MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fe70947f77741fac09da7aa80e82896d92bc08450b4fc029c04c5e803bf3259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fe70947f77741fac09da7aa80e82896d92bc08450b4fc029c04c5e803bf3259
SHA3-384 hash: 33a28cd7809d49ec61027c0ff2fa36ce76a2bed1047f7b9d3b952a5503b33fc8a84fa6d006dca640dfe7d74d637d958a
SHA1 hash: c175728d6211ddefdf7a0f38f8ebaa9e60c4ecd1
MD5 hash: a78a3de06f7544da1d902d6891ce3b63
humanhash: nitrogen-massachusetts-paris-illinois
File name:SecuriteInfo.com.W32.AIDetect.malware1.12122.19128
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:218'112 bytes
First seen:2021-07-23 21:43:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d09a478840961ad890ac4dc4d59be69d (10 x Smoke Loader, 4 x RaccoonStealer, 2 x RedLineStealer)
ssdeep 3072:Jfmi7E3ADCzJFkWjRW+I0iLq8zp70BPuxaWC8C:BrQ3ADwCl/LLlOBPAn
Threatray 3'629 similar samples on MalwareBazaar
TLSH T18824BE11FAB0C872C0A50A7054EAC6A0272DFC61BA64DD47765B3B6F2F313D2667921F
dhash icon 48b9b2b0e8c38c90 (6 x Smoke Loader, 5 x RedLineStealer, 3 x CryptBot)
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Data_v2.zip
Verdict:
Malicious activity
Analysis date:
2021-07-23 19:18:08 UTC
Tags:
evasion stealer loader
Link:
https://app.any.run/tasks/9b9a516f-0e08-49e9-822a-fd09b6ff1f95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173781/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.12122.19128.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0b780b9-fde5-41bc-8f32-36e1a602b42f
Result
Threat name:
Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821084
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453495 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 85 cdn.discordapp.com 2->85 87 api.ip.sb 2->87 123 Multi AV Scanner detection for domain / URL 2->123 125 Multi AV Scanner detection for submitted file 2->125 127 Yara detected SmokeLoader 2->127 129 12 other signatures 2->129 11 SecuriteInfo.com.W32.AIDetect.malware1.12122.exe 2->11         started        14 fbeuuub 2->14         started        signatures3 process4 signatures5 151 Detected unpacking (changes PE section rights) 11->151 16 SecuriteInfo.com.W32.AIDetect.malware1.12122.exe 11->16         started        19 fbeuuub 14->19         started        process6 signatures7 115 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->115 117 Maps a DLL or memory area into another process 16->117 119 Checks if the current machine is a virtual machine (disk enumeration) 16->119 21 explorer.exe 21 16->21 injected 121 Creates a thread in another existing process (thread injection) 19->121 process8 dnsIp9 89 readinglistforjuly9.xyz 21->89 91 readinglistforjuly8.xyz 21->91 93 11 other IPs or domains 21->93 59 C:\Users\user\AppData\Roaming\fbeuuub, PE32 21->59 dropped 61 C:\Users\user\AppData\Local\Temp4FB.exe, PE32 21->61 dropped 63 C:\Users\user\AppData\Local\Temp\9B95.exe, PE32 21->63 dropped 65 8 other files (5 malicious) 21->65 dropped 131 System process connects to network (likely due to code injection or exploit) 21->131 133 Benign windows process drops PE files 21->133 135 Performs DNS queries to domains with low reputation 21->135 139 4 other signatures 21->139 26 91CF.exe 80 21->26         started        31 8E44.exe 88 21->31         started        33 E4FB.exe 21->33         started        35 14 other processes 21->35 file10 137 Tries to resolve many domain names, but no domain seems valid 91->137 signatures11 process12 dnsIp13 101 telete.in 26->101 103 185.234.247.50, 49722, 80 INTERKONEKT-ASPL Russian Federation 26->103 105 telete.in 195.201.225.248, 443, 49721 HETZNER-ASDE Germany 26->105 67 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 26->67 dropped 69 C:\Users\user\AppData\...\vcruntime140.dll, PE32 26->69 dropped 81 57 other files (none is malicious) 26->81 dropped 153 Detected unpacking (changes PE section rights) 26->153 155 Detected unpacking (overwrites its own PE header) 26->155 157 Tries to steal Mail credentials (via file access) 26->157 159 Contains functionality to steal Internet Explorer form passwords 26->159 107 116.202.183.50, 49724, 80 HETZNER-ASDE Germany 31->107 109 shpak125.tumblr.com 74.114.154.18, 443, 49723 AUTOMATTICUS Canada 31->109 71 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 31->71 dropped 73 C:\Users\user\AppData\...\softokn3[1].dll, PE32 31->73 dropped 75 C:\Users\user\AppData\...\freebl3[1].dll, PE32 31->75 dropped 83 9 other files (none is malicious) 31->83 dropped 161 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->161 163 Tries to harvest and steal browser information (history, passwords, etc) 31->163 165 Tries to steal Crypto Currency Wallets 31->165 37 cmd.exe 31->37         started        111 193.56.146.22, 47861, 49745 LVLT-10753US unknown 33->111 167 Query firmware table information (likely to detect VMs) 33->167 169 Tries to detect sandboxes and other dynamic analysis tools (window names) 33->169 177 2 other signatures 33->177 39 conhost.exe 33->39         started        113 readinglistforjuly10.xyz 35->113 77 C:\Users\user\AppData\Local\Temp\Hyphal.exe, PE32 35->77 dropped 79 C:\Users\user\AppData\Local\Temp\555.exe, PE32 35->79 dropped 171 System process connects to network (likely due to code injection or exploit) 35->171 173 Performs DNS queries to domains with low reputation 35->173 41 555.exe 35->41         started        45 8838.exe 35->45         started        47 Hyphal.exe 35->47         started        49 3 other processes 35->49 file14 175 Tries to resolve many domain names, but no domain seems valid 101->175 signatures15 process16 dnsIp17 51 conhost.exe 37->51         started        53 taskkill.exe 37->53         started        95 xaiandaran.xyz 212.224.105.106, 49743, 80 DE-FIRSTCOLOwwwfirst-colonetDE Germany 41->95 141 Detected unpacking (changes PE section rights) 41->141 143 Detected unpacking (overwrites its own PE header) 41->143 145 Performs DNS queries to domains with low reputation 41->145 55 conhost.exe 41->55         started        97 45.32.235.238, 45555, 49738, 49755 AS-CHOOPAUS United States 45->97 99 api.ip.sb 45->99 147 Tries to steal Crypto Currency Wallets 45->147 149 Sample uses process hollowing technique 47->149 57 conhost.exe 47->57         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fe70947f77741fac09da7aa80e82896d92bc08450b4fc029c04c5e803bf3259/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 19:44:16 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7tqsr7xo5a7vqe5u6vib2bis3msxqeekc2pyau4atc6qa57gjmq._file
Verdict:
suspicious
Similar samples:
201f2b8cd0d15399da2d0b98ff9b7d50d515deeea3f9435062b4b0a4548b0082
Smoke Loader
29ccf6b2c0b229845df6086bd26c33cb3da426d34344aaaedde7f5d7703c1598
Smoke Loader
8567ac320d50d1a5ea18ffe81f2d4e9a7255e3df0ac69fd98df890108586f60f
Smoke Loader
948bae9510601455f2ba50d694a6561bf2e85071b86161a0186672616ae17a77
Smoke Loader
a0b246bae327f318bf41f1920cffadfab1ee2e49625b6b360a7c999c55053ee6
Smoke Loader
b5f6dd8ed8b59d1928f750db19e5c04d74892c9890eeff8d9805ef2f7152411e
Smoke Loader
dd916ca374eb31b71376b4ff95b4763bc625787d6dce73331893eb47df94c9f5
Smoke Loader
fa1409fe184c11483708f197504246fb15ae88942e1b18a9266e0d0f4dca8290
Smoke Loader
fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2
Smoke Loader
fc5f8356ee7ba0be1f0f4c24ac4944481759352d665bbc1208295d39cd3da30f
Smoke Loader
+ 3'619 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:123123123 botnet:408 botnet:444 botnet:555 botnet:aggre botnet:newinstallshop backdoor discovery evasion infostealer spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210723-l3sqb53jgs/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
https://shpak125.tumblr.com/
45.32.235.238:45555
xaiandaran.xyz:80
135.148.139.222:33569
37.46.128.40:2787
Unpacked files
SH256 hash:
d065c8a41c2287cb3ed4fd55a1a76c13995937723c7b44cf6d4763a15dea89c1
MD5 hash:
3c9f95cbbd5f3e4ee70435e06de00ddf
SHA1 hash:
7dee35214654080e76fc275eedd5c2d7b1e1453d
Link:
https://www.unpac.me/results/bcdefd99-e381-4b76-824c-1d087af7b273/
SH256 hash:
0fe70947f77741fac09da7aa80e82896d92bc08450b4fc029c04c5e803bf3259
MD5 hash:
a78a3de06f7544da1d902d6891ce3b63
SHA1 hash:
c175728d6211ddefdf7a0f38f8ebaa9e60c4ecd1
Link:
https://www.unpac.me/results/bcdefd99-e381-4b76-824c-1d087af7b273/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fe70947f77741fac09da7aa80e82896d92bc08450b4fc029c04c5e803bf3259

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 0fe70947f77741fac09da7aa80e82896d92bc08450b4fc029c04c5e803bf3259

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1476557/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173781/

Comments