MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cccc4690ace16e44f44473c2df179b5b17e27f863b33abda126199014cb224d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cccc4690ace16e44f44473c2df179b5b17e27f863b33abda126199014cb224d8
SHA3-384 hash: f73dcbe77d309a34b562804565bf05bb3148e2d4f0682310cbaad25ca79e0a52ba0256ae867c51860c6aa37f1143f061
SHA1 hash: 991ffa6fae12e521118bf1800fb9d534037c04fc
MD5 hash: 65acbf192ddef924085504f07e559ad7
humanhash: pluto-arkansas-lake-utah
File name:SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:437'248 bytes
First seen:2023-11-09 03:19:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:/8rkefAW3HZ4V0Kfhv/4u+EOeMKuCQ0Ftpw+TaT0e145Ep/rQTm1:HOGx/HkHKDJ3aT0K4gMT
Threatray 3 similar samples on MalwareBazaar
TLSH T1BA94D0AFAAE0AD1AC9F768354E267D561939C9D30A30D3959F8BA33C25070D382C573D
TrID 30.6% (.SCR) Windows screen saver (13097/50/3)
24.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
323
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Running batch commands
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Forced shutdown of a system process
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed remote
Link:
https://www.filescan.io/uploads/654c4fe4993fbf888b6b6e3f/reports/c7b22f15-e24c-4da8-a5d0-2dde9386e0cb/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/cccc4690ace16e44f44473c2df179b5b17e27f863b33abda126199014cb224d8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cca0852-bb78-4cb5-a1ad-2ff017650772
Result
Threat name:
RedLine, SmokeLoader, onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1339452
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1339452 Sample: SecuriteInfo.com.IL.Trojan.... Startdate: 09/11/2023 Architecture: WINDOWS Score: 100 150 Multi AV Scanner detection for domain / URL 2->150 152 Found malware configuration 2->152 154 Malicious sample detected (through community Yara rule) 2->154 156 17 other signatures 2->156 9 SecuriteInfo.com.IL.Trojan.MSILZilla.30386.95.11942.exe 2 4 2->9         started        12 cmd.exe 2->12         started        14 svchost.exe 2->14         started        17 cmd.exe 2->17         started        process3 dnsIp4 206 Adds a directory exclusion to Windows Defender 9->206 208 Disables UAC (registry) 9->208 19 CasPol.exe 15 266 9->19         started        24 powershell.exe 21 9->24         started        26 5CW2BJQAX4gaOjnCwIVMOmYF.exe 12->26         started        28 conhost.exe 12->28         started        146 23.48.146.5 AKAMAI-ASN1EU United States 14->146 148 127.0.0.1 unknown unknown 14->148 30 conhost.exe 17->30         started        signatures5 process6 dnsIp7 136 179.61.12.110 TECNOWEBPERUSACPE Chile 19->136 138 85.209.11.204 SYNGB Russian Federation 19->138 140 16 other IPs or domains 19->140 96 C:\Users\...\xfPM0RXfmZkOgpksPoKz3bH3.exe, PE32 19->96 dropped 98 C:\Users\...\wafo9iHVtBSPrSqabW6dN6nu.exe, PE32 19->98 dropped 100 C:\Users\...\twu5BL5skqvVU0AmtSBhlCUY.exe, PE32+ 19->100 dropped 102 235 other malicious files 19->102 dropped 186 Drops script or batch files to the startup folder 19->186 188 Creates HTML files with .exe extension (expired dropper behavior) 19->188 32 UORHDlPnqNxngaeSQJvLr9tZ.exe 19->32         started        37 iXXu7KHsCCyr8UF5taGiS6JA.exe 19->37         started        39 ZgEamomyC80vmKocqT3Qy334.exe 19->39         started        43 11 other processes 19->43 41 conhost.exe 24->41         started        190 Antivirus detection for dropped file 26->190 192 Multi AV Scanner detection for dropped file 26->192 194 Machine Learning detection for dropped file 26->194 196 2 other signatures 26->196 file8 signatures9 process10 dnsIp11 122 87.240.132.72 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 32->122 124 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 32->124 130 12 other IPs or domains 32->130 78 C:\Users\...\z4vljWTEnJzptVzgsvDqaFsE.exe, PE32 32->78 dropped 80 C:\Users\...\yMOUqR5VNPrJ69oP2m7lM8Oe.exe, PE32 32->80 dropped 82 C:\Users\...\swbGcdRBX5qoUFaZa8p_Dtsk.exe, PE32+ 32->82 dropped 92 11 other malicious files 32->92 dropped 158 Query firmware table information (likely to detect VMs) 32->158 160 Creates HTML files with .exe extension (expired dropper behavior) 32->160 162 Disables Windows Defender (deletes autostart) 32->162 178 6 other signatures 32->178 126 107.167.110.217 OPERASOFTWAREUS United States 37->126 132 6 other IPs or domains 37->132 84 Opera_installer_2311090321213943836.dll, PE32 37->84 dropped 86 C:\Users\user\AppData\Local\...\opera_package, PE32 37->86 dropped 94 4 other malicious files 37->94 dropped 45 iXXu7KHsCCyr8UF5taGiS6JA.exe 37->45         started        48 iXXu7KHsCCyr8UF5taGiS6JA.exe 37->48         started        50 iXXu7KHsCCyr8UF5taGiS6JA.exe 37->50         started        164 Detected unpacking (changes PE section rights) 39->164 166 Detected unpacking (overwrites its own PE header) 39->166 168 Contains functionality to inject code into remote processes 39->168 170 Injects a PE file into a foreign processes 39->170 52 ZgEamomyC80vmKocqT3Qy334.exe 39->52         started        128 149.154.167.99 TELEGRAMRU United Kingdom 43->128 134 2 other IPs or domains 43->134 88 Opera_installer_2311090321322917824.dll, PE32 43->88 dropped 90 C:\Users\...\CCZNCP0sIQUBvxAM9626DvpH.exe, PE32 43->90 dropped 172 Tries to detect sandboxes and other dynamic analysis tools (window names) 43->172 174 Found evasive API chain (may stop execution after checking computer name) 43->174 176 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->176 180 3 other signatures 43->180 55 xfPM0RXfmZkOgpksPoKz3bH3.exe 43->55         started        58 AppLaunch.exe 43->58         started        60 ouLDREHTusKqL1TfoK6mD9NR.exe 43->60         started        62 2 other processes 43->62 file12 signatures13 process14 dnsIp15 104 Opera_installer_2311090321239637368.dll, PE32 45->104 dropped 64 iXXu7KHsCCyr8UF5taGiS6JA.exe 45->64         started        106 Opera_installer_2311090321219296204.dll, PE32 48->106 dropped 108 Opera_installer_2311090321227397248.dll, PE32 50->108 dropped 142 142.250.217.78 GOOGLEUS United States 52->142 144 172.217.14.225 GOOGLEUS United States 52->144 110 C:\Users\user\AppData\...\2975319304.exe, PE32 52->110 dropped 112 C:\Users\user\AppData\Local\...\s51[1], PE32 52->112 dropped 114 C:\Users\user\AppData\Local\...\s51[1], PE32 52->114 dropped 198 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 55->198 200 Maps a DLL or memory area into another process 55->200 202 Checks if the current machine is a virtual machine (disk enumeration) 55->202 204 Creates a thread in another existing process (thread injection) 55->204 67 dialer.exe 58->67         started        70 WerFault.exe 58->70         started        116 C:\Users\user\AppData\...\4590781922.exe, PE32 60->116 dropped 118 C:\Users\user\AppData\Local\...\s51[1], PE32 60->118 dropped 120 Opera_installer_2311090321345997884.dll, PE32 62->120 dropped 72 WerFault.exe 62->72         started        74 Conhost.exe 62->74         started        file16 signatures17 process18 file19 76 Opera_installer_2311090321245227512.dll, PE32 64->76 dropped 182 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 67->182 184 Checks if the current machine is a virtual machine (disk enumeration) 67->184 signatures20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cccc4690ace16e44f44473c2df179b5b17e27f863b33abda126199014cb224d8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cccc4690ace16e44f44473c2df179b5b17e27f863b33abda126199014cb224d8/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-11-09 03:20:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztgenefm4fxej5ceopbn6f43lml6e74ghmz2xwqsmgmqctfsetma._file
Verdict:
malicious
Similar samples:
0a83d0d2312389ef06b761afdbbc213888ebba51bcd41ef53d532485e1bc0600
Smoke Loader
3dc6359da570fe22bb978572f80c64c540f1d3f68db732953ce8aec2586a6d36
Smoke Loader
9cd45c2dec3640ea0a345bbe5f21987485e91a2ab5cb605b0f30a741d2cb7b38
Smoke Loader
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:privateloader family:smokeloader botnet:pub1 backdoor discovery dropper evasion loader themida trojan upx
Link:
https://tria.ge/reports/231109-dvra3sgf36/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Themida packer
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Glupteba
Glupteba payload
PrivateLoader
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
31f3b32a7faf43c93b36d2ac7761fc597e6efb5c99520b181e2ee43764b994a3
MD5 hash:
ce4f84a4225ecf319d9bc0a39eefd799
SHA1 hash:
1c8ca6900a0d8fa110898c9a3a47d93bcf2f6a38
Link:
https://www.unpac.me/results/676935cc-b099-496f-8263-10296ec03a30/
SH256 hash:
cccc4690ace16e44f44473c2df179b5b17e27f863b33abda126199014cb224d8
MD5 hash:
65acbf192ddef924085504f07e559ad7
SHA1 hash:
991ffa6fae12e521118bf1800fb9d534037c04fc
Link:
https://www.unpac.me/results/676935cc-b099-496f-8263-10296ec03a30/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cccc4690ace1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cccc4690ace16e44f44473c2df179b5b17e27f863b33abda126199014cb224d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe cccc4690ace16e44f44473c2df179b5b17e27f863b33abda126199014cb224d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2728931/
  
Delivery method
Distributed via web download

Comments