MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06db102d1c5d9386cd8d13e22237b286e4ecf1869c84cc70f17da0d421ccad3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06db102d1c5d9386cd8d13e22237b286e4ecf1869c84cc70f17da0d421ccad3d
SHA3-384 hash: 66255c21f3f8a5cf54dd101dc0ff15ef8b541046de97ec5df72da76412a92d7f79f9a46edcecb14d8780cada032e1f69
SHA1 hash: 32c5bdf2346986abb3afa44c0b259d10b4fa0793
MD5 hash: f44e1099a3ad7de77b06b0884a0195a1
humanhash: purple-mockingbird-tennessee-maryland
File name:JonnyBoi_Loader3.ps1
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:456 bytes
First seen:2022-09-07 01:08:56 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:s8AdjL+yT27L87HGrdvhIW+4tRHF7vQnD5j+CrBicIM+n:WvT27LmGrdB+4tRHF7vmD4GB5+
TLSH T159F0DC134CD15120C118C69FF46AC30644E6ED08F8CAB4D0F8E08C07EC03009A9B9C10
Reporter Anonymous
Tags:ps1 Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
powershell
Link:
https://www.filescan.io/uploads/6317ef48a90642bcbbe6c5fa/reports/db475590-499a-4ed1-934a-7db92ae7d102/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066067
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 698593 Sample: JonnyBoi_Loader3.ps1 Startdate: 07/09/2022 Architecture: WINDOWS Score: 100 88 Snort IDS alert for network traffic 2->88 90 Multi AV Scanner detection for domain / URL 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 7 other signatures 2->94 9 powershell.exe 14 22 2->9         started        14 ifsditw 2->14         started        process3 dnsIp4 74 85.192.63.184, 49720, 80 LINEGROUP-ASRU Russian Federation 9->74 64 C:\s.exe, PE32 9->64 dropped 104 Powershell drops PE file 9->104 16 s.exe 9->16         started        19 powershell.exe 6 9->19         started        21 conhost.exe 9->21         started        106 Detected unpacking (changes PE section rights) 14->106 108 Machine Learning detection for dropped file 14->108 110 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->110 112 3 other signatures 14->112 file5 signatures6 process7 signatures8 80 Detected unpacking (changes PE section rights) 16->80 82 Machine Learning detection for dropped file 16->82 84 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->84 86 3 other signatures 16->86 23 explorer.exe 12 16->23 injected process9 dnsIp10 68 www.vispavolley.net 46.252.151.147, 443, 49786, 49790 ASSUPERNOVAIT Italy 23->68 70 ojinsei.com 178.20.42.96, 49738, 49740, 49742 ASN-FRWInternetServiceProviderIT Russian Federation 23->70 72 2 other IPs or domains 23->72 56 C:\Users\user\AppData\Roaming\ifsditw, PE32 23->56 dropped 58 C:\Users\user\AppData\Local\Temp\9F9F.exe, PE32 23->58 dropped 60 C:\Users\user\AppData\Local\Temp\40C5.exe, PE32 23->60 dropped 62 3 other files (2 malicious) 23->62 dropped 96 System process connects to network (likely due to code injection or exploit) 23->96 98 Benign windows process drops PE files 23->98 100 Injects code into the Windows Explorer (explorer.exe) 23->100 102 2 other signatures 23->102 28 16B5.exe 1 23->28         started        31 40C5.exe 1 23->31         started        33 9F9F.exe 23->33         started        35 10 other processes 23->35 file11 signatures12 process13 dnsIp14 120 Machine Learning detection for dropped file 28->120 122 Contains functionality to inject code into remote processes 28->122 124 Writes to foreign memory regions 28->124 128 2 other signatures 28->128 38 AppLaunch.exe 2 28->38         started        40 conhost.exe 28->40         started        42 AppLaunch.exe 31->42         started        46 conhost.exe 31->46         started        126 Multi AV Scanner detection for dropped file 33->126 48 conhost.exe 33->48         started        66 116.203.167.5, 49802, 80 HETZNER-ASDE Germany 35->66 50 AppLaunch.exe 2 35->50         started        52 conhost.exe 35->52         started        54 conhost.exe 35->54         started        signatures15 process16 dnsIp17 76 t.me 149.154.167.99, 443, 49800 TELEGRAMRU United Kingdom 42->76 78 116.202.180.202, 49801, 80 HETZNER-ASDE Germany 42->78 114 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->114 116 Tries to harvest and steal browser information (history, passwords, etc) 42->116 118 Tries to steal Crypto Currency Wallets 42->118 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06db102d1c5d9386cd8d13e22237b286e4ecf1869c84cc70f17da0d421ccad3d/
Threat name:
Script.Exploit.Minerva
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 01:09:05 UTC
File Type:
Text (Batch)
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3nrali4lwjyntmncprcen5sq3soz4mgtscmy4hrpwqniiomvu6q._file
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:747 botnet:d020f14a64593b123f5299012b4c811a botnet:nam5 backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220907-bhsbhagafp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
Raccoon
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
78.153.144.6:2510
103.89.90.61:34589
http://116.203.167.5/
http://195.201.248.58/
Dropper Extraction:
http://85.192.63.184/s.exe
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/06db102d1c5d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06db102d1c5d9386cd8d13e22237b286e4ecf1869c84cc70f17da0d421ccad3d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Smoke Loader

PowerShell (PS) ps1 06db102d1c5d9386cd8d13e22237b286e4ecf1869c84cc70f17da0d421ccad3d

(this sample)

RedLineStealer

Executable exe 694b13a1ac031d126c57a4eb7d31b2eefef733bc082887153c8548f1b8dbe4b8

  
Dropping
SHA256 694b13a1ac031d126c57a4eb7d31b2eefef733bc082887153c8548f1b8dbe4b8

Comments