Managed XDR

home-cjq-hybrid_featur...466c5bfe436feda9aa.exe (Smoke Bot) — malware analysis report

File info

Filename: home-cjq-hybrid_feature_gan-patched-classic_cnn_svm_mse_0.1_28_-ca67ebf2b5f829924ad4eb6008250b8afb97c559f79503b98d118f669537df6d_8a9c2d74546e6c6d5971f97c43ace604199e38d99f259d466c5bfe436feda9aa.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 295.3 KB
First seen: 2025-04-10 08:27
Last seen: 2025-04-10 08:27

Environment

win7/x86 en

Hashes

SHA1: febb0244736f6df2dde8a7b0875f7fca1efbd69d
SHA256: 8a9c2d74546e6c6d5971f97c43ace604199e38d99f259d466c5bfe436feda9aa
MD5: 47ad24d99afac4552b21d1ed5ecf83ee

Malwares

Smoke Bot

Signatures

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070.004 deletes_self: Moves to different location or removes the original executable file

T1564.001 stealth_file: Creates hidden or system files

T1564.004 removes_zoneid_ads: Attempts to hide the indications that the file was downloaded from the Internet

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie

T1497.001 antivm_generic_ide: Checks the presence of IDE drives in the registry, possibly for anti-virtualization

T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497.001 antivm_queries_computername: Retrieves the computer name

Discovery

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie

T1497.001 antivm_generic_ide: Checks the presence of IDE drives in the registry, possibly for anti-virtualization

T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier

T1518.001 antiav_avast_libs: Attempts to detect Avast Antivirus by a certain library

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1057 process_interest: Enumerates processes

T1497.001 antivm_queries_computername: Retrieves the computer name

Command and Control

T1071.001 network_http: Performs HTTP requests

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

yara_rules: Static rules

smokeloader_behaviour: Exhibits behavior characteristics of SmokeLoader

suspicious_process_network: Unusual process network activity detected

no_graphical_activity: No graphic activity

has_pdb: This executable file has a PDB path

pe_overlay: PE file contains overlay

Related reports

Managed XDR