MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3
SHA3-384 hash: b61ef54853f618f18952e532e575edf358ed680d22cc21ef1c894d99c242f25bc5556cfb613ae6dbdd32516b75138783
SHA1 hash: ca15a3ddc76363f69ad3c9123b920a687d94e41d
MD5 hash: 9a112488064fd03d4a259e0f1db9d323
humanhash: double-golf-alanine-fanta
File name:ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:403'456 bytes
First seen:2021-10-16 02:47:02 UTC
Last seen:2021-10-16 04:16:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 441ea5dabfec8fb454e631fa97f99e08 (1 x Smoke Loader)
ssdeep 12288:4zH6GrstMQ1PVNDTrQ8j+xS42uW3o/Pp60VuQ755HWT:4zVrstP1vrQ8ixSpvkPlHHW
Threatray 665 similar samples on MalwareBazaar
TLSH T118845934E201F026F4F20475AC6ED3BA69286B30675548EFF3D44E69AAB56C1E234F17
Reporter StopMalvertisin
Tags:exe kim Smoke Loader

Intelligence

File Origin
# of uploads :
3
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://free4pc.org/vmware-workstation-pro-keygen/
Verdict:
Malicious activity
Analysis date:
2021-09-24 07:13:54 UTC
Tags:
trojan evasion rat redline loader stealer vidar banker dridex opendir
Link:
https://app.any.run/tasks/ec3ca9a6-15c3-404f-aecd-127cdd1a50a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197831/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.45021.32018.14906.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/615d68fd-1bdd-4f76-b473-9036aa722457
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871423
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 503847 Sample: 5he1PBER3h.exe Startdate: 16/10/2021 Architecture: WINDOWS Score: 100 108 208.95.112.1 TUT-ASUS United States 2->108 110 198.54.121.77 NAMECHEAP-NETUS United States 2->110 112 7 other IPs or domains 2->112 126 Antivirus detection for URL or domain 2->126 128 Antivirus detection for dropped file 2->128 130 Multi AV Scanner detection for dropped file 2->130 132 13 other signatures 2->132 8 5he1PBER3h.exe 19 2->8         started        13 PowerControl_Svc.exe 15 2->13         started        15 PowerControl_Svc.exe 15 2->15         started        signatures3 process4 dnsIp5 118 149.154.167.99 TELEGRAMRU United Kingdom 8->118 120 212.192.241.62 RAPMSB-ASRU Russian Federation 8->120 124 4 other IPs or domains 8->124 82 C:\Users\...\UTJTSQdX9ITDLyCRBKvHrxJ7.exe, PE32 8->82 dropped 84 C:\Users\...\AeXXqhQNJKur7teIlOrvF329.exe, PE32 8->84 dropped 86 C:\Users\user\AppData\...\Service[1].bmp, PE32 8->86 dropped 94 2 other files (1 malicious) 8->94 dropped 142 Drops PE files to the document folder of the user 8->142 144 Uses schtasks.exe or at.exe to add and modify task schedules 8->144 17 AeXXqhQNJKur7teIlOrvF329.exe 4 36 8->17         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 1 8->24         started        122 162.159.134.233 CLOUDFLARENETUS United States 13->122 88 C:\Users\user\AppData\...\Cube_WW14[1].bmp, PE32 13->88 dropped 26 VI55e98WpdT5oegSGFQuHRO1.exe 42 13->26         started        28 schtasks.exe 13->28         started        30 schtasks.exe 13->30         started        90 C:\Users\...\VI55e98WpdT5oegSGFQuHRO1.exe, PE32 15->90 dropped 92 C:\Users\user\AppData\...\Cube_WW14[2].bmp, PE32 15->92 dropped 32 VI55e98WpdT5oegSGFQuHRO1.exe 15->32         started        34 schtasks.exe 15->34         started        36 schtasks.exe 15->36         started        file6 signatures7 process8 dnsIp9 96 188.72.236.239 WEBZILLANL Netherlands 17->96 98 103.155.93.196 TWIDC-AS-APTWIDCLimitedHK unknown 17->98 106 9 other IPs or domains 17->106 58 C:\Users\...\iVdcBBY6qtXxNNDUrggwVmrj.exe, PE32 17->58 dropped 60 C:\Users\...\_SC4PFPC9R_2PunXsJJ4VhtP.exe, PE32 17->60 dropped 62 C:\Users\...\80n3Y8G8Or1WXjpsiddP09_z.exe, PE32 17->62 dropped 70 15 other files (7 malicious) 17->70 dropped 134 Creates HTML files with .exe extension (expired dropper behavior) 17->134 136 Disable Windows Defender real time protection (registry) 17->136 38 80n3Y8G8Or1WXjpsiddP09_z.exe 17->38         started        42 iVdcBBY6qtXxNNDUrggwVmrj.exe 17->42         started        44 bpDSRlL8A4F4cMJd3HjXY35m.exe 1 17->44         started        46 conhost.exe 22->46         started        48 conhost.exe 24->48         started        100 52.95.171.4 AMAZON-02US United States 26->100 64 C:\Users\user\...\search_hyperfs_209[2].exe, PE32 26->64 dropped 66 C:\Users\user\AppData\Local\...\pub3[2].exe, PE32 26->66 dropped 72 16 other files (3 malicious) 26->72 dropped 138 Detected unpacking (creates a PE file in dynamic memory) 26->138 50 conhost.exe 28->50         started        52 conhost.exe 30->52         started        102 104.21.33.184 CLOUDFLARENETUS United States 32->102 104 52.95.171.20 AMAZON-02US United States 32->104 68 C:\Users\user\...\search_hyperfs_209[1].exe, PE32 32->68 dropped 74 17 other files (4 malicious) 32->74 dropped 140 Tries to harvest and steal browser information (history, passwords, etc) 32->140 54 conhost.exe 34->54         started        56 conhost.exe 36->56         started        file10 signatures11 process12 dnsIp13 114 104.21.51.48 CLOUDFLARENETUS United States 38->114 76 C:\Users\user\AppData\Roaming\1435454.scr, PE32 38->76 dropped 116 104.21.85.99 CLOUDFLARENETUS United States 42->116 78 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 42->78 dropped 80 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 44->80 dropped file14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3/
Threat name:
Win32.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 16:39:57 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8
Smoke Loader
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
Smoke Loader
44f3c573b5d6d77d97c2ebf5d4a235da5aed3a18eb5b76ea420d262df0f3a826
Smoke Loader
4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
Smoke Loader
5f6faf0507fca9db0b364b6d4718b24eb3880054ecace3207de384e8037852b2
Smoke Loader
79d1a0d0bd8b5672374ab7c97365a6b0276efc6755900cdbdcdb77019e69457a
Smoke Loader
84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
Smoke Loader
aa9830b26f9c0db4c3da3c04a96199550b57251b56f8c4ccb922b264a24e8de1
Smoke Loader
bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7
Smoke Loader
d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
Smoke Loader
+ 655 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion spyware stealer trojan
Link:
https://tria.ge/reports/211016-c9wcxabfd7/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3
MD5 hash:
9a112488064fd03d4a259e0f1db9d323
SHA1 hash:
ca15a3ddc76363f69ad3c9123b920a687d94e41d
Link:
https://www.unpac.me/results/e26b615f-da55-4f2c-a2af-564f878f337e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/ET_Labs/status/1449110980496183300
Cape
Cape
https://www.capesandbox.com/analysis/197831/

Comments