

eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1

Smoke Loader

+ 6'846 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220131-jdjgsshdc8/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

MD5 hash:

b984a027c8a2abf874f3eb306a831613

SHA1 hash:

d3b3f8890adc840b0bd411cf304eef15d415ed48

Link:

https://www.unpac.me/results/8eef174f-1baf-43a4-a512-5563bae09ec4/

Parent samples :

fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a

SH256 hash:

42cc2a8e97add8162a113cefb4399f16806416acf5ba01b6008009f292d2c4bb

MD5 hash:

cfcd19e386be1f81fa2311cf6d9d57e5

SHA1 hash:

098b62f8dd62d46b36af6e49ec462c3cb0badb6b

Link:

https://www.unpac.me/results/8eef174f-1baf-43a4-a512-5563bae09ec4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42cc2a8e97add8162a113cefb4399f16806416acf5ba01b6008009f292d2c4bb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe 42cc2a8e97add8162a113cefb4399f16806416acf5ba01b6008009f292d2c4bb

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2013897/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/228335/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample