MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 08dcc0cd8aa90a04708aab25c7de5b66d62b4218ef0c5d2654a24b3cef83e534. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Smoke Loader
Vendor detections: 10
| SHA256 hash: | 08dcc0cd8aa90a04708aab25c7de5b66d62b4218ef0c5d2654a24b3cef83e534 |
|---|---|
| SHA3-384 hash: | 9697ef39a16622bccec3fee7ba1befb522a91f734f2fa68b7c58bbda497b86e79e2c8021d6773007da89cab674c6dcf5 |
| SHA1 hash: | 5a59f647912e2b26e4e953a6f975931a52b7488e |
| MD5 hash: | 98586f27312dac0074453e56df6f853d |
| humanhash: | white-friend-enemy-eighteen |
| File name: | setup_x86_x64_install.exe |
| Download: | download sample |
| Signature | Smoke Loader |
| File size: | 5'378'406 bytes |
| First seen: | 2021-09-20 21:29:53 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox) |
| ssdeep | 98304:y+60DjG/U5hdRjAzfkMeQ35wQ7NazNRsZ3VyB/VY9D7RovkqZzG02SGf:y+6Mj1Uf1haz7sZ3VyBdYdRikqZzG02z |
| Threatray | 564 similar samples on MalwareBazaar |
| TLSH | T1BE46336C6E02C003D216EA339E5C85179B4EB307C831A155DD45123AEEC6A7EDBB76B3 |
| File icon (PE): |  |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter | Anonymous |
| Tags: | exe Smoke Loader |
Intelligence
File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
No threats detected
Analysis date:
2021-09-20 21:30:37 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Malware family:
Bsymem
Verdict:
Malicious
Result
Threat name:
RedLine Socelars Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Infostealer.Reline
Status:
Malicious
First seen:
2021-09-20 21:30:07 UTC
AV detection:
29 of 45 (64.44%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
unknown
Similar samples:
+ 554 additional samples on MalwareBazaar
Result
Malware family:
vidar
Score:
10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:janesam botnet:nanani aspackv2 backdoor evasion infostealer spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
https://petrenko96.tumblr.com/
45.142.215.47:27643
65.108.20.195:6774
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
45.142.215.47:27643
65.108.20.195:6774
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
SH256 hash:
24348bf669e03444119c11b262b0e0b117102d81c6f1d1448eab1eecaf4bf77f
MD5 hash:
e6baca37f452fc98630853205ce11ee8
SHA1 hash:
03e3b3f87d0be94e40ddf900210ebc67b5445659
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SH256 hash:
52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d
MD5 hash:
2c509753fac93810c09574a8b56af1e4
SHA1 hash:
e53da7ff5a9cfc3bda21794d639ed1f02cd7a881
SH256 hash:
bb858b8d47ac686d95fa950f6877c8d456a3d8f0b65795b113283409320c5492
MD5 hash:
ed7aa1a3e71fa7dbc854f581d9620e5c
SHA1 hash:
d125456c0a8bc14ca5d564536003fe47ec6488ca
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
SH256 hash:
ec599b0b771a292902f3c42ce378c62abe78f524a4a0e9224c5c985691dcc40a
MD5 hash:
062d3693875aef480647447a99242b0d
SHA1 hash:
8c4a3888bf313fdac328058ae95250f81bc9bd80
SH256 hash:
8721a407a4ff662f299febaddea27ba570498718af39365b6bfdade2687cd09e
MD5 hash:
f433fcbd733cf5c44370c55558204e71
SHA1 hash:
7478e59537fb5f5a50d3785d4eff63718d5a05e8
SH256 hash:
aff9ab692225614831ee1630686474da45ab76c978f91345309f76dc8f85c039
MD5 hash:
3a07caaa60f3b83b0e230fbfa6b0b357
SHA1 hash:
57d995c58ad58865787f32d7a1a0eedab1cf8e0f
SH256 hash:
1e50bead67a29eaeec16eb7f67ae9624e2e117c21838753b339f8dedcc1d0819
MD5 hash:
34a48b5bb71c3e586ab70823760ab20a
SHA1 hash:
4a2a5053f44be79b897a9c126befbdf32df5c4d3
SH256 hash:
f1df7e40b22c3be3f745e5e9bfcb63e0d1cdeaa0f4277c58688f645b4c03cd86
MD5 hash:
4d5ca32c1087623afa573f0cea3b443d
SHA1 hash:
46cd2a6fa67759ff35912c1cadf0bc398c9b19b8
SH256 hash:
4216c9244383319112c28dc0986df099991aaababbea7dd3a70e37764d97ed32
MD5 hash:
dd242b03908ffa99b8a6e7c13fca68ee
SHA1 hash:
38843a3659445a619543406dafc8b8518b79361f
SH256 hash:
d7e681228fba9eb79c5cb956e00fc67bbae6430c51bb06208ca3ff6b7bb4f0d0
MD5 hash:
44bef05849fe4a31a13b3cac1093b9c8
SHA1 hash:
3026601edac7d49ac6d70381b5e3e163b30d5ef1
SH256 hash:
cb5405f78d1959eac2ff9dd0f595598327a9d7369cc7d4e4eb76b30fa463f77e
MD5 hash:
1850f151d8862c9f5ea50b0e01ff38ab
SHA1 hash:
1ce9a174cd47bf97b39dcc95dd9b13d90e6ee383
SH256 hash:
5a316abb59caec8bf3e95187f20d734edcee4234f9571ab2f6fd7aad83ef07bd
MD5 hash:
5a31d99dee8653f15811fcc93651c696
SHA1 hash:
1429465b72e4b9b3e05db0fd5e5d237150f79090
SH256 hash:
ff236ccbd61d322a223e3152e768d0a195bde866d4debbe98929a80946382832
MD5 hash:
14b846dbd77dbedb574227310467d5fb
SHA1 hash:
01318111c3ae602914839f4f44f66dc095f3aa51
SH256 hash:
247d69da57e075f15e7fedc62ef99404f3e4e15988d35c598054f6771567b12a
MD5 hash:
0ef47ae88282ced5a011034e25a46e07
SHA1 hash:
4ee96fa7cf4c7c0d3d909a1726a48551a81aaf72
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SH256 hash:
894300eca1742f48ed61be1043d3cb9924e89522c24b0f01b7cceb261a1fa073
MD5 hash:
7c82c868054a4fc8a5f6337a55f8d82e
SHA1 hash:
279ef02de285cbaf873e1ac2794406baa1f84f19
SH256 hash:
0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b
MD5 hash:
bb4e4f419dbe419d5cdca7e8534ac023
SHA1 hash:
cdacd0ad82dcefa585734e751b1cea42161a9033
SH256 hash:
f986e7da2b7e9f5d3a647d53055de296d3654210b7ae1245ed6881d4b28c7dd5
MD5 hash:
e4736bf88023f1b245eaf9e96a0559a5
SHA1 hash:
a0306a7c4039745ce2e504921f88f06c3324b855
SH256 hash:
3988e0bc57b0ba4edefcc4632905f4989851bc78caaacc15f10fb009c531f355
MD5 hash:
968107128270cca089b277709d1307df
SHA1 hash:
aabc403080d808d23abb110b26bf8eda2523ddda
SH256 hash:
79000f1fc2c1b80ca27b75b311014c401e8b5b431ebe16d5eb9d1e21103927cd
MD5 hash:
46fb5b0d1328cdd2752e9dee6db34f7d
SHA1 hash:
fa709a3f39aa4e7320ea647a5a6b97423ed06fe8
Detections:
win_socelars_auto
SH256 hash:
129aaef67c89f0e677eda19ae342893fd21f9799970169eed7d69928a46359aa
MD5 hash:
6c05aac715aa1f2e00ae332d5a6709c8
SHA1 hash:
98b0e68255e82958d179e0727fd0b356a53232f6
SH256 hash:
bc2d01bfa4d1d35ad1b92e0b5b60f40ff290ce2494d964fe039cbbba583161bf
MD5 hash:
6d3575bc9364d647e19c313c33b60edb
SHA1 hash:
2590132753dbb3312393948e9249b9f135c4247b
SH256 hash:
08dcc0cd8aa90a04708aab25c7de5b66d62b4218ef0c5d2654a24b3cef83e534
MD5 hash:
98586f27312dac0074453e56df6f853d
SHA1 hash:
5a59f647912e2b26e4e953a6f975931a52b7488e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.