MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cd327d648018f31e5a411a72c839b8b74bb188488a32ddf7289990ae516fa7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cd327d648018f31e5a411a72c839b8b74bb188488a32ddf7289990ae516fa7d
SHA3-384 hash: eae82908af2face49d522904eebf717e2018f8fd94249466efe8707ace3182adae5f412313f2b2be69508041630edd3c
SHA1 hash: 6ec6c203d1fed2cf6a2e3f56c1eed019cc5dcf9c
MD5 hash: 7b45ecfd38a20fdfdeaf3fe062e11a47
humanhash: tango-fix-mike-burger
File name:7b45ecfd38a20fdfdeaf3fe062e11a47
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:196'608 bytes
First seen:2021-08-03 16:08:40 UTC
Last seen:2021-08-03 19:17:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 41772127f978069b9f399090f08eba15 (4 x Smoke Loader, 3 x RaccoonStealer, 1 x DanaBot)
ssdeep 3072:1qfZjM1DfA4v+GSoB/+D2SuBqDtsW2VhL9mdN0pn5R98kr/YGKaSoArywoOLi6:cIBGD2SuBqDtsW2VhL9mQpb98XBoRwom
Threatray 1'365 similar samples on MalwareBazaar
TLSH T12814CF1135C0CA72D215167D8875CBB06B2ABC755F359A8B3BB1626F0F362D2EB25382
dhash icon 1272d292105c5c03 (31 x RaccoonStealer, 6 x Smoke Loader, 4 x Loki)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7b45ecfd38a20fdfdeaf3fe062e11a47
Verdict:
Suspicious activity
Analysis date:
2021-08-03 16:09:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1120d60b-b800-4b08-95cc-8ba85c8789da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176125/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.30202.9302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Launching a process
Creating a file
Searching for the window
Reading critical registry keys
Sending an HTTP POST request
Creating a process with a hidden window
Setting browser functions hooks
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a browser process
Launching a file downloaded from the Internet
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f0e6514-aa62-4c5e-b1f8-87ae1b9c30ed
Result
Threat name:
Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826336
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Removes signatures from Windows Defender
Sigma detected: Schedule system process
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 458769 Sample: NKqz6BNPdi Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 45 5.181.156.60, 49750, 80 MIVOCLOUDMD Moldova Republic of 2->45 47 telete.in 195.201.225.248, 443, 49749 HETZNER-ASDE Germany 2->47 49 5 other IPs or domains 2->49 57 Multi AV Scanner detection for domain / URL 2->57 59 Antivirus detection for URL or domain 2->59 61 System process connects to network (likely due to code injection or exploit) 2->61 63 19 other signatures 2->63 10 NKqz6BNPdi.exe 2->10         started        13 truwwfv 2->13         started        signatures3 process4 signatures5 81 Detected unpacking (changes PE section rights) 10->81 83 Contains functionality to inject code into remote processes 10->83 85 Injects a PE file into a foreign processes 10->85 15 NKqz6BNPdi.exe 10->15         started        87 Machine Learning detection for dropped file 13->87 18 truwwfv 13->18         started        process6 signatures7 89 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->89 91 Maps a DLL or memory area into another process 15->91 93 Checks if the current machine is a virtual machine (disk enumeration) 15->93 20 explorer.exe 22 15->20 injected 95 Creates a thread in another existing process (thread injection) 18->95 process8 dnsIp9 51 45.150.67.148, 80 ASDETUKhttpwwwheficedcomGB Montenegro 20->51 53 readinglistforjuly9.xyz 141.136.0.194, 49735, 80 NANO-ASLV Latvia 20->53 55 11 other IPs or domains 20->55 35 C:\Users\user\AppData\Roaming\truwwfv, PE32 20->35 dropped 37 C:\Users\user\AppData\Local\Temp\F021.exe, PE32 20->37 dropped 39 C:\Users\user\AppData\Local\Temp8DC.exe, PE32 20->39 dropped 41 8 other files (7 malicious) 20->41 dropped 65 System process connects to network (likely due to code injection or exploit) 20->65 67 Benign windows process drops PE files 20->67 69 Performs DNS queries to domains with low reputation 20->69 71 2 other signatures 20->71 25 17B8.exe 3 20->25         started        28 42F.exe 1 20->28         started        30 FEB0.exe 3 20->30         started        file10 signatures11 process12 signatures13 73 Multi AV Scanner detection for dropped file 25->73 75 Detected unpacking (changes PE section rights) 25->75 77 Query firmware table information (likely to detect VMs) 25->77 79 3 other signatures 25->79 32 FEB0.exe 15 2 30->32         started        process14 dnsIp15 43 194.233.74.11 NEXINTO-DE Germany 32->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cd327d648018f31e5a411a72c839b8b74bb188488a32ddf7289990ae516fa7d/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 16:09:05 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=btjspvsiaghtdznecgtsza43rn2lwgeercrs3x3srgmqvziw7j6q._file
Verdict:
malicious
Similar samples:
1b7769f85c3874451b85f83ab1ddc08b0d07fe76f354e0c7b397308894095673
Smoke Loader
2b4e74f6d31e2ce71fa3de3caba5fbf6b070885d43c956aa57deced79e79826b
Smoke Loader
45d8a91be1d071837969fc7801a224b06e918bdc813e7ec14348abf8d0810312
Smoke Loader
4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
Smoke Loader
63761462358e1f880dafe51b3de8036f10bc60354b981cddc8075aed22e1251d
Smoke Loader
8b7e447356ade4824db0565f713751a6c0b37cc560269ced9cc6176e1d1fdd24
Smoke Loader
ce1a457a5bd8763fde41a27081d5a885b66aca31b123ee42885e29bc8cfdbda5
Smoke Loader
d6206c05051cd22da3912b1d30df468f0c0571b4b34a8fe2c912f82ff05a8e6a
Smoke Loader
e11501c9e16a2f69751da6f5d8d2e5ff3023eea48baf5008a197e20a2ffd66be
Smoke Loader
e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac
Smoke Loader
+ 1'355 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader backdoor evasion infostealer themida trojan
Link:
https://tria.ge/reports/210803-frfg9969vj/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Unpacked files
SH256 hash:
724edd23fc07029a4d4c38196bbacb5af4fc7cfcb631b488a3f49da832abedf3
MD5 hash:
8e1422260456bdc7b82459c4223a2ebd
SHA1 hash:
7fa4df5b7be34d32641a70c321228d4d4e77f918
Link:
https://www.unpac.me/results/1d8611c4-19bc-4def-9307-7f1095c0281e/
SH256 hash:
0cd327d648018f31e5a411a72c839b8b74bb188488a32ddf7289990ae516fa7d
MD5 hash:
7b45ecfd38a20fdfdeaf3fe062e11a47
SHA1 hash:
6ec6c203d1fed2cf6a2e3f56c1eed019cc5dcf9c
Link:
https://www.unpac.me/results/1d8611c4-19bc-4def-9307-7f1095c0281e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0cd327d64801/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0cd327d648018f31e5a411a72c839b8b74bb188488a32ddf7289990ae516fa7d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 0cd327d648018f31e5a411a72c839b8b74bb188488a32ddf7289990ae516fa7d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1502814/
Cape
Cape
https://www.capesandbox.com/analysis/176125/

Comments


Avatar
zbet commented on 2021-08-03 16:08:41 UTC

url : hxxp://2freeprivacytoolsforyou.xyz/downloads/toolspab1.exe