MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17bb183c9e8f262c2bd91228e788f4613279c795573b558c3981501ee02811ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17bb183c9e8f262c2bd91228e788f4613279c795573b558c3981501ee02811ba
SHA3-384 hash: 8d4cf797121db18a2c23b85bd106a6863a7cd80f10a1372a79db3c9bd29f659458482d10ee2f8a48f497b736b9a18a57
SHA1 hash: 7d43f8a6c25934e4299316ad7c9c8e8ce61416e3
MD5 hash: 537ad79dd97c59fcd1df5d8a26256192
humanhash: moon-delta-paris-muppet
File name:537ad79dd97c59fcd1df5d8a26256192.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:349'184 bytes
First seen:2021-10-29 18:41:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8554f137e95e1371295faad9355adee2 (5 x RaccoonStealer, 1 x Smoke Loader, 1 x AZORult)
ssdeep 6144:KsJKwfGUwb7+K6jGYVG+tYuibQCMe/SEEt:K6bte7P6jGYV/tYuiP/S
Threatray 5'306 similar samples on MalwareBazaar
TLSH T1DF748C10A7A1C435F5F252F849BAA36AB93F79B16B3890CF12D516EE46746E0EC30317
File icon (PE):PE icon
dhash icon b2dacaaecee6baa6 (23 x RedLineStealer, 22 x Stop, 13 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Malware overload installer.bin
Verdict:
Malicious activity
Analysis date:
2021-10-29 08:31:06 UTC
Tags:
trojan rat redline evasion opendir loader stealer vidar formbook raccoon
Link:
https://app.any.run/tasks/9f18c8e4-4870-4f70-93e4-8dce8dc86eca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.27942.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7abce107-37f5-4781-8f20-02fd9e5decd9
Result
Threat name:
Amadey Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879543
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL reload attack detected
Early bird code injection technique detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511974 Sample: F7E3DjYJpC.exe Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 81 api.2ip.ua 2->81 105 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->105 107 Antivirus detection for URL or domain 2->107 109 Antivirus detection for dropped file 2->109 111 12 other signatures 2->111 11 F7E3DjYJpC.exe 2->11         started        13 iwbavbe 2->13         started        15 iwbavbe 2->15         started        signatures3 process4 signatures5 18 F7E3DjYJpC.exe 11->18         started        21 iwbavbe 13->21         started        121 Machine Learning detection for dropped file 15->121 23 iwbavbe 15->23         started        process6 signatures7 97 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->97 99 Maps a DLL or memory area into another process 18->99 101 Checks if the current machine is a virtual machine (disk enumeration) 18->101 103 Creates a thread in another existing process (thread injection) 18->103 25 explorer.exe 14 18->25 injected process8 dnsIp9 91 216.128.137.31, 80 AS-CHOOPAUS United States 25->91 93 sysaheu90.top 185.98.87.159, 49764, 49765, 49766 VM-HOSTINGRU Russian Federation 25->93 95 6 other IPs or domains 25->95 65 C:\Users\user\AppData\Roaming\ssbavbe, PE32 25->65 dropped 67 C:\Users\user\AppData\Roaming\iwbavbe, PE32 25->67 dropped 69 C:\Users\user\AppData\Roaming\abbavbe, PE32 25->69 dropped 71 14 other files (13 malicious) 25->71 dropped 113 System process connects to network (likely due to code injection or exploit) 25->113 115 Benign windows process drops PE files 25->115 117 Deletes itself after installation 25->117 119 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->119 30 20BD.exe 1 25->30         started        34 69B.exe 21 6 25->34         started        37 46D6.exe 25->37         started        39 7 other processes 25->39 file10 signatures11 process12 dnsIp13 73 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 30->73 dropped 123 Multi AV Scanner detection for dropped file 30->123 125 DLL reload attack detected 30->125 127 Detected unpacking (changes PE section rights) 30->127 143 2 other signatures 30->143 83 cdn.discordapp.com 162.159.130.233, 443, 49800, 49804 CLOUDFLARENETUS United States 34->83 75 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 34->75 dropped 129 Machine Learning detection for dropped file 34->129 131 Writes to foreign memory regions 34->131 133 Allocates memory in foreign processes 34->133 145 3 other signatures 34->145 41 AdvancedRun.exe 34->41         started        43 powershell.exe 34->43         started        45 aspnet_regbrowsers.exe 34->45         started        147 3 other signatures 37->147 85 91.219.236.97, 49865, 80 SERVERASTRA-ASHU Hungary 39->85 87 162.159.129.233, 443, 49841, 49856 CLOUDFLARENETUS United States 39->87 89 2 other IPs or domains 39->89 77 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 39->77 dropped 79 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 39->79 dropped 135 Antivirus detection for dropped file 39->135 137 Early bird code injection technique detected 39->137 139 Tries to harvest and steal browser information (history, passwords, etc) 39->139 141 Queues an APC in another process (thread injection) 39->141 47 9A4B.exe 39->47         started        50 31F4.exe 39->50         started        53 AdvancedRun.exe 39->53         started        55 2 other processes 39->55 file14 signatures15 process16 file17 57 AdvancedRun.exe 41->57         started        59 conhost.exe 43->59         started        149 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 47->149 151 Maps a DLL or memory area into another process 47->151 153 Checks if the current machine is a virtual machine (disk enumeration) 47->153 155 Creates a thread in another existing process (thread injection) 47->155 63 C:\Users\user\AppData\Local\...\sqtvvs.exe, PE32 50->63 dropped 61 AdvancedRun.exe 53->61         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17bb183c9e8f262c2bd91228e788f4613279c795573b558c3981501ee02811ba/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 18:42:07 UTC
AV detection:
24 of 44 (54.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c65rqpe6r4tcyk6zciuopchumezhtr4vk45vldbzqfib5ybicg5a._file
Verdict:
malicious
Similar samples:
58cac1dad224e9c26dd2017c25b184c7e688ae127310ba2f10b1fd2e1b6c3fa3
Smoke Loader
7ccbf3b294594e8217e4ca62fae730624db9a300e388f3215570154cd00617dd
Smoke Loader
9efdd1358f8d37219f5a6b36ef82d03fa5612c5e54c72cd1507c7c2bcf71e2af
Smoke Loader
aed2ef2307581edfdc8ebb2342ff7b10e383a91b17512dcb4a2f49d1344af27d
Smoke Loader
dd3b7c750d4debae8a008400189657be324b956b23bcc781392b3b8548fe9ef8
Smoke Loader
+ 5'296 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:raccoon family:redline family:smokeloader family:vidar botnet:517 botnet:68e2d75238f7c69859792d206401b6bde2b2515c botnet:706 botnet:936 botnet:999888988 botnet:z0rm1on agilenet backdoor collection discovery evasion infostealer persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/211029-xccjradhd4/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Modifies file permissions
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Amadey
Detected Djvu ransomware
Djvu Ransomware
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://193.56.146.214/
https://193.56.146.214/
93.115.20.139:28978
185.215.113.45/g4MbvE/index.php
https://mas.to/@lilocc
185.215.113.94:15564
https://mas.to/@xeroxxx
http://rlrz.org/lancer
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/a26d6b3a-3ba7-46af-90ad-8ec7cfa856e4/
SH256 hash:
17bb183c9e8f262c2bd91228e788f4613279c795573b558c3981501ee02811ba
MD5 hash:
537ad79dd97c59fcd1df5d8a26256192
SHA1 hash:
7d43f8a6c25934e4299316ad7c9c8e8ce61416e3
Link:
https://www.unpac.me/results/a26d6b3a-3ba7-46af-90ad-8ec7cfa856e4/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/17bb183c9e8f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17bb183c9e8f262c2bd91228e788f4613279c795573b558c3981501ee02811ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 17bb183c9e8f262c2bd91228e788f4613279c795573b558c3981501ee02811ba

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download

Comments