MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c99fe181f72e4484c5de24d3edd0e51641dcb8cd6f24fc2b2b05ce1ef2b4220d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 45 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c99fe181f72e4484c5de24d3edd0e51641dcb8cd6f24fc2b2b05ce1ef2b4220d
SHA3-384 hash: cf1128250715dfdf4d6ff653ddb867dc4298ffde38db9c5ff49da97b2eb63a514fa20743c42c86a15d61a38f77da3b62
SHA1 hash: 4468ab04da59b497796db5d70a99ddc37575639f
MD5 hash: 984a2c26647728678666b8308c8e3753
humanhash: dakota-carpet-lactose-nebraska
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:24'473'600 bytes
First seen:2023-10-25 12:14:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'240 x SnakeKeylogger)
ssdeep 393216:neKmPtm6NWb8dhJzKxtT0nKwLf9WytZiM2QFCUl2NQ2Jb8kQRzLC3Bmf9S/lJcOl:n/mPtub8kNiKwLvZiM2QIUsNQMb/6MmY
TLSH T143373374F9F8489EE9F72B147C356EEB61F93914BF6E91E802B8204C9D16F71048027A
TrID 72.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.3% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from http://185.172.128.69/newumma.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
US US
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-25 12:15:48 UTC
Tags:
loader smoke miner
Link:
https://app.any.run/tasks/697245e8-f0cd-4603-a0cd-abc7b247b54f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.17561.14383.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
Creating a window
Creating a file
Searching for synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Modifying a system file
Running batch commands
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
89%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/653906cabc703e36b08c6d5c/reports/6bf5f34f-c4e1-43d2-a0bf-b20f78d41e59/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/c99fe181f72e4484c5de24d3edd0e51641dcb8cd6f24fc2b2b05ce1ef2b4220d
Result
Verdict:
MALICIOUS
Result
Threat name:
Glupteba, RedLine, SmokeLoader, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331859
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331859 Sample: file.exe Startdate: 25/10/2023 Architecture: WINDOWS Score: 100 156 zexeq.com 2->156 158 iplogger.com 2->158 160 5 other IPs or domains 2->160 174 Snort IDS alert for network traffic 2->174 176 Multi AV Scanner detection for domain / URL 2->176 178 Found malware configuration 2->178 180 24 other signatures 2->180 12 file.exe 7 2->12         started        15 qDlxRlZ.exe 2->15         started        18 powershell.exe 2->18         started        20 powershell.exe 2->20         started        signatures3 process4 file5 146 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 12->146 dropped 148 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 12->148 dropped 150 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 12->150 dropped 154 2 other malicious files 12->154 dropped 22 kos3.exe 4 12->22         started        26 toolspub2.exe 12->26         started        28 setup.exe 7 12->28         started        36 2 other processes 12->36 152 C:\Windows\Temp\...\mrTabTb.exe, PE32 15->152 dropped 238 Multi AV Scanner detection for dropped file 15->238 240 Very long command line found 15->240 242 Modifies Windows Defender protection settings 15->242 30 powershell.exe 15->30         started        32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        signatures6 process7 file8 132 C:\Users\user\AppData\Local\Temp\tuc19.exe, PE32 22->132 dropped 134 C:\Users\user\AppData\Local\Temp\kos.exe, PE32 22->134 dropped 208 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->208 38 tuc19.exe 2 22->38         started        41 kos.exe 14 4 22->41         started        210 Multi AV Scanner detection for dropped file 26->210 212 Detected unpacking (changes PE section rights) 26->212 214 Contains functionality to inject code into remote processes 26->214 216 Injects a PE file into a foreign processes 26->216 44 toolspub2.exe 26->44         started        136 C:\Users\user\AppData\Local\...\Install.exe, PE32 28->136 dropped 47 Install.exe 4 28->47         started        49 conhost.exe 30->49         started        138 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 36->138 dropped 140 C:\Windows\System32\drivers\etc\hosts, ASCII 36->140 dropped 218 Detected unpacking (overwrites its own PE header) 36->218 220 Suspicious powershell command line found 36->220 222 Found Tor onion address 36->222 224 2 other signatures 36->224 51 powershell.exe 36->51         started        signatures9 process10 dnsIp11 142 C:\Users\user\AppData\Local\...\tuc19.tmp, PE32 38->142 dropped 53 tuc19.tmp 38->53         started        166 iplogger.com 148.251.234.93, 443, 49737 HETZNER-ASDE Germany 41->166 228 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 44->228 230 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 44->230 232 Maps a DLL or memory area into another process 44->232 236 2 other signatures 44->236 57 explorer.exe 44->57 injected 144 C:\Users\user\AppData\Local\...\Install.exe, PE32 47->144 dropped 234 Multi AV Scanner detection for dropped file 47->234 60 Install.exe 10 47->60         started        62 conhost.exe 51->62         started        file12 signatures13 process14 dnsIp15 114 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 53->114 dropped 116 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 53->116 dropped 118 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 53->118 dropped 130 22 other files (19 malicious) 53->130 dropped 182 Uses schtasks.exe or at.exe to add and modify task schedules 53->182 64 wDVDTools.exe 53->64         started        67 wDVDTools.exe 53->67         started        81 2 other processes 53->81 168 100acresclub.com 103.53.42.238, 443, 49793 PUBLIC-DOMAIN-REGISTRYUS India 57->168 170 colisumy.com 211.119.84.112, 49770, 49778, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 57->170 172 host-host-file8.com 95.214.26.34, 49760, 49762, 49771 CMCSUS Germany 57->172 120 C:\Users\user\AppData\Roaming\thtegtw, PE32 57->120 dropped 122 C:\Users\user\AppData\Local\Temp\6DF4.exe, PE32 57->122 dropped 124 C:\Users\user\AppData\Local\Temp\4144.exe, PE32 57->124 dropped 184 System process connects to network (likely due to code injection or exploit) 57->184 186 Benign windows process drops PE files 57->186 188 Suspicious powershell command line found 57->188 190 Hides that the sample has been downloaded from the Internet (zone.identifier) 57->190 70 cmd.exe 57->70         started        73 cmd.exe 57->73         started        75 powershell.exe 57->75         started        126 C:\Users\user\AppData\Local\...\qDlxRlZ.exe, PE32 60->126 dropped 128 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 60->128 dropped 192 Multi AV Scanner detection for dropped file 60->192 194 Uses cmd line tools excessively to alter registry or file data 60->194 196 Modifies Windows Defender protection settings 60->196 198 2 other signatures 60->198 77 forfiles.exe 60->77         started        79 forfiles.exe 60->79         started        83 5 other processes 60->83 file16 signatures17 process18 dnsIp19 112 C:\ProgramData\CoreArchive\CoreArchive.exe, PE32 64->112 dropped 162 195.154.241.165, 1074, 49940, 49992 OnlineSASFR France 67->162 164 eduxuyo.ua 185.141.63.172, 49804, 49805, 49806 BELCLOUDBG Bulgaria 67->164 200 Uses powercfg.exe to modify the power settings 70->200 202 Modifies power options to not sleep / hibernate 70->202 96 6 other processes 70->96 98 5 other processes 73->98 85 conhost.exe 75->85         started        204 Modifies Windows Defender protection settings 77->204 206 Adds extensions / path to Windows Defender exclusion list 77->206 87 cmd.exe 77->87         started        90 conhost.exe 77->90         started        92 cmd.exe 79->92         started        94 conhost.exe 79->94         started        100 2 other processes 81->100 102 4 other processes 83->102 file20 signatures21 process22 signatures23 226 Uses cmd line tools excessively to alter registry or file data 87->226 104 reg.exe 87->104         started        106 reg.exe 87->106         started        108 reg.exe 92->108         started        110 reg.exe 92->110         started        process24
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c99fe181f72e4484c5de24d3edd0e51641dcb8cd6f24fc2b2b05ce1ef2b4220d
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 12:15:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:smokeloader family:xmrig botnet:up3 backdoor discovery dropper evasion loader miner persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/231025-pexnpshd6s/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c99fe181f72e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c99fe181f72e4484c5de24d3edd0e51641dcb8cd6f24fc2b2b05ce1ef2b4220d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:crime_ZZ_botnet_aicm
Create hunting rule
Author:imp0rtp3
Description:DDoS Golang Botnet sample for linux called 'aicm'
Reference:https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:msil_rc4
Create hunting rule
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shortloader
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:ShortLoader Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UroburosVirtualBoxDriver
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2722940/

Comments