MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9f0aaf36f064cdfc25a12663ffa348eb6d923a153f08c7ca9052dcb184b3570. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 10

SHA256 hash: f9f0aaf36f064cdfc25a12663ffa348eb6d923a153f08c7ca9052dcb184b3570
SHA3-384 hash: 726457769296675918211b55029db90cd741dce826492028377c0768256e0e788f1d2060b73f72716433e0a183395dce
SHA1 hash: 5995ae9d0247036cc6d3ea741e7504c913f1fb76
MD5 hash: 277680bd3182eb0940bc356ff4712bef
humanhash: oxygen-moon-sad-helium
File name: 277680bd3182eb0940bc356ff4712bef
Signature: Smoke Loader
File size: 301'056 bytes
First seen: 2022-01-11 00:35:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 59b39a32796ab4df4ad9e46d6bb02a4c (1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep: 3072:4/ls8LAAkcooHqeUolNx8IA0ZU3D80T840yWrxpzbgqruJnfed:Ils8LA/oHbbLAGOfT8auzbgwuJG
TLSH: T16254CF307598C472C79702758824CAE55A7AF831AE678547379C2B6F2E70E8C8BF621D
dhash icon: fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter: zbetcheckin
Tags: 32 exe Smoke Loader

Intelligence

File Origin
# of uploads: 1
# of downloads: 242
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 277680bd3182eb0940bc356ff4712bef
Verdict: No threats detected
Analysis date: 2022-01-11 00:36:29 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Searching for synchronization primitives
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Djvu SmokeLoader
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Djvu Ransomware
Yara detected SmokeLoader
Behaviour
Behavior Graph: [graph rendering not reproduced; Behavior Graph ID: 550483, Sample: 1lBu5Y1jX1, Startdate: 11/01/2022, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Raccoon
Status: Malicious
First seen: 2022-01-10 16:14:18 UTC
File Type: PE (Exe)
Extracted files: 31
AV detection: 33 of 43 (76.74%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor collection trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Unpacked files
SHA256 hash: f12298a85ad18a55421deada8eb23f2a519a606439eedc2f9a60cd1ec8494914
MD5 hash: b759df8ed45d16518bd54eb6f3b996ca
SHA1 hash: ed63cdc2a64db6902b2a94e94020ff7db52c7691

SHA256 hash: f9f0aaf36f064cdfc25a12663ffa348eb6d923a153f08c7ca9052dcb184b3570
MD5 hash: 277680bd3182eb0940bc356ff4712bef
SHA1 hash: 5995ae9d0247036cc6d3ea741e7504c913f1fb76
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Smoke Loader
Executable exe f9f0aaf36f064cdfc25a12663ffa348eb6d923a153f08c7ca9052dcb184b3570 (this sample)

Delivery method: Distributed via web download

Comments