MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 599a59aba0c234edc2c2799a7a06208d3d112438b1bc49ba5292f111429b9102. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	599a59aba0c234edc2c2799a7a06208d3d112438b1bc49ba5292f111429b9102
SHA3-384 hash:	53541a0ce4ea72306e4c987c46f98f6245af429b319dd8a3eb089d58b854e5f6d0e041c447f104eee65f8eaf97c2c17c
SHA1 hash:	bc5ea2977b66d315394cf44f179d3396da5d5ede
MD5 hash:	ff11155a45bfc0cf1e5f59e636d0fbeb
humanhash:	mike-delta-solar-jig
File name:	ff11155a45bfc0cf1e5f59e636d0fbeb.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	239'104 bytes
First seen:	2022-01-31 07:32:29 UTC
Last seen:	2022-01-31 10:04:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b54f072419f24418258899aa1cee7821 (3 x Loki, 1 x Smoke Loader)
ssdeep	3072:zaEkQ/rfdT/fs5cp949sUrByQtEJzfL9jN5mVggjcGkNIVqI:zapwFrpu9s+tCJzfPs7ITsq
Threatray	20 similar samples on MalwareBazaar
TLSH	T13C34BFC07691D0B6C05634B08936CBE19E3EFD32DCA4DAC73B76172E9E712D09A26356
File icon (PE):
dhash icon	fcf8b4b4b4d4d9c1 (6 x RedLineStealer, 4 x Smoke Loader, 2 x RaccoonStealer)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

393

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ff11155a45bfc0cf1e5f59e636d0fbeb.exe

Verdict:

Suspicious activity

Analysis date:

2022-01-31 08:27:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7a6dae9b-6972-4639-864b-d5ae21d9a58d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/228336/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.5516.17080.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Searching for synchronization primitives

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Sending a custom TCP request

Unauthorized injection to a recently created process

Query of malicious DNS domain

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5590/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61f790b4d7fd65ae55fb394a/reports/24af3125-c0a0-4983-8c8d-22f91d132163/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SystemBC

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/62d0e517-1438-40a3-8bbf-af4dc1b9054d

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930633

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/599a59aba0c234edc2c2799a7a06208d3d112438b1bc49ba5292f111429b9102/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-01-31 08:16:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lgnftk5ayi2o3qwcpgnhubraru6rcjbywg6etossslyrcqu3seba._file

Verdict:

malicious

Smoke Loader

3d6425cf292c5a78f2014754d8a3368a934110587077584bc54b54642609b1f0

Smoke Loader

5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95

Smoke Loader

7972504035b05ba390f0e4083ef1d4ee7725ad5c581ab6beb730425f4b6945ba

Smoke Loader

83d0e70a23c542850312be419a86d0a77390d766ce8b5dd21ab0620c1aec75d3

Smoke Loader

98ad02342614a473b078f5b12274fa3c9c78779894750fbb7af82664b9e7ffa8

Smoke Loader

c53c13aa261fe9d7afe51e88a781264aa8c37639543de2a0dff680b8599dee60

Smoke Loader

cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd

Smoke Loader

ee8b0e0f159d28b8bdf306b5ae9fef26379525cb6f8d07d8855963ceb6a9f7d6

Smoke Loader

f2e9475cbf8ad93f5762a2b5c02b552d5afe5247c9c14e2c1e72f507807ffbaa

Smoke Loader

+ 10 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220131-jdjskahdc9/

Behaviour

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetThreadContext

Deletes itself

Executes dropped EXE

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

196c516ea546fb935ac669681a74a4dc80da79d9088f464f6cc6f126ae934f4e

MD5 hash:

c36de8bc9668ec4eaafca4c349dca0d5

SHA1 hash:

ea2cadfada69b93ca3abeb8b2462c5c18891fabf

Link:

https://www.unpac.me/results/f027c68f-2b55-48db-9a3f-d4f91fc06db4/

Parent samples :

6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
8928eed86ea55a63e3646bf8ca403b4b1e57702f73c1ecc8fa403b5700a304ef
18ad362dcae8df5827846223c09ceba7766e09733b685d4067ee39037daec452
da39948d95cdbce6e1ca9e0fdbb77080164a379f593e530b5732d3fc38df7bf8
7c74a8c41e24f69015185f78b8fbc177edcbe9d27099e904497b2310999f74cb
92ebb6be19502fe2573a9eac183bcc657b88ac5b0344285d9db409b0a3d88dab
af6fa095b427a0e95dd826696c2b92b0123e688e3c95f6d27825cc2928085d1b
de8099732ee5b73f3fa6d032a74e8576d06663fc16b2c6da27a34444fdced1c8

SH256 hash:

599a59aba0c234edc2c2799a7a06208d3d112438b1bc49ba5292f111429b9102

MD5 hash:

ff11155a45bfc0cf1e5f59e636d0fbeb

SHA1 hash:

bc5ea2977b66d315394cf44f179d3396da5d5ede

Link:

https://www.unpac.me/results/f027c68f-2b55-48db-9a3f-d4f91fc06db4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/599a59aba0c234edc2c2799a7a06208d3d112438b1bc49ba5292f111429b9102

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe 599a59aba0c234edc2c2799a7a06208d3d112438b1bc49ba5292f111429b9102

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2013850/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/228336/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample