MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 146d3fce49ad11628f5cc44bd1b018982c04f610e55a4a9d0ed7c1fede7c6ffd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 146d3fce49ad11628f5cc44bd1b018982c04f610e55a4a9d0ed7c1fede7c6ffd
SHA3-384 hash: be7eb4eb5ae03007030cb92e40648c15cb6fb0dffb504e467c04bab3e2392b9a69bc75fa31d26825032582ef6812c47b
SHA1 hash: 04179f1d6479ab57c108b53c6ca6412f05f65f65
MD5 hash: 01301ddcbe63fb91b46266811d40119a
humanhash: carbon-rugby-oranges-summer
File name:i864x__setup__621e87182cb9a.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:7'722'080 bytes
First seen:2022-03-01 21:11:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JI57+942P3MnStZag4LNfIuf/MysZb5P4rEUEdWgEIRAdhUgPP1iPt7qoDq/Ka8L:JI57C6SegeJIufcRdJHALPg3Dqf8chu7
Threatray 6'201 similar samples on MalwareBazaar
TLSH T1277633284EB5DEEDECA2E335A7118F637FBA10170906EB4586E855DC5D5B0A3330E878
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adm1n_usa32
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
i864x__setup__621e87182cb9a.exe
Verdict:
Malicious activity
Analysis date:
2022-03-01 21:09:02 UTC
Tags:
trojan rat redline loader evasion stealer phishing
Link:
https://app.any.run/tasks/3e985728-7795-4369-a498-2e11f7723dde

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector03
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246029/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Tiny-9901377-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7806/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys control.exe manuscrypt overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/621e8c28b94fb38cb431dc0f/reports/9c8a6aa0-5965-4e8a-9e8b-ba9c6955d7b4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30236901-aa2b-456c-acd7-1953b6cc489f
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/948641
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 581118 Sample: i864x__setup__621e87182cb9a.exe Startdate: 01/03/2022 Architecture: WINDOWS Score: 100 55 185.18.52.211 WORLDSTREAMNL Spain 2->55 57 ip-api.com 208.95.112.1, 49759, 80 TUT-ASUS United States 2->57 59 8 other IPs or domains 2->59 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 20 other signatures 2->75 10 i864x__setup__621e87182cb9a.exe 10 2->10         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->45 dropped 13 setup_installer.exe 22 10->13         started        process6 file7 47 C:\Users\user\AppData\...\setup_install.exe, PE32 13->47 dropped 49 C:\Users\...\621e87100b52d_Tue2006ed9dd.exe, PE32 13->49 dropped 51 C:\...\621e870faf034_Tue206d570f6248.exe, PE32 13->51 dropped 53 17 other files (11 malicious) 13->53 dropped 16 setup_install.exe 1 13->16         started        process8 signatures9 67 Adds a directory exclusion to Windows Defender 16->67 19 cmd.exe 16->19         started        21 cmd.exe 1 16->21         started        23 cmd.exe 1 16->23         started        25 5 other processes 16->25 process10 signatures11 28 621e86fda0047_Tue20e32a8c7.exe 19->28         started        32 621e86fa5e9ad_Tue20fcf00de0.exe 1 21->32         started        34 621e86fb2599e_Tue2028eb4e.exe 14 4 23->34         started        77 Adds a directory exclusion to Windows Defender 25->77 79 Disables Windows Defender (via service or powershell) 25->79 37 621e86fbd68b3_Tue20a2b0ae5e15.exe 25->37         started        39 621e86fe688e2_Tue20d0a138057.exe 25->39         started        41 powershell.exe 26 25->41         started        process12 dnsIp13 61 iplogger.org 148.251.234.83, 443, 49760 HETZNER-ASDE Germany 28->61 63 www.icodeps.com 149.28.253.196, 443, 49758 AS-CHOOPAUS United States 28->63 81 Antivirus detection for dropped file 28->81 83 Multi AV Scanner detection for dropped file 28->83 85 May check the online IP address of the machine 28->85 87 Detected unpacking (changes PE section rights) 32->87 89 Machine Learning detection for dropped file 32->89 91 Disables Windows Defender (via service or powershell) 32->91 65 onenew-cloudapps.com 188.114.96.7, 49763, 80 CLOUDFLARENETUS European Union 34->65 43 dd51355f-e3d7-41cb-87fb-9a0a338b4e33.exe, PE32 34->43 dropped file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/146d3fce49ad11628f5cc44bd1b018982c04f610e55a4a9d0ed7c1fede7c6ffd/
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 21:13:33 UTC
File Type:
PE (Exe)
Extracted files:
444
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crwt7tsjvuiwfd24yrf5dmaytawaj5qq4vnevhio27a75xt4n76q._file
Verdict:
malicious
Similar samples:
00b5c410d204d6a92f6636e23998777d2716e8928f96b56826b093c9177afaae
Smoke Loader
190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5
Smoke Loader
1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d
Smoke Loader
1e769ecd87928bf1e50a23f6e159c7326a1c6724f66e53d0f3d920784bb15257
Smoke Loader
7ba745d20db94b41924bd88906cbc2e813c95c586232b5659ad0679a3cac2813
Smoke Loader
c5061cf2961513f91ee1b2c0f50bf8a11928ac068b02ba825b3b0410de507224
Smoke Loader
d23c6e45bb29e2aba8b63bcd30e7aa86b5069d26c4e4441c1224a524a90fc67a
Smoke Loader
+ 6'191 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:onlylogger family:redline family:smokeloader family:socelars botnet:alltop botnet:media60602 botnet:vnew2 aspackv2 backdoor discovery infostealer loader persistence spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220301-z16tlsdbej/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/
http://host-data-coin-11.com/
http://file-coin-host-12.com/
116.203.252.195:11112
92.255.57.154:11841
deyneyab.xyz:80
Unpacked files
SH256 hash:
7a974583f5389aee9210e60865f1a96975ff921ba09e6e7728fc1df1271ce447
MD5 hash:
5cdc2fda0c9829db1d2f19f86cd6d613
SHA1 hash:
39a1325b16001a1028633a4783c7cd4e4abafefa
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash:
83b531c1515044f8241cd9627fbfbe86
SHA1 hash:
d2f7096e18531abb963fc9af7ecc543641570ac8
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
Parent samples :
fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SH256 hash:
e16f68152fa7be7dd8aff55aeff59ddeae48b4b95e3d3ba33016f65e632a6706
MD5 hash:
a8e7034f8220f722f4aca2edcc9c42eb
SHA1 hash:
656d7d88fffd3820deb1741564807990c3851114
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
e718a2f50e72d94ee2c9455603d98f67e7705aefc283351c182b5e503d59f6d8
MD5 hash:
5264c8567cf762e7cd37971a88b28a45
SHA1 hash:
ffd23a453665086713bbeccf0029c5b026d4c47e
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
22d70fd2684427ae9886c5337dd16222469f468ae4e6f1315ab809635f68dd49
MD5 hash:
b17ca1f4cd99de707e6c5104c2ae1dd3
SHA1 hash:
e156b60450ee1efa9761a68fd0eeb7b54df71ec1
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
6e418814af628d4bcf972d639feadc2f83f5fa77f6ad4e1f79e8e9e809dee339
MD5 hash:
e589cdedae8fe007012485b28d56c1d7
SHA1 hash:
8a5776ac651ff845bf360dc98f9efc5964f52878
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
d2afb86ffba3344344ac111c199d873674a6c2b03d337b02e0e02a377c4bb1fa
MD5 hash:
e26921ebf5345fc263f29c8b995ea140
SHA1 hash:
303b3d925f8f9d66a9e7853d6ee5487a90cabceb
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
abca3ef4971ea9cf196e429902da91fb3f0db2b502ed8dbe33bee639bb4d0b2c
MD5 hash:
e63b0af4990bdfb854b09570164175e1
SHA1 hash:
2363fd653143e88f92e8bc388d7cc5ed28e66ac2
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
d415be37ed5b52be4550cc30184db8e342150cb562ad358bf3b3b2537cfe6f57
MD5 hash:
3ea61e8e41bd6094b906172cb3172e18
SHA1 hash:
073f023d47a1b070c614e999a23d70e37b7ba522
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
7cb44671c2b4bb56f99cde175d969c903a58bbf06104e8ad456419761f264821
MD5 hash:
b653343e5c701720bb92ed19abef4f81
SHA1 hash:
968602dd34add2a908cb07b382438c9e5c131d16
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash:
4f93004835598b36011104e6f25dbdba
SHA1 hash:
6cb45092356c54f68d26f959e4a05ce80ef28483
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
1423f1ab92ba581fb49fc299213df0fc6d7f29f13d6ee96b2188d4fde28e6223
MD5 hash:
0e9a538590759e50af37279d11af7f60
SHA1 hash:
3a5dd1fadb5143b9ed9daedce957b622aa60087b
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
ead50bdc9895a83615c53af3d920f12b5b536db4bca084e0df6e1d6c6fa67e86
MD5 hash:
b384c508bd8554910b1f560b66fbafc8
SHA1 hash:
2675b40f782bb671f78783bcc0d1b5f89f8a3c4b
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
29f3b34e4db08241bb75c78de4b344d91ee47eaefab2a4fcd57b82aa15d84deb
MD5 hash:
5741c1aea19d2ce7c01fd58fd431644f
SHA1 hash:
b51a6b915945d637bfc0255efa9ed68467642925
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
606a487d049566f010db2fbd263b1be46a0a003ed68276929229fcb819a148ff
MD5 hash:
a10b397b15dc38a6872c56196dc7932d
SHA1 hash:
7fa0e7308a33f292ba9059dbc97b33b4d582bf82
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
889f081103890dbc7db20120976e31ed240dfc5db05fdf7a3f5472754322d0bb
MD5 hash:
716aa6d5be568e7199e1a55a40e76f65
SHA1 hash:
5e58953871966538d9920177f2a34402b257dd8a
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
6143802928785ac160f05b138ec73a0f2d17e357d91ae78106c8656b3f206008
MD5 hash:
319c2b6020cc876db87fc3b2c45906e8
SHA1 hash:
78364ff671f038949e1e103acee6fb787efa3ab3
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
ae020425996cfc7e70671caeed020d70ae0ed3241147f90e13c466056a7898f1
MD5 hash:
aed762f71c6f0fd029cb772df673ac2b
SHA1 hash:
efdb104c03acf82ec82d822c678afa0a1d763da7
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
SH256 hash:
146d3fce49ad11628f5cc44bd1b018982c04f610e55a4a9d0ed7c1fede7c6ffd
MD5 hash:
01301ddcbe63fb91b46266811d40119a
SHA1 hash:
04179f1d6479ab57c108b53c6ca6412f05f65f65
Link:
https://www.unpac.me/results/719470e0-64f8-4c57-b68b-e3eef33f33d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/146d3fce49ad11628f5cc44bd1b018982c04f610e55a4a9d0ed7c1fede7c6ffd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 146d3fce49ad11628f5cc44bd1b018982c04f610e55a4a9d0ed7c1fede7c6ffd

(this sample)

anyrun
any.run
https://app.any.run/tasks/3e985728-7795-4369-a498-2e11f7723dde
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246029/

Comments