MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf14f4abcf042298b59bcfb17035fbd3fcad5fcd7b5d3969b9eea24f70853add. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf14f4abcf042298b59bcfb17035fbd3fcad5fcd7b5d3969b9eea24f70853add
SHA3-384 hash: 61bafe69326a1569b146df66ac8e89b9822ac35cc77c4aa7d1c0823735f00cbafe1efb340bff7336f439a39b9117e3b7
SHA1 hash: c072830a71dafa0ad3d4f391dd9bc268cfca3d2c
MD5 hash: e378a01869a371d579f14129b6ef6c7b
humanhash: william-eleven-quebec-oscar
File name:e378a01869a371d579f14129b6ef6c7b
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:256'512 bytes
First seen:2022-04-05 07:04:02 UTC
Last seen:2022-04-05 08:07:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 25245420ce2e5010c32179ae5d5b5793 (4 x Loki, 2 x Tofsee, 2 x RedLineStealer)
ssdeep 6144:7YvHxOP49p43IXE0fvxMK7VKp7qeQposbK:7Yo49pMIXJpMKI72po
Threatray 7'065 similar samples on MalwareBazaar
TLSH T1E4447D10BB90C035F5B712F859B99368B93E7AB05B3494CBA7D51AEA46347E0EC3131B
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/260859/
Detection(s):
Win.Dropper.Tofsee-9942707-0
Create hunting rule

Win.Dropper.LokiBot-9942830-0
Create hunting rule

Win.Packed.Pwsx-9943145-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12669/overview
Behaviour
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed ransomware
Link:
https://www.filescan.io/uploads/624bea2240ce5db9f40ba577/reports/e8f1b662-c83e-4178-8e94-11b6ee78721e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b91a8ed-a83c-4d55-809a-7a3e86635b9b
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970630
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 603118 Sample: QArGPNhIKL Startdate: 05/04/2022 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected SmokeLoader 2->41 43 3 other signatures 2->43 7 QArGPNhIKL.exe 2->7         started        10 bsgidwt 2->10         started        process3 signatures4 53 Detected unpacking (changes PE section rights) 7->53 55 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->55 57 Maps a DLL or memory area into another process 7->57 59 Creates a thread in another existing process (thread injection) 7->59 12 explorer.exe 3 7->12 injected 61 Multi AV Scanner detection for dropped file 10->61 63 Machine Learning detection for dropped file 10->63 65 Checks if the current machine is a virtual machine (disk enumeration) 10->65 process5 dnsIp6 35 eyecosl.top 95.213.216.225, 49792, 49794, 80 SELECTELRU Russian Federation 12->35 27 C:\Users\user\AppData\Roaming\bsgidwt, PE32 12->27 dropped 29 C:\Users\user\...\bsgidwt:Zone.Identifier, ASCII 12->29 dropped 67 Benign windows process drops PE files 12->67 69 Injects code into the Windows Explorer (explorer.exe) 12->69 71 Deletes itself after installation 12->71 73 2 other signatures 12->73 17 explorer.exe 8 12->17         started        21 explorer.exe 12->21         started        23 explorer.exe 12->23         started        25 5 other processes 12->25 file7 signatures8 process9 dnsIp10 31 eyecosl.top 17->31 33 192.168.2.1 unknown unknown 17->33 45 System process connects to network (likely due to code injection or exploit) 17->45 47 Found evasive API chain (may stop execution after checking mutex) 17->47 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->49 51 4 other signatures 17->51 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf14f4abcf042298b59bcfb17035fbd3fcad5fcd7b5d3969b9eea24f70853add/
Threat name:
Win32.Trojan.Mikey
Create hunting rule
Status:
Malicious
First seen:
2022-04-05 07:05:06 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4kpjk6paqrjrnm3z6yxanp32p6k2x6npnots2nz52re64efhloq._file
Verdict:
malicious
Similar samples:
49c7ce5e90b5bce33ac0ea6f02d309e030e81462e290e83403048822e52b1500
Smoke Loader
780aee300d0f8eba4233484b475aa6a0109e40d0bec49d1d7fd4435846ca6608
Smoke Loader
7a71c46f5f6f27776603ee0de69e6eb83364942d8af0c16f5b54c14d7faba136
Smoke Loader
808a1353be2e23a511c577b86ca5c2e37ee4a30d8b5abde669e7cc2f9d91d5e2
Smoke Loader
cc15573c85379c9dd96f926c62a62f402a95052ed65b616daf881e0dae9ee674
Smoke Loader
cdcb92f83216720f2d567392a6a4d9bc1b90b3f900b783934a402d310ae5ff46
Smoke Loader
dfd82ea53bb1196fc2e079063358063b524142778c754259045e4541c60d7c1d
Smoke Loader
e32a6751ec994ba114bc9f7b5802ccb7db09d60d70e41d937c17553b42ed2e5a
Smoke Loader
+ 7'055 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220405-hvzdxabaa8/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
SmokeLoader
Malware Config
C2 Extraction:
http://eyecosl.top/
http://bullions.top/
Unpacked files
SH256 hash:
213013bc9d127ace49c7cbb6dbddd5bffd184ab487867f42f4bcdd3265f55b7d
MD5 hash:
0d9079b1926bbdb841ddfdf4d87e850d
SHA1 hash:
d82b73f9bd6babb8159ea9748613ac3f6da085bc
Link:
https://www.unpac.me/results/3cf323bb-8406-4eca-a979-c5873d363bd7/
SH256 hash:
cf14f4abcf042298b59bcfb17035fbd3fcad5fcd7b5d3969b9eea24f70853add
MD5 hash:
e378a01869a371d579f14129b6ef6c7b
SHA1 hash:
c072830a71dafa0ad3d4f391dd9bc268cfca3d2c
Link:
https://www.unpac.me/results/3cf323bb-8406-4eca-a979-c5873d363bd7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf14f4abcf042298b59bcfb17035fbd3fcad5fcd7b5d3969b9eea24f70853add

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe cf14f4abcf042298b59bcfb17035fbd3fcad5fcd7b5d3969b9eea24f70853add

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/260859/
  
URLhaus
https://urlhaus.abuse.ch/url/2132322/

Comments


Avatar
zbet commented on 2022-04-05 07:04:10 UTC

url : hxxp://198.12.127.228/365cloud/.win32.exe