MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b
SHA3-384 hash: d98643e52642b933a84a83a8786ef84e42eed4a8b575ba0d36d3ae480cd4a4147641aaa81375d17d0ce7913622b52ce6
SHA1 hash: 75b3bd73150caccaed78926373fe873e1a32a703
MD5 hash: 427b0cb40c5039325a96d5e0f48aba16
humanhash: six-carpet-eleven-william
File name:f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:173'056 bytes
First seen:2024-02-08 14:52:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 84afe0ab1b5a409dd53181b32a06f07f (1 x Smoke Loader)
ssdeep 3072:laLBauFa7VdmaiGtnIBBbExLQRiH5K/vrGL:ALBaHnZ6Nb
Threatray 2'392 similar samples on MalwareBazaar
TLSH T13504AF217AF1C072E6F7863059B1F6655A3FB8736BB4C18F2694172E1E322D08B26717
TrID 67.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.2% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0410123240c08000 (1 x Smoke Loader)
Reporter adrian__luca
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b.exe
Verdict:
Malicious activity
Analysis date:
2024-02-08 14:53:57 UTC
Tags:
loader smoke smokeloader stealer vidar
Link:
https://app.any.run/tasks/e169e7c7-e6b2-426e-8a03-ade1a153d650

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/475452/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Win.Ransomware.Stop-10019933-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint icedid infostealer packed redline smokeloader
Link:
https://www.filescan.io/uploads/65c4ead004c91578fab06043/reports/ad2911d2-77d3-409b-9425-44a757977527/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/05b1d041-2995-47e6-9fc0-b4142bc3cd89
Result
Threat name:
Amadey, PureLog Stealer, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1389190
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1389190 Sample: Wp6XqzqiPB.exe Startdate: 08/02/2024 Architecture: WINDOWS Score: 100 67 gxutc2c.com 2->67 69 emgvod.com 2->69 71 5 other IPs or domains 2->71 73 Snort IDS alert for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 18 other signatures 2->79 10 Wp6XqzqiPB.exe 2->10         started        13 wrgthhc 2->13         started        15 5F74.exe 2->15         started        signatures3 process4 signatures5 103 Detected unpacking (changes PE section rights) 10->103 105 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->105 107 Maps a DLL or memory area into another process 10->107 109 Creates a thread in another existing process (thread injection) 10->109 17 explorer.exe 51 10 10->17 injected 111 Multi AV Scanner detection for dropped file 13->111 113 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->113 115 Checks if the current machine is a virtual machine (disk enumeration) 13->115 22 WerFault.exe 21 16 15->22         started        process6 dnsIp7 61 gxutc2c.com 187.209.149.149, 49706, 49707, 49708 UninetSAdeCVMX Mexico 17->61 63 emgvod.com 187.211.34.223, 49717, 49728, 80 UninetSAdeCVMX Mexico 17->63 65 mmtplonline.com 103.20.213.70, 443, 49713 NETMAGIC-APNetmagicDatacenterMumbaiIN India 17->65 49 C:\Users\user\AppData\Roaming\wrgthhc, PE32 17->49 dropped 51 C:\Users\user\AppData\Local\Temp\A51A.exe, PE32 17->51 dropped 53 C:\Users\user\AppData\Local\Temp\7927.exe, PE32 17->53 dropped 55 2 other malicious files 17->55 dropped 81 System process connects to network (likely due to code injection or exploit) 17->81 83 Benign windows process drops PE files 17->83 85 Deletes itself after installation 17->85 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->87 24 7927.exe 3 17->24         started        28 5F74.exe 17->28         started        30 A51A.exe 17->30         started        file8 signatures9 process10 file11 57 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 24->57 dropped 91 Detected unpacking (changes PE section rights) 24->91 93 Detected unpacking (overwrites its own PE header) 24->93 95 Contains functionality to inject code into remote processes 24->95 32 WerFault.exe 21 24->32         started        34 WerFault.exe 24->34         started        36 WerFault.exe 24->36         started        43 6 other processes 24->43 97 Multi AV Scanner detection for dropped file 28->97 99 Contains functionality to infect the boot sector 28->99 38 WerFault.exe 3 21 28->38         started        59 C:\Users\user\AppData\Local\Temp\build.exe, PE32 30->59 dropped 101 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 30->101 40 cmd.exe 30->40         started        signatures12 process13 signatures14 89 Uses ipconfig to lookup or modify the Windows network settings 40->89 45 conhost.exe 40->45         started        47 ipconfig.exe 40->47         started        process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-28 13:31:39 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6haz4hhz6mvfvjrvbtwtlu2v4n5occg7yiejak3sy44hiqiklqnq._file
Verdict:
malicious
Similar samples:
404afd3c18b203aa9ce9f8f5f9b7a813fda0d2a322252cd28e002e142080a4f7
Smoke Loader
615b666d7dbd523685e35a7bd7abb3d93f3cf82a9bc3374be0134be716a89080
Smoke Loader
804f07bc39f1916a886c0ff54055641e124f198e66e79239bb7bf126ae1f96ae
Smoke Loader
c2c188e1268c54261a51deaee8c99af06ec604bf7e873c88e01e3b3d95e0d028
Smoke Loader
c444868d4cbbecd4c7083de14310fcc934d9e60a2c41de4a30057044acd9b962
Smoke Loader
f95b01b35d47756420ec9c626d56865c687323473b11e51f141277c746db03a0
Smoke Loader
+ 2'382 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:smokeloader botnet:pub3 backdoor spyware stealer trojan
Link:
https://tria.ge/reports/240208-r9ahrseg6x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Amadey
SmokeLoader
Malware Config
C2 Extraction:
http://gxutc2c.com/tmp/index.php
http://proekt8.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://pirateking.online/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
http://anfesq.com
http://cbinr.com
http://rimakc.ru
Unpacked files
SH256 hash:
97e4ad3db0e360c7f1fead3bd5d8ccd82c1c29351abf7f5a4d8d95c418b95d18
MD5 hash:
4b9c195e3350da2a74778c76d22bb6f5
SHA1 hash:
41cb8b7e7505483c73f5ba78f547721ce6c86864
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/2c730138-e8b1-4acd-b2a0-6d4245230271/
Parent samples :
c086815f53088951955eebb5bdd5329b57c0d7e65980cb8d6ef7b40a18c6b3d8
b996a1613f4254a630d0b3889c71e1c500be05a9c7a03ec97130ca0998009b70
97d96881923faf0f965623a5097bb5e7bd87ecce22fe496e17da1242f0fb8930
1de489805895c5c666547d588f1d762dbc28b6be48002b99e3404957ecf8fc08
5d55a06ca16a85c8189e1a25891c431bd8e36a7a007b804b94a2f29ddd69707c
c1729a5ea8f0c238e855a99db33975c7116efae61c8402999a1adc8f4661c750
7027b1ec91d52aa39f5c78d9ee8fe0a2dd7375d0f6d2e3155e31e4f175838143
30647636b3bff8dc2e7ffdd191cf3b75e43b1fc3d4793b7ed5edc8a9d512b54d
bb42b12cdcf63fc557600c06eece3855550af6c016debc06d6cd6c9a22d662e4
8226588a025ed217525e6261df8007d4e5941847defb2dde313b75f244fe8944
f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b
SH256 hash:
f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b
MD5 hash:
427b0cb40c5039325a96d5e0f48aba16
SHA1 hash:
75b3bd73150caccaed78926373fe873e1a32a703
Link:
https://www.unpac.me/results/2c730138-e8b1-4acd-b2a0-6d4245230271/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f1c19e1cf9f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe f1c19e1cf9f32a5aa6350ced35d355e37ae108dfc208902b72c73874410a5c1b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2749986/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/475452/

Comments