MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcddde971fc98e2d043e7078c1b2c2526ac62920794a7574cd9b8f826fbf218c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 10

SHA256 hash: fcddde971fc98e2d043e7078c1b2c2526ac62920794a7574cd9b8f826fbf218c
SHA3-384 hash: 9bf2a6de459cb7c1963bfccb4c5c674d4d75abd4cc6ab87605fdd38b5596f3de512dd0b5a8a670ce06a3810dcd102010
SHA1 hash: 85c7db856c61cef739f6d106975139e9d78e86c2
MD5 hash: c6758ff664b234e640227870bbe23b5d
humanhash: butter-speaker-nebraska-chicken
File name: c6758ff664b234e640227870bbe23b5d
Signature: Smoke Loader
File size: 877'056 bytes
First seen: 2022-10-04 05:29:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'854 x Amadey, 290 x Smoke Loader)
ssdeep: 12288:gS7Jb69SKBgF7wIRmE+trfkIDt03B+WaaccUkEMtaa+Sjpj6aI:7qUxRmESfbt0LaLc6zI4aI
TLSH: T14C1512018EE9C813D2F41B7164F902BF153E7920AE698748B948B8DC55B1ACD7CB63B7
TrID: 71.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      11.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: 849878d0660c848c (1 x Smoke Loader)
Reporter: zbetcheckin
Tags: 32 exe Smoke Loader

Intelligence

File Origin
# of uploads: 1
# of downloads: 262
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Launching the process to create tasks for the scheduler
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Gathering data
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: ManusCrypt, SmokeLoader, Socelars
Detection: malicious
Classification: troj.evad.phis.bank.spyw.expl.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected VMProtect packer
DLL reload attack detected
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites Mozilla Firefox settings
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected ManusCrypt
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 715514
Sample: dBDfcVVkIk.exe
Start date: 04/10/2022
Architecture: WINDOWS
Score: 100
Signatures on the start node: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 9 other signatures

Process tree (node numbers are the graph's own; "started" marks a child process, "injected" marks an injection target; "..." marks path components the report elides):

dBDfcVVkIk.exe (14)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  started cmd.exe (23)
    Signatures: Obfuscated command line found; Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks
    started cmd.exe (32)
      Dropped: C:\Users\user\AppData\...\Kelkoo.exe.pif (PE32)
      Signatures: Obfuscated command line found; Uses ping.exe to sleep
      started Kelkoo.exe.pif (50)
        Dropped: C:\Users\user\AppData\...\CtOPrTmCtPpxv.dll (PE32)
        Signatures: DLL reload attack detected; Found API chain indicative of sandbox detection; Renames NTDLL to bypass HIPS; Injects a PE file into a foreign processes
        started Kelkoo.exe.pif (63)
          Network: 188.72.236.239 (WEBZILLANL, Netherlands); 151.115.10.1 (OnlineSASFR, United Kingdom); 10 other IPs or domains
          Dropped: C:\Users\user\AppData\Local\Temp\...\SOCapm (PE32); C:\Users\user\AppData\Local\Temp\...\HvWvHo (PE32+); C:\Users\user\AppData\Local\Temp\...\esSBBy (PE32); 14 other files (13 malicious)
          started gEcvnl (71)
            Dropped: C:\Users\user\AppData\Local\...\gEcvnl.tmp (PE32)
            Signatures: Multi AV Scanner detection for dropped file; Obfuscated command line found
            started gEcvnl.tmp (82)
              Network: 68.232.34.200 (EDGECASTUS, United States); 13.224.103.95 (AMAZON-02US, United States); 2 other IPs or domains
              Dropped: C:\Users\user\...\xmrBridge.dll (copy) (PE32+); C:\Users\user\...\unins000.exe (copy) (PE32); C:\Users\user\...\nvrtc64_100_0.dll (copy) (PE32+); 30 other files (29 malicious)
              started vc_redist.x64.exe (93)
                Dropped: C:\Windows\Temp\...\vc_redist.x64.exe (PE32)
                started vc_redist.x64.exe (100)
                  Dropped: C:\Windows\Temp\...\VC_redist.x64.exe (PE32); C:\Windows\Temp\...\wixstdba.dll (PE32)
                  started VC_redist.x64.exe (103)
                    Dropped: C:\ProgramData\...\VC_redist.x64.exe (PE32)
          started esSBBy (75)
            Signatures: Injects a PE file into a foreign processes
            started esSBBy (86)
              Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
              injected explorer.exe (96)
                Network: 176.124.192.17 (GULFSTREAMUA, Russian Federation)
                Dropped: C:\Users\user\AppData\Roaming\swhwvbb (PE32)
                Signatures: Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
          started sDVlOj (77)
            Network: 188.114.96.3 (CLOUDFLARENETUS, European Union)
            Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
            Signatures: Creates processes via WMI
            started conhost.exe (89)
          started 3 other processes (80)
            Network: 148.251.234.83 (HETZNER-ASDE, Germany); 193.149.187.196 (DANISCODK, Denmark); 149.28.253.196 (AS-CHOOPAUS, United States)
            Dropped: C:\Windows\maTcBXSu.exe (PE32)
            started WerFault.exe (91)
              Network: 20.42.73.29 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
        started Kelkoo.exe.pif (67)
        started Kelkoo.exe.pif (69)
      started tasklist.exe (54)
      started tasklist.exe (56)
      started 4 other processes (61)
    started conhost.exe (36)
    started PING.EXE (38)
  started at.exe (26)
    started conhost.exe (40)
rundll32.exe (17)
  started rundll32.exe (28)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    injected svchost.exe (42)
      Signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
      started svchost.exe (58)
        Network: 208.95.112.1 (TUT-ASUS, United States); 104.21.34.132 (CLOUDFLARENETUS, United States); 34.142.181.181 (ATGS-MMD-ASUS, United States)
        Dropped: C:\Users\user\AppData\...\cookies.sqlite.db (SQLite); C:\Users\user\AppData\Local\...\Login Data.db (SQLite); C:\Users\user\AppData\Local\...\Login Data.db (SQLite); C:\Users\user\AppData\Local\...\Cookies.db (SQLite)
        Signatures: Query firmware table information (likely to detect VMs); Installs new ROOT certificates; Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically); 2 other signatures
    injected svchost.exe (44)
    injected svchost.exe (46)
    injected svchost.exe (48)
svchost.exe (19)
  started WerFault.exe (30)
2 other processes (21)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-10-03 20:29:51 UTC
File Type: PE (Exe)
Extracted files: 25
AV detection: 9 of 25 (36.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: a39dda23714360392e4b419b9eca54dab56e7e8d2d3f6a2b30c97cb2b7d3e186
MD5 hash: 65ccc76417732b02c2a92b784a1532b2
SHA1 hash: cb75a04ae78642f274acd1fd9d15bf3f1d22f082

SHA256 hash: fcddde971fc98e2d043e7078c1b2c2526ac62920794a7574cd9b8f826fbf218c
MD5 hash: c6758ff664b234e640227870bbe23b5d
SHA1 hash: 85c7db856c61cef739f6d106975139e9d78e86c2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Smoke Loader
File: Executable exe, fcddde971fc98e2d043e7078c1b2c2526ac62920794a7574cd9b8f826fbf218c (this sample)
Distributed via web download

Comments

zbet commented on 2022-10-04 05:29:31 UTC

url : hxxp://171.22.30.79/files/Vdi.exe