MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f099192fa0abddedf802c4f4968271608f0d8b7c659a0defc95080120ce2192d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f099192fa0abddedf802c4f4968271608f0d8b7c659a0defc95080120ce2192d
SHA3-384 hash: 35bc4d9432bc415aff570b56694e2cc44d91ee8f04c72e34c40cfdd9cc79d79d43937323900e34d2399e2d6e2d560162
SHA1 hash: 82743740843d6539fd4b823b7313109dea2d347e
MD5 hash: 750c7c761a2ae2ab39d79e33c8c60bdf
humanhash: indigo-south-item-speaker
File name:04868699.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:288'256 bytes
First seen:2023-05-28 17:51:49 UTC
Last seen:2023-05-28 18:24:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 96475f7ea3cc105ae1bb971e987af868 (2 x Smoke Loader, 2 x Rhadamanthys, 1 x Stealc)
ssdeep 3072:IuXk2KAESkD72nSGyz3SJXNRVHNzBsES/ltInlLXkfUPdKU085T+wGkQ:VXkHSkD72nZXjzGFElLXeIdLxm
Threatray 1'898 similar samples on MalwareBazaar
TLSH T1ED54171392E13D54E9364A729F2FE7F87A1EF2508F497BA916189E2F04B03B2C163715
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4313021212022202 (1 x Smoke Loader)
Reporter Neiki
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
04868699.exe
Verdict:
Malicious activity
Analysis date:
2023-05-28 17:53:21 UTC
Tags:
loader smoke trojan ransomware stop
Link:
https://app.any.run/tasks/b00109ab-03d4-4ace-ac78-939db976bb30

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392824/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a window
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/647394ca0ebba81a83d0a9fc/reports/f8de1e8c-3185-429d-abf5-8f8a49238fa7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f099192fa0abddedf802c4f4968271608f0d8b7c659a0defc95080120ce2192d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bb6f0c9-aa0f-4167-ab0c-f05a8daa756e
Result
Threat name:
Amadey, Babuk, Djvu, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244062
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 877068 Sample: 04868699.exe Startdate: 28/05/2023 Architecture: WINDOWS Score: 100 103 zexeq.com 2->103 105 shsplatform.co.uk 2->105 107 2 other IPs or domains 2->107 129 Snort IDS alert for network traffic 2->129 131 Multi AV Scanner detection for domain / URL 2->131 133 Found malware configuration 2->133 135 16 other signatures 2->135 11 04868699.exe 2->11         started        14 41D7.exe 2->14         started        16 fbewjdi 2->16         started        signatures3 process4 signatures5 185 Detected unpacking (changes PE section rights) 11->185 187 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->187 189 Maps a DLL or memory area into another process 11->189 18 explorer.exe 7 31 11->18 injected 191 Multi AV Scanner detection for dropped file 14->191 193 Detected unpacking (overwrites its own PE header) 14->193 195 Machine Learning detection for dropped file 14->195 201 2 other signatures 14->201 23 41D7.exe 1 19 14->23         started        197 Checks if the current machine is a virtual machine (disk enumeration) 16->197 199 Creates a thread in another existing process (thread injection) 16->199 process6 dnsIp7 109 187.232.168.231, 49707, 49716, 80 UninetSAdeCVMX Mexico 18->109 111 222.236.49.123 SKB-ASSKBroadbandCoLtdKR Korea Republic of 18->111 119 9 other IPs or domains 18->119 67 C:\Users\user\AppData\Roaming\fbewjdi, PE32 18->67 dropped 69 C:\Users\user\AppData\Roaming\auewjdi, PE32 18->69 dropped 71 C:\Users\user\AppData\Local\Temp\FBA9.exe, PE32 18->71 dropped 79 10 other malicious files 18->79 dropped 137 System process connects to network (likely due to code injection or exploit) 18->137 139 Benign windows process drops PE files 18->139 141 Deletes itself after installation 18->141 143 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->143 25 94F4.exe 18->25         started        29 41D7.exe 18->29         started        31 FBA9.exe 18->31         started        33 8 other processes 18->33 113 zexeq.com 187.224.116.144, 49719, 80 UninetSAdeCVMX Mexico 23->113 115 192.168.2.1 unknown unknown 23->115 117 api.2ip.ua 23->117 73 C:\Users\user\_readme.txt, ASCII 23->73 dropped 75 C:\Users\user\Desktop\...75IRMEKAMZH.png, data 23->75 dropped 77 C:\Users\user\Desktop\...\BXAJUJAOEO.xlsx, data 23->77 dropped 81 2 other malicious files 23->81 dropped 145 Modifies existing user documents (likely ransomware behavior) 23->145 file8 signatures9 process10 file11 95 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 25->95 dropped 97 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 25->97 dropped 99 C:\Users\user\AppData\Local\...99ewPlayer.exe, PE32 25->99 dropped 165 Antivirus detection for dropped file 25->165 167 Multi AV Scanner detection for dropped file 25->167 169 Machine Learning detection for dropped file 25->169 35 NewPlayer.exe 25->35         started        39 aafg31.exe 25->39         started        42 XandETC.exe 25->42         started        171 Detected unpacking (changes PE section rights) 29->171 173 Detected unpacking (overwrites its own PE header) 29->173 175 Injects a PE file into a foreign processes 29->175 44 41D7.exe 1 15 29->44         started        46 Conhost.exe 29->46         started        177 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 31->177 179 Maps a DLL or memory area into another process 31->179 181 Checks if the current machine is a virtual machine (disk enumeration) 31->181 183 Creates a thread in another existing process (thread injection) 31->183 48 3E58.exe 33->48         started        50 ABD4.exe 33->50         started        52 1C1E.exe 33->52         started        54 5 other processes 33->54 signatures12 process13 dnsIp14 83 C:\Users\user\AppData\Local\...\mnolyk.exe, PE32 35->83 dropped 147 Antivirus detection for dropped file 35->147 149 Multi AV Scanner detection for dropped file 35->149 151 Machine Learning detection for dropped file 35->151 56 mnolyk.exe 35->56         started        121 jp.imgjeoighw.com 103.100.211.218, 49727, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 39->121 123 ss.apjeoighw.com 154.221.31.191 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 39->123 127 5 other IPs or domains 39->127 153 Tries to harvest and steal browser information (history, passwords, etc) 39->153 125 api.2ip.ua 162.0.217.254, 443, 49708, 49713 ACPCA Canada 44->125 85 C:\Users\user\AppData\Local\...\41D7.exe, PE32 44->85 dropped 60 41D7.exe 44->60         started        62 icacls.exe 44->62         started        file15 signatures16 process17 file18 87 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 56->87 dropped 89 C:\...\3eef203fb515bda85f514e168abb5973.exe, PE32 56->89 dropped 91 C:\Users\user\AppData\Local\Temp\...\a03.exe, PE32 56->91 dropped 93 3 other malicious files 56->93 dropped 155 Antivirus detection for dropped file 56->155 157 Multi AV Scanner detection for dropped file 56->157 159 Creates an undocumented autostart registry key 56->159 161 Machine Learning detection for dropped file 56->161 163 Injects a PE file into a foreign processes 60->163 64 41D7.exe 60->64         started        signatures19 process20 dnsIp21 101 api.2ip.ua 64->101
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f099192fa0abddedf802c4f4968271608f0d8b7c659a0defc95080120ce2192d/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-28 17:52:09 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6cmrsl5avpo636acyt2jnatrmchq3c34mwna336jkcabedhcdewq._file
Verdict:
malicious
Similar samples:
2831300675369e6ac5d928446186f83bedc4027fe6db617039e5b224258ed0b6
Smoke Loader
35ba91ddf0d41590d0de137bc1d6e5524d8a84ecfabdae793e6b3a499f2c67d4
Smoke Loader
6a455892dc6b808ff4f012010f20ad4bbf16b881b9c235d98c85565591289012
Smoke Loader
83c4c80adbeb1d8411e49c1d14a886af6a26c9fb9827d8852d4e45e4a5f09b17
Smoke Loader
a0038a7651f4408728f4a8c7a2abe43b237fc9dc6645fa34e5c4d9c212658878
Smoke Loader
b299675e7e4654beadcaa2c38a96bf8324bbde96904ede17fdd88ebb7fdf2748
Smoke Loader
d46fec4abba46efe6663f19c2d9963a612f4ff25023c0dc6fc5bb559f106859d
Smoke Loader
+ 1'888 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230528-wfqp4sga52/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
45.9.74.80/0bjdn2Z/index.php
Gathering data
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f099192fa0ab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eternalblue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f099192fa0abddedf802c4f4968271608f0d8b7c659a0defc95080120ce2192d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe f099192fa0abddedf802c4f4968271608f0d8b7c659a0defc95080120ce2192d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2479364/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/392824/

Comments