MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfff129e77416c81657499a1aa091ff549ee037ef6b4783495a37f7891b87970. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfff129e77416c81657499a1aa091ff549ee037ef6b4783495a37f7891b87970
SHA3-384 hash: 0fcfd2e8293e14386abb3f0bd4c63c28bb4e3623531a359948256a86d103d5e52768e5787c04e8d491bfee3ecc449cd9
SHA1 hash: 176166d573b26976dcf05352f32b3dc8ddaf8313
MD5 hash: 8619747c82aca5f02e097ec939317c2e
humanhash: island-hydrogen-steak-bakerloo
File name:08241599.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:298'496 bytes
First seen:2023-05-27 18:01:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 82b2bd7dc938b719df57a6b2df186152 (2 x Smoke Loader, 1 x TeamBot, 1 x Stop)
ssdeep 3072:M4xGZqhdP78PNv5SSZu71AUl6Sj/OKfj3hXKU8bt5QoGvAxfY:VGZQ7CNv5XU71PzOKL3M4o
Threatray 55 similar samples on MalwareBazaar
TLSH T14F543B1396F2FC54ED664A728E2FC6FC761EF5509E19776A2218AE1F04706B2C173322
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0229020400422a00 (1 x Smoke Loader)
Reporter Neiki
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
08241599.exe
Verdict:
Malicious activity
Analysis date:
2023-05-27 18:03:25 UTC
Tags:
loader smoke trojan ransomware stop stealer vidar arkei
Link:
https://app.any.run/tasks/c203009d-7f8b-4d17-8fa7-d490961b2d05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392624/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Launching the default Windows debugger (dwwin.exe)
Searching for synchronization primitives
Creating a file
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed xpack
Link:
https://www.filescan.io/uploads/647246c85724d77566df3b94/reports/8e6f2704-3567-468d-856a-b689a3b1f4e2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cfff129e77416c81657499a1aa091ff549ee037ef6b4783495a37f7891b87970
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9524d9c5-bdb0-4f0a-8ab2-60cfbeb43446
Result
Threat name:
Amadey, Babuk, Clipboard Hijacker, Djvu,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243857
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadey bot
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876867 Sample: 08241599.exe Startdate: 27/05/2023 Architecture: WINDOWS Score: 100 93 zexeq.com 2->93 95 colisumy.com 2->95 97 2 other IPs or domains 2->97 123 Snort IDS alert for network traffic 2->123 125 Found malware configuration 2->125 127 Malicious sample detected (through community Yara rule) 2->127 129 16 other signatures 2->129 12 08241599.exe 2->12         started        15 fcjdurd 2->15         started        17 F274.exe 2->17         started        signatures3 process4 signatures5 163 Detected unpacking (changes PE section rights) 12->163 165 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->165 167 Maps a DLL or memory area into another process 12->167 19 explorer.exe 13 54 12->19 injected 169 Multi AV Scanner detection for dropped file 15->169 171 Checks if the current machine is a virtual machine (disk enumeration) 15->171 173 Creates a thread in another existing process (thread injection) 15->173 175 Detected unpacking (overwrites its own PE header) 17->175 177 Injects a PE file into a foreign processes 17->177 24 F274.exe 17->24         started        process6 dnsIp7 99 toobussy.com 19->99 101 201.124.33.177 UninetSAdeCVMX Mexico 19->101 105 13 other IPs or domains 19->105 71 C:\Users\user\AppData\Roaming\hgjdurd, PE32 19->71 dropped 73 C:\Users\user\AppData\Roaming\fcjdurd, PE32 19->73 dropped 75 C:\Users\user\AppData\Local\Temp\F274.exe, PE32 19->75 dropped 77 19 other malicious files 19->77 dropped 131 System process connects to network (likely due to code injection or exploit) 19->131 133 Benign windows process drops PE files 19->133 135 Deletes itself after installation 19->135 137 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->137 26 F274.exe 19->26         started        29 360A.exe 19->29         started        31 5F15.exe 19->31         started        33 8 other processes 19->33 103 api.2ip.ua 24->103 file8 signatures9 process10 signatures11 139 Multi AV Scanner detection for dropped file 26->139 141 Detected unpacking (changes PE section rights) 26->141 143 Detected unpacking (overwrites its own PE header) 26->143 145 Writes a notice file (html or txt) to demand a ransom 26->145 35 F274.exe 1 15 26->35         started        147 Machine Learning detection for dropped file 29->147 149 Injects a PE file into a foreign processes 29->149 39 360A.exe 29->39         started        151 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 31->151 153 Maps a DLL or memory area into another process 31->153 155 Checks if the current machine is a virtual machine (disk enumeration) 31->155 157 Sample uses process hollowing technique 33->157 159 Creates a thread in another existing process (thread injection) 33->159 41 7682.exe 12 33->41         started        43 F274.exe 33->43         started        45 35F.exe 33->45         started        47 3 other processes 33->47 process12 dnsIp13 79 C:\Users\user\AppData\Local\...\F274.exe, PE32 35->79 dropped 49 F274.exe 35->49         started        52 icacls.exe 35->52         started        54 360A.exe 39->54         started        107 api.2ip.ua 162.0.217.254, 443, 49714, 49718 ACPCA Canada 41->107 file14 process15 signatures16 121 Injects a PE file into a foreign processes 49->121 56 F274.exe 49->56         started        61 360A.exe 54->61         started        process17 dnsIp18 109 zexeq.com 84.224.88.101, 49735, 49739, 80 PGSM-HUTorokbalintHungaryHU Hungary 56->109 111 210.182.29.70, 49733, 49746, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 56->111 117 2 other IPs or domains 56->117 81 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 56->81 dropped 83 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 56->83 dropped 85 C:\Users\user\AppData\Local\...\build3.exe, PE32 56->85 dropped 91 6 other malicious files 56->91 dropped 161 Modifies existing user documents (likely ransomware behavior) 56->161 63 build2.exe 56->63         started        66 build3.exe 56->66         started        113 187.245.185.123, 49737, 80 MegaCableSAdeCVMX Mexico 61->113 115 colisumy.com 61->115 119 2 other IPs or domains 61->119 87 C:\Users\user\AppData\Local\...\build3.exe, PE32 61->87 dropped 89 C:\Users\user\AppData\Local\...\build2.exe, PE32 61->89 dropped file19 signatures20 process21 file22 179 Multi AV Scanner detection for dropped file 63->179 181 Machine Learning detection for dropped file 63->181 183 Sample uses process hollowing technique 63->183 185 Injects a PE file into a foreign processes 63->185 69 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 66->69 dropped 187 Antivirus detection for dropped file 66->187 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfff129e77416c81657499a1aa091ff549ee037ef6b4783495a37f7891b87970/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-05-27 18:02:07 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z77rfhtxifwiczlutgq2uci76ve64a36622hqnevun7xrenypfya._file
Verdict:
malicious
Similar samples:
0d3ef6b4cf3172125dc208808d24392b8a3ff9a55b00b86608c3bc692cd15cec
Smoke Loader
259ada903b39beb613b1a24d73f6cee28cbd725fa11a3dc45c3fde6687a7a8f1
Smoke Loader
41b4ef28bcb4fcca37c63f3c34d9a40236c49fd7a49b5f41952ece56cda836e0
Smoke Loader
9c995cae1ea620bc32da91ac6d20234493c51bcc4e5fdea5521b70882212a5c3
Smoke Loader
a5b31ba24b4f2fff4a559084e8efe01a379ccd53ef0368656d2ba9d198e16466
Smoke Loader
c5b4a032661a477c9397cf02cf946a3d321099bd876fd29f5352335b67f9a564
Smoke Loader
cb7b2ae51a3cde01e9b5adb92aa9262ceb6fb9b499061b921550805dc1670419
Smoke Loader
cd5c8ed82f61855b377e3c59bad6edd1844bc5b46c21715969063a3e5befe2f5
Smoke Loader
cf1fb9950ced59966ffb235f4a8247c23075d44a09eb0c354f9183585a4faea3
Smoke Loader
ef0400469910cc9285bf258af7f59f93c3bc73a129685c51019be5cbefd5e9cd
Smoke Loader
+ 45 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 botnet:summ backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230527-wmftgscf42/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
45.9.74.80/0bjdn2Z/index.php
Gathering data
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cfff129e7741/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfff129e77416c81657499a1aa091ff549ee037ef6b4783495a37f7891b87970

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe cfff129e77416c81657499a1aa091ff549ee037ef6b4783495a37f7891b87970

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2479364/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/392624/

Comments