MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc25512ebc702b7b64fe49986b457e95884386944560d4fbdcf8a573e612629e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc25512ebc702b7b64fe49986b457e95884386944560d4fbdcf8a573e612629e
SHA3-384 hash: cc18f93dcb99d138ceb556ecfdbd962e2eb41ac9c02b894c32de6ae5c423e455664cdc3f7f31f34fd74c805b3d1db0c5
SHA1 hash: dfbcafc12bc2d92cf9d61f8022f5885017ef5167
MD5 hash: 2a600b7f0096e6ff8978dfcb3ab22abf
humanhash: edward-missouri-stairway-wyoming
File name:fc25512ebc702b7b64fe49986b457e95884386944560d4fbdcf8a573e612629e
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:390'147 bytes
First seen:2020-11-12 08:38:19 UTC
Last seen:2024-07-24 23:20:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'461 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:x/QiQXCqoL8+Ee0CYDTAsdRGOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3qoL8+iDNdRGlL//plmW9bTXeVhD4
Threatray 56 similar samples on MalwareBazaar
TLSH 4C841203E6E11934E073CEF05CA5D4724A3F79256E7C600472DC9D9E9F7BA82966A383
Reporter JAMESWT_WT
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
473
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.OpenCandy.Gen-8.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Deleting a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Delayed writing of the file
Using the Windows Management Instrumentation requests
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/532164
Signature
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Renames NTDLL to bypass HIPS
Sigma detected: Suspicious Certutil Command
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 315184 Sample: 3MndTUzGQn Startdate: 12/11/2020 Architecture: WINDOWS Score: 100 103 crtstats.com 2->103 143 Antivirus / Scanner detection for submitted sample 2->143 145 Multi AV Scanner detection for submitted file 2->145 147 Uses ping.exe to sleep 2->147 149 5 other signatures 2->149 15 3MndTUzGQn.exe 2 2->15         started        18 ahevdud 2->18         started        21 rundll32.exe 2->21         started        signatures3 process4 file5 99 C:\Users\user\AppData\...\3MndTUzGQn.tmp, PE32 15->99 dropped 23 3MndTUzGQn.tmp 3 14 15->23         started        101 C:\Users\user\AppData\Local\Temp\5C1B.tmp, PE32 18->101 dropped 135 Machine Learning detection for dropped file 18->135 137 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->137 139 Renames NTDLL to bypass HIPS 18->139 141 3 other signatures 18->141 signatures6 process7 dnsIp8 105 4kyoutubedonwloaderk.xyz 185.195.24.76, 49712, 49721, 80 SUPERSERVERSDATACENTERRU Russian Federation 23->105 107 ipinfo.io 216.239.36.21, 443, 49709, 49710 GOOGLEUS United States 23->107 109 2 other IPs or domains 23->109 81 C:\Users\user\AppData\Local\...\Setup.exe, PE32 23->81 dropped 83 C:\Users\user\AppData\...\itdownload.dll, PE32 23->83 dropped 85 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 23->85 dropped 87 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 23->87 dropped 27 Setup.exe 1 26 23->27         started        file9 process10 dnsIp11 119 youtube4kdowloader.club 27->119 121 api.ip.sb 27->121 123 5 other IPs or domains 27->123 91 C:\Users\user\AppData\...\9776937376.exe, PE32 27->91 dropped 93 C:\Users\user\AppData\Local\...\li11[1].exe, PE32 27->93 dropped 95 C:\Users\user\AppData\...\4144128020.exe, PE32 27->95 dropped 97 3 other files (none is malicious) 27->97 dropped 161 Detected unpacking (changes PE section rights) 27->161 163 Detected unpacking (overwrites its own PE header) 27->163 165 Uses ping.exe to sleep 27->165 167 Machine Learning detection for dropped file 27->167 32 cmd.exe 1 27->32         started        35 cmd.exe 1 27->35         started        37 cmd.exe 1 27->37         started        file12 signatures13 process14 signatures15 125 Drops PE files with a suspicious file extension 32->125 39 4144128020.exe 1 7 32->39         started        42 conhost.exe 32->42         started        44 taskkill.exe 1 35->44         started        46 conhost.exe 35->46         started        process16 file17 79 jsFdumhphXflIvIqvV...vywMsnrVpRhlCAFBGCc, COM 39->79 dropped 48 cmd.exe 1 39->48         started        process18 process19 50 cmd.exe 2 48->50         started        54 conhost.exe 48->54         started        file20 77 C:\Users\user\AppData\...\SgrmBroker.com, PE32 50->77 dropped 151 Uses ping.exe to sleep 50->151 56 PING.EXE 1 50->56         started        59 PING.EXE 1 50->59         started        61 SgrmBroker.com 50->61         started        63 certutil.exe 2 50->63         started        signatures21 process22 dnsIp23 111 PUyzJRot.PUyzJRot 56->111 65 9776937376.exe 1 56->65         started        68 conhost.exe 56->68         started        113 127.0.0.1 unknown unknown 59->113 115 192.168.2.1 unknown unknown 59->115 70 SgrmBroker.com 61->70         started        process24 signatures25 127 Machine Learning detection for dropped file 65->127 129 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 65->129 131 Renames NTDLL to bypass HIPS 65->131 133 3 other signatures 65->133 72 explorer.exe 65->72 injected process26 dnsIp27 117 olobus.casa 66.85.185.107, 443, 49761 SSASN2US United States 72->117 89 C:\Users\user\AppData\Roaming\ahevdud, PE32 72->89 dropped 153 Benign windows process drops PE files 72->153 155 Tries to harvest and steal browser information (history, passwords, etc) 72->155 157 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 72->157 159 Hides that the sample has been downloaded from the Internet (zone.identifier) 72->159 file28 signatures29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc25512ebc702b7b64fe49986b457e95884386944560d4fbdcf8a573e612629e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Suspicious
First seen:
2020-11-10 07:26:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qsvclv4oavxwzh6jgmgwrl6sweehbuuivqnj6647csxhzqsmkpa._file
Verdict:
malicious
Similar samples:
1765e5f0ee49b2b6cf4a7361bbaac484f15c6c1d003de02338fffdb615e831d8
Smoke Loader
2eafd204076978f8a4a3e39ab0b8dd4cbed9bec5a4ac39146e40d921c8af59ff
Smoke Loader
733036ae8101048351d1cf684fe1bc02c1cf7a70725a470bec7cbd59a602738b
Smoke Loader
91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f
Smoke Loader
939b640dab052ec6a08e17075397aa34abb4d4943768628a767f93d9f7d973f8
Smoke Loader
ab7d156971b4c71bd112c92043ac2fcace480d0032f6303beda28fb2a5001b3d
Smoke Loader
ad5592929818b5ee09b99dddb8a652d84621e0b70efe51c2f2b6ca54aeaa3713
Smoke Loader
b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184
Smoke Loader
d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740
Smoke Loader
e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141
Smoke Loader
+ 46 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:smokeloader backdoor persistence spyware trojan
Link:
https://tria.ge/reports/201112-m51qjpzx6n/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
ModiLoader First Stage
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
https://olobus.casa/feedback.php
https://trusho.online/feedback.php
Unpacked files
SH256 hash:
3660421114f2ad210589c67ac7051c46caeec2feb4a0412524e9af54a12420cb
MD5 hash:
da4ef56f99129f8985f47877a232cf9c
SHA1 hash:
03c5adb9688de74a5c1d03cdd60c4a8bfe1fa383
Link:
https://www.unpac.me/results/f4d2023a-9728-44a0-a801-8c234053f24c/
SH256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
Link:
https://www.unpac.me/results/f4d2023a-9728-44a0-a801-8c234053f24c/
SH256 hash:
fc25512ebc702b7b64fe49986b457e95884386944560d4fbdcf8a573e612629e
MD5 hash:
2a600b7f0096e6ff8978dfcb3ab22abf
SHA1 hash:
dfbcafc12bc2d92cf9d61f8022f5885017ef5167
Link:
https://www.unpac.me/results/f4d2023a-9728-44a0-a801-8c234053f24c/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments