MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 12



SHA256 hash: af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3
SHA3-384 hash: 7a219fe7435c3081df56b54a755a3107b6bac764a77674009d9ed0ee135eb15252b53e66cdbbcd6108be55fe25071937
SHA1 hash: b2187debc6fde96e08d5014ce4f1af5cf568bce5
MD5 hash: df13fac0d8b182e4d8b9a02ba87a9571
humanhash: fruit-blue-mockingbird-salami
File name: df13fac0d8b182e4d8b9a02ba87a9571.exe
Signature Smoke Loader
File size: 163'328 bytes
First seen: 2021-11-30 18:27:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash da6e44d670b5fbb5806227c9c04db77d (5 x RedLineStealer, 3 x Amadey, 1 x Smoke Loader)
ssdeep 3072:qkqeuZi3xqvmqEzkC34ygPsAXtITmUYasQ2:VXuk3EvmqEgS4jlLay
Threatray 7'214 similar samples on MalwareBazaar
TLSH T183F38C1176E29173D3B7A630247CCBA01ABBB8322531469F2795262E5FB13C14EBD772
dhash icon fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter abuse_ch
Tags: Dofoil exe Smoke Loader

Intelligence


File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
df13fac0d8b182e4d8b9a02ba87a9571.exe
Verdict:
No threats detected
Analysis date:
2021-11-30 18:34:21 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
DNS request
Reading critical registry keys
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware lockbit packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot Djvu SmokeLoader Vidar
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Yara detected Cryptbot
Yara detected Djvu Ransomware
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 531413
Sample: f7Kudio57m.exe
Startdate: 30/11/2021
Architecture: WINDOWS
Score: 100

Process tree (node ids as assigned by the sandbox graph):

[2] Start
  DNS/IP: qoto.org
  Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected Vidar; 15 other signatures
  Started: [14] f7Kudio57m.exe; [17] hbbgsrw

[14] f7Kudio57m.exe
  Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process
  Injected: [19] explorer.exe

[17] hbbgsrw
  Signatures: Machine Learning detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

[19] explorer.exe (injected)
  DNS/IP: 212.193.30.196, 49768, 7766 SPD-NETTR Russian Federation; 210.182.29.70, 49762, 49763, 49765 LGDACOMLGDACOMCorporationKR Korea Republic of; 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\hbbgsrw, PE32; C:\Users\user\AppData\Local\Temp\FE60.exe, PE32; C:\Users\user\AppData\Local\Temp\D693.exe, PE32; 3 other malicious files
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: [24] FE60.exe; [27] 1BAD.exe; [31] explorer.exe; [33] 3 other processes

[24] FE60.exe
  Signatures: Antivirus detection for dropped file; Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 2 other signatures

[27] 1BAD.exe
  DNS/IP: qoto.org 51.91.13.105, 443, 49788 OVHFR France; 159.69.92.223, 49794, 80 HETZNER-ASDE Germany
  Dropped: C:\Users\user\AppData\...\msvcp140[1].dll, PE32; C:\Users\user\AppData\...\vcruntime140[1].dll, PE32; C:\Users\user\AppData\Local\...\nss3[1].dll, PE32; 9 other files (none is malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets
  Started: [35] cmd.exe

[31] explorer.exe
  DNS/IP: srtuiyhuali.at
  Signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

[33] 3 other processes
  Signatures: Machine Learning detection for dropped file; 2 other signatures
  Started: [37] mshta.exe; [39] D693.exe

[35] cmd.exe
  Started: [42] conhost.exe; [44] taskkill.exe; [46] timeout.exe

[37] mshta.exe
  Started: [48] cmd.exe

[39] D693.exe
  DNS/IP: api.2ip.ua 77.123.139.190, 443, 49771 VOLIA-ASUA Ukraine

[48] cmd.exe
  Dropped: C:\Users\user\AppData\...~OIYufRun.eXE, PE32
  Signatures: Submitted sample is a known malware sample
  Started: [52] E~OIYufRun.eXE; [54] conhost.exe; [56] taskkill.exe

[52] E~OIYufRun.eXE
  Started: [58] mshta.exe; [60] mshta.exe

[58] mshta.exe
  Started: [62] cmd.exe

[60] mshta.exe
  Started: [65] cmd.exe

[62] cmd.exe
  Dropped: C:\Users\user\AppData\Local\Temp\UQR7iP.DMX, PE32
  Started: [67] conhost.exe; [69] cmd.exe; [71] cmd.exe; [73] odbcconf.exe

[65] cmd.exe
  Started: [75] conhost.exe
Threat name:
Win32.Trojan.Lockbit
Status:
Malicious
First seen:
2021-11-30 16:59:58 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
31 of 44 (70.45%)
Threat level:
5/5
Result
Malware family:
smokeloader
Score:
10/10
Tags:
family:cryptbot family:smokeloader backdoor collection discovery evasion spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
CryptBot
SmokeLoader
Malware Config
C2 Extraction:
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Unpacked files
SHA256 hash:
f12298a85ad18a55421deada8eb23f2a519a606439eedc2f9a60cd1ec8494914
MD5 hash:
b759df8ed45d16518bd54eb6f3b996ca
SHA1 hash:
ed63cdc2a64db6902b2a94e94020ff7db52c7691
SHA256 hash:
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3
MD5 hash:
df13fac0d8b182e4d8b9a02ba87a9571
SHA1 hash:
b2187debc6fde96e08d5014ce4f1af5cf568bce5
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

(this sample)

Delivery method
Distributed via web download

Comments