MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856
SHA3-384 hash: c5948dc415158b4cedd91af7ea79122177b9bc21cb987a6ea381bcb5e7dca4b39150055a6d2874e579d24f4145ae1e04
SHA1 hash: 93e67adbf89bed48a8f9d81de6d15baa88721795
MD5 hash: fc330692d17e8cbea9ebe300ed6077de
humanhash: winter-table-mobile-ink
File name:fc330692d17e8cbea9ebe300ed6077de
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:1'473'864 bytes
First seen:2022-11-16 09:17:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 310638d36ec921f029e67a7144e7c280 (2 x ArkeiStealer, 2 x Smoke Loader, 2 x LgoogLoader)
ssdeep 24576:dcEttPVEw1JS1ttl9hnsfQEvIHWBZlRrzl5qPcWOO7BkSG1L1BAT:X9iwSblAfQiI2jz/qPcWBKzLA
Threatray 15'564 similar samples on MalwareBazaar
TLSH T11F65D1611D1C19D7C5E1D279ECD0530EA86DD6DABDBC918AB087A29ECBBF21074DE2C0
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4d4d4e8d8d4c4d4 (2 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe signed Smoke Loader

Code Signing Certificate

Organisation:forgiato.com
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2022-07-15T23:39:20Z
Valid to:2023-08-16T23:39:20Z
Serial number: 103ec8d8d08d08a8
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 2189a1e2d045d06fd4bb1df1d2658341e23edf7d7e723db69a0551e4ac9345fb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fc330692d17e8cbea9ebe300ed6077de
Verdict:
Suspicious activity
Analysis date:
2022-11-16 09:18:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/626eb23e-c993-48cd-b4d4-763f85ad4936

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334734/
Detection(s):
SecuriteInfo.com.W32.Kryptik.HRAO.tr.26208.4597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6374aacc4cfa4744015c6382/reports/5e1211fe-707e-4a8b-b8a2-c789d1ebbed2/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/138343e9-2050-448e-9a54-5e7b399bb3c8
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114673
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Go Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 747368 Sample: 88ql87dy5Y.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 61 hupeb6hjghdn6p12.obymh1afjvc 2->61 89 Snort IDS alert for network traffic 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for URL or domain 2->93 95 11 other signatures 2->95 9 88ql87dy5Y.exe 6 2->9         started        13 verbhvi 6 2->13         started        signatures3 process4 dnsIp5 73 zgsuwka5mq5bfiod6zbrf9bmwq.5jsfr2u94js0upum77fifcfos 9->73 123 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->123 125 Maps a DLL or memory area into another process 9->125 127 Checks if the current machine is a virtual machine (disk enumeration) 9->127 129 Creates a thread in another existing process (thread injection) 9->129 15 explorer.exe 1 9 9->15 injected 75 zgsuwka5mq5bfiod6zbrf9bmwq.5jsfr2u94js0upum77fifcfos 13->75 131 Multi AV Scanner detection for dropped file 13->131 133 Machine Learning detection for dropped file 13->133 signatures6 process7 dnsIp8 77 31.42.177.59, 49724, 80 YANINA-ASUA Ukraine 15->77 79 85.31.44.120, 49723, 49726, 80 CLOUDCOMPUTINGDE Germany 15->79 47 C:\Users\user\AppData\Roaming\verbhvi, PE32 15->47 dropped 49 C:\Users\user\AppData\Local\Temp\8384.exe, PE32+ 15->49 dropped 51 C:\Users\user\AppData\Local\Temp\6443.exe, PE32 15->51 dropped 53 2 other malicious files 15->53 dropped 81 System process connects to network (likely due to code injection or exploit) 15->81 83 Benign windows process drops PE files 15->83 85 Injects code into the Windows Explorer (explorer.exe) 15->85 87 3 other signatures 15->87 20 3C28.exe 15->20         started        24 8384.exe 1 15->24         started        27 cmd.exe 1 15->27         started        29 9 other processes 15->29 file9 signatures10 process11 dnsIp12 55 C:\Users\user\AppData\...\nvdrivesllapi.exe, PE32+ 20->55 dropped 57 C:\Users\user\AppData\Local\...\xlngptzm.tmp, PE32+ 20->57 dropped 97 Multi AV Scanner detection for dropped file 20->97 99 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->99 101 Tries to evade analysis by execution special instruction (VM detection) 20->101 103 Tries to detect virtualization through RDTSC time measurements 20->103 63 youtube-ui.l.google.com 172.217.23.110 GOOGLEUS United States 24->63 65 65.21.213.208 CP-ASDE United States 24->65 67 www.youtube.com 24->67 105 Tries to harvest and steal browser information (history, passwords, etc) 24->105 107 Tries to detect debuggers (CloseHandle check) 24->107 109 Hides threads from debuggers 24->109 111 Uses cmd line tools excessively to alter registry or file data 27->111 113 Uses powercfg.exe to modify the power settings 27->113 115 Modifies power options to not sleep / hibernate 27->115 31 conhost.exe 27->31         started        33 sc.exe 1 27->33         started        35 sc.exe 1 27->35         started        43 8 other processes 27->43 69 hupeb6hjghdn6p12.obymh1afjvc 29->69 71 192.168.2.1 unknown unknown 29->71 59 C:\Users\user\AppData\...\svcupdater.exe, PE32 29->59 dropped 117 Machine Learning detection for dropped file 29->117 119 Checks if browser processes are running 29->119 121 Contains functionality to compare user and computer (likely to detect sandboxes) 29->121 37 conhost.exe 29->37         started        39 conhost.exe 29->39         started        41 powercfg.exe 1 29->41         started        45 4 other processes 29->45 file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 05:41:50 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ihu5fm7u4npwqi3by4jxwnwiakapryhjkh5asovk7f2na7xvbla._file
Verdict:
malicious
Similar samples:
4268c628b2cfcf6700dc00f43a474bd0fa720b43008bc3684631453542523bea
Smoke Loader
614d8a0cfd93b3ab2f4e01ea490ba9d350f7ea786a18b54785581777df71b371
Smoke Loader
71542a9dd0da516b5599228ace4fc9028ce2d389ec0fc1e68e9089ba174afe80
Smoke Loader
81dda2ffa7d1039d3b745540573c6e8c728584d536a449f5baa031fb40fc065d
Smoke Loader
88f86b01cb6078c58fd2d5ab9f1beb7c24fa1e4b71e1ca558678d7718c418b66
Smoke Loader
a3ab078df870be2b8552699a13d47a05c3078958ec76d582baf0a2ca47e9505f
Smoke Loader
b3952d5a517987c91deaf47757cdb7051db5e7f7af71e12eb42db4bc65e20552
Smoke Loader
+ 15'554 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike family:smokeloader backdoor evasion spyware stealer trojan
Link:
https://tria.ge/reports/221116-k9lgpsaa49/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
GoLang User-Agent
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Stops running service(s)
Cobaltstrike
Detects Smokeloader packer
Modifies security service
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/301cfae2-3b8a-48a7-9998-a1ca6903df72
Unpacked files
SH256 hash:
e651ddd576bf5aa7a62a961d3a6ef787bc3a76cab05b4680f244dbc7ca0f13a4
MD5 hash:
72f0ce3c7ea8409964c900f42bd54bd2
SHA1 hash:
ca488c0db15b5b44beec750ae709034ecebaccd0
Link:
https://www.unpac.me/results/1e5593b4-4c93-4db3-8ac0-4f321addd6c8/
SH256 hash:
fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856
MD5 hash:
fc330692d17e8cbea9ebe300ed6077de
SHA1 hash:
93e67adbf89bed48a8f9d81de6d15baa88721795
Link:
https://www.unpac.me/results/1e5593b4-4c93-4db3-8ac0-4f321addd6c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe fa0f4e959fa71afb411b0e389bd9b6401407c7074a8fd049d557cba683f7a856

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2414287/
Cape
Cape
https://www.capesandbox.com/analysis/334734/

Comments


Avatar
zbet commented on 2022-11-16 09:17:22 UTC

url : hxxp://31.42.177.59/kurwa.exe