MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf1fb9950ced59966ffb235f4a8247c23075d44a09eb0c354f9183585a4faea3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments

SHA256 hash:	cf1fb9950ced59966ffb235f4a8247c23075d44a09eb0c354f9183585a4faea3
SHA3-384 hash:	3886fde5a260559ef4b6e670a995ce117a03f60f9396dcce2e702bcca1ed8a66b6816b92a7e6a1e6a5ee9e61d9afc0c2
SHA1 hash:	591552ddd98a777c905278056ae42b3f7c1869c9
MD5 hash:	80263288689bcb49541b304383f200bb
humanhash:	spring-orange-ack-butter
File name:	04121999.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	298'496 bytes
First seen:	2023-05-27 17:59:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	82b2bd7dc938b719df57a6b2df186152 (2 x Smoke Loader, 1 x TeamBot, 1 x Stop)
ssdeep	3072:5ZV2d0h6e7c5BdoifQugY4FAdQXkQPG3kA8uzAnINIbt5QaGvASizY:572d47jSQuP4QQXkQPG3kA8KrNrau
Threatray	6'085 similar samples on MalwareBazaar
TLSH	T14D543B03D6E2FC52ED664A728E2FD6FC761EF5548E19776A22186B1F04702B2C173722
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0283024a2a022200 (1 x Smoke Loader)
Reporter	Neiki
Tags:	Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

04121999.exe

Verdict:

Malicious activity

Analysis date:

2023-05-27 18:00:25 UTC

Tags:

loader smoke trojan rat stealer avemaria warzone

Link:

https://app.any.run/tasks/836bad39-171f-4485-9d97-77a8d77d5d26

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/392615/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Sending an HTTP POST request

Creating a file

Connecting to a non-recommended domain

Creating a file in the Windows subdirectories

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/88253/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

86%

Tags:

greyware packed xpack

Link:

https://www.filescan.io/uploads/6472454b176c70296c393642/reports/3b7d1d82-c052-459d-9da5-cd56c475d007/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/cf1fb9950ced59966ffb235f4a8247c23075d44a09eb0c354f9183585a4faea3

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ce5fa2e8-0497-4427-ad96-2448ad379e76

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1243855

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf1fb9950ced59966ffb235f4a8247c23075d44a09eb0c354f9183585a4faea3/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-05-27 18:00:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z4p3tfim5vmzm373enpuvashyiyhlvckbhvqynkpsgbvqwspv2rq._file

Verdict:

malicious

Smoke Loader

2a8c393b39ceaa973f5b3fa6f1a43d93c50d3d9815076e7a831e3e06854900ba

Smoke Loader

68d403a9771f35c951d7fdefb578f3cddc1789760fd5e381060c96e2ba15a8fd

Smoke Loader

694f253c98856f3398062575a4ada04df3f50090b3cd66eda8044cd13645ac4b

Smoke Loader

928d21976ae7548e274f9d738805e7ae9f250397f70bc56d82f9ccfc1ed7dd3e

Smoke Loader

9efe10a206ba1326c1d75b3e41df36c4bfc25d090b0d3d2c74f762587c70a39d

Smoke Loader

c576b3a87ac07ff38f4dcbd14561186361b38cff36fa2f08b99ed4be80d3313a

Smoke Loader

e88173448664121ca9f43d08897218b6afcd00309aff754e5d9e2a9e8e5e4bdc

Smoke Loader

ebbbcddcc71eb168df549650ca4595b33d97f39c16c9b475a9fbdd11eea8fe7f

Smoke Loader

efaab91dcc9f31617e0d512545a3be360eaa320701d1e2d686e430647ffb11b9

Smoke Loader

+ 6'075 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader botnet:pub1 backdoor trojan

Link:

https://tria.ge/reports/230527-wla7lscf35/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetThreadContext

SmokeLoader

Malware Config

C2 Extraction:

http://host-file-host6.com/
http://host-host-file8.com/

Gathering data

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cf1fb9950ced/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf1fb9950ced59966ffb235f4a8247c23075d44a09eb0c354f9183585a4faea3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.