MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fffb7b4db61e8b90788aa5d0a8385433f8c361f4729c8e463d180712ce05fe1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 15

SHA256 hash: 1fffb7b4db61e8b90788aa5d0a8385433f8c361f4729c8e463d180712ce05fe1
SHA3-384 hash: baeb791bea0e51fadb8c670bb0cbbf4f23f9b122ebb6d87911f990830e225ec48a73074dd3862df249976c135feffdbb
SHA1 hash: e3ea3322039b61c7040d8fb68a008507665e3abe
MD5 hash: bbd46196e4c45fc02073b3b0fb984807
humanhash: arizona-earth-table-delaware
File name: file
Signature: Smoke Loader
File size: 1'071'104 bytes
First seen: 2023-10-16 13:31:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:Py5ruHyEPdmf8StS17TJiFH81sp9F24d1N0QLSBcv:a5rsUf8Eq7ToHs4d16Qum
TLSH T14A352316AAE56172D9612BB098FB0593153A3D939C30873B1741FA270CB3EC9AC72777
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe Smoke Loader


andretavare5
Sample downloaded from http://77.91.68.249/navi/kur90.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 302
Origin country: US
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Sending a custom TCP request
Creating a file
Launching a process
Creating synchronization primitives
Creating a window
Running batch commands
Searching for synchronization primitives
Blocking the Windows Defender launch
Disabling the operating system update service
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Verdict:
Malicious
Result
Threat name:
Amadey, Babadeda, RedLine, SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 1326508
Sample: file.exe
Start date: 16/10/2023
Architecture: WINDOWS
Score: 100
Top-level network: youtube-ui.l.google.com; www.youtube.com; 6 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures
Process tree (indentation shows parent/child; "injected" marks a process entered by code injection rather than started; "dropped" lists PE32 files written by that process; "network" lists IP, ports, AS and country as reported):
file.exe
    dropped: C:\Users\user\AppData\Local\...\gf1Xg94.exe; C:\Users\user\AppData\Local\...\5ID5fP8.exe
    gf1Xg94.exe
        dropped: C:\Users\user\AppData\Local\...\Vw2ZQ93.exe; C:\Users\user\AppData\Local\...\4gj066dp.exe
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
        Vw2ZQ93.exe
            dropped: C:\Users\user\AppData\Local\...\wR1Gx06.exe; C:\Users\user\AppData\Local\...\3cL21JD.exe
            signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
            3cL21JD.exe
                signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                AppLaunch.exe
                    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
                    explorer.exe (injected)
                        network: 5.42.65.80 (ports 49766, 80; RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 77.91.68.29 (ports 49704, 49744, 80; FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 3 other IPs or domains
                        dropped: C:\Users\user\AppData\Local\Temp\F5E7.exe; C:\Users\user\AppData\Local\Temp\F26C.exe; C:\Users\user\AppData\Local\Temp\AEA.exe; 9 other files (8 malicious)
                        signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
                        F26C.exe
                            dropped: C:\Users\user\AppData\Local\...\Lm8TP3JO.exe; C:\Users\user\AppData\Local\...\6qr31BN.exe
                            signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                            Lm8TP3JO.exe
                                dropped: C:\Users\user\AppData\Local\...\Dt0IR3Hi.exe; C:\Users\user\AppData\Local\...\5rM46Qk.exe
                                signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                                Dt0IR3Hi.exe
                                    dropped: C:\Users\user\AppData\Local\...\Kn4SH4by.exe; C:\Users\user\AppData\Local\...\4lb649aR.exe
                                    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                                    Kn4SH4by.exe
                                        dropped: C:\Users\user\AppData\Local\...\DS4ch6Fi.exe; C:\Users\user\AppData\Local\...\3Yr9jg62.exe
                                        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                        98.exe
                            signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                            AppLaunch.exe
                                signatures: Tries to harvest and steal browser information (history, passwords, etc)
                        F5E7.exe
                            AppLaunch.exe
                        2 other processes
                            chrome.exe
                                network: 192.168.2.7 (ports 19071, 37515, 37637; unknown); 239.255.255.250 (Reserved)
                                chrome.exe
                                    network: www.google.com 142.250.72.132 (ports 443, 49738; GOOGLEUS, United States); clients.l.google.com 142.250.72.142 (ports 443, 49713; GOOGLEUS, United States); 7 other IPs or domains
                            chrome.exe
                                chrome.exe
                            conhost.exe
            wR1Gx06.exe
                dropped: C:\Users\user\AppData\Local\...\2Pv1295.exe; C:\Users\user\AppData\Local\...\1cg56NG2.exe
                signatures: Antivirus detection for dropped file
                2Pv1295.exe
                    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                    AppLaunch.exe
                        network: 5.42.92.88 (ports 49701, 49708, 80; RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
                        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                1cg56NG2.exe
                    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
        4gj066dp.exe
            signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
            AppLaunch.exe
                network: 77.91.124.55 (ports 19071, 49703, 49709; ECOTEL-ASRU, Russian Federation)
                signatures: Found many strings related to Crypto-Wallets (likely being stolen)
rundll32.exe
hgwduga
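The graph reads as one chain: a dropped loader starts AppLaunch.exe, AppLaunch.exe injects into explorer.exe, and the injected explorer.exe then writes further PE files into %TEMP% and talks to the C2 addresses. The Python below is an added example for this page, not MalwareBazaar or sandbox-vendor code. It rebuilds that chain from constructed Sysmon-style events (ProcessCreate, CreateRemoteThread, FileCreate, NetworkConnect) and raises the same three findings the sandbox attached to explorer.exe: remote thread into a system process, system process drops PE files, injected system process connects to the network. The pids, the drop paths and the SYSTEM_IMAGES allowlist are assumptions made for the demo.

```python
"""Rebuild the process/injection chain the behaviour graph above shows
(dropped EXE -> AppLaunch.exe -> injected explorer.exe -> more drops and C2)
from Sysmon-style events, and raise the same findings the sandbox raised.
Added example for this page; not MalwareBazaar or sandbox-vendor code.
The events are constructed to mirror the graph; the drop paths are
placeholders because the entry elides the real directories."""
from __future__ import annotations
import ntpath
from dataclasses import dataclass

# Sysmon event IDs used: 1 ProcessCreate, 3 NetworkConnect,
# 8 CreateRemoteThread, 11 FileCreate.
TEMP = r"C:\Users\user\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
EVENTS = [
    (1,  {"pid": 200, "ppid": 2,   "image": r"C:\Windows\explorer.exe"}),
    (1,  {"pid": 100, "ppid": 200, "image": r"C:\Users\user\Desktop\file.exe"}),
    (11, {"pid": 100, "target": TEMP + r"\gf1Xg94.exe"}),
    (11, {"pid": 100, "target": TEMP + r"\notes.txt"}),        # non-PE write: no finding
    (1,  {"pid": 101, "ppid": 100, "image": TEMP + r"\gf1Xg94.exe"}),
    (11, {"pid": 101, "target": TEMP + r"\3cL21JD.exe"}),
    (1,  {"pid": 102, "ppid": 101, "image": TEMP + r"\3cL21JD.exe"}),
    (1,  {"pid": 103, "ppid": 102, "image": NET + r"\AppLaunch.exe"}),
    (8,  {"pid": 103, "target_pid": 200}),                      # AppLaunch.exe -> explorer.exe
    (3,  {"pid": 200, "dst": "77.91.68.29", "dport": 80}),      # C2 from the injected explorer.exe
    (11, {"pid": 200, "target": TEMP + r"\F26C.exe"}),
    (1,  {"pid": 201, "ppid": 200, "image": TEMP + r"\F26C.exe"}),
    (1,  {"pid": 300, "ppid": 200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"}),
    (3,  {"pid": 300, "dst": "142.250.72.132", "dport": 443}),  # normal browser traffic: no finding
]

# Processes that should not drop PEs or talk to the network on a workstation
# unless something was injected into them (simplified allowlist for the demo).
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "services.exe", "winlogon.exe", "lsass.exe"}
PE_SUFFIXES = (".exe", ".dll", ".cpl", ".scr")


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    injected_by: int | None = None   # pid that created a remote thread in us

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def analyse(events):
    """Return (process table, findings). Each finding is (rule, pid, detail)."""
    procs: dict[int, Proc] = {}
    dropped: set[str] = set()                 # lower-cased paths written so far
    findings: list[tuple[str, int, str]] = []
    for eid, f in events:
        pid = f["pid"]
        if eid == 1:
            p = procs[pid] = Proc(pid, f["ppid"], f["image"])
            if p.image.lower() in dropped:    # "creating a process from a recently created file"
                findings.append(("process_from_dropped_file", pid, p.name))
        elif eid == 11:
            path = f["target"]
            dropped.add(path.lower())
            p = procs.get(pid)
            if p and p.name in SYSTEM_IMAGES and path.lower().endswith(PE_SUFFIXES):
                rule = "injected_system_process_drops_pe" if p.injected_by is not None else "system_process_drops_pe"
                findings.append((rule, pid, path))
        elif eid == 8:
            tgt = procs.get(f["target_pid"])
            if tgt and tgt.pid != pid and tgt.name in SYSTEM_IMAGES:
                tgt.injected_by = pid         # from here on, tgt's actions are the injector's
                findings.append(("remote_thread_into_system_process", tgt.pid,
                                 f"{procs[pid].name} -> {tgt.name}"))
        elif eid == 3:
            p = procs.get(pid)
            if p and p.injected_by is not None:
                findings.append(("injected_system_process_network", pid, f"{f['dst']}:{f['dport']}"))
    return procs, findings


def chain(procs, pid):
    """Walk from pid back to the root; at an injected host, follow the
    injector instead of the parent so the chain shows who really acted."""
    out, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        p = procs[pid]
        if p.injected_by is not None:
            out.append(f"{p.name} (injected by pid {p.injected_by})")
            pid = p.injected_by
        else:
            out.append(p.name)
            pid = p.ppid
    return out


if __name__ == "__main__":
    procs, findings = analyse(EVENTS)
    for rule, pid, detail in findings:
        print(f"{rule:36} pid={pid} {detail}")
    print(" <- ".join(chain(procs, 201)))
```

Parent pid alone would make F26C.exe look like a child of a clean explorer.exe; following the injection edge instead (chain()) is what ties the second wave of drops back to file.exe. In production the allowlist should key on image path plus signer rather than file name, since a dropper can name itself explorer.exe.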
Threat name:
Win32.Spyware.RedLine
Status:
Malicious
First seen:
2023-10-16 13:32:08 UTC
File Type:
PE (Exe)
Extracted files:
151
AV detection:
17 of 23 (73.91%)
Threat level:
2/5
Verdict:
malicious
Result
Malware family:
smokeloader
Score:
10/10
Tags:
family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:5141679758_99 botnet:@ytlogsbot botnet:breha botnet:kukish botnet:pixelscloud2.0 backdoor brand:google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
.NET Reactor protector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
DcRat
Detected google phishing page
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Malware Config
C2 Extraction:
77.91.124.55:19071
http://77.91.68.29/fks/
85.209.176.128:80
185.216.70.238:37515
https://pastebin.com/raw/8baCJyMF
Unpacked files
SHA256 hash: 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
MD5 hash: 53e28e07671d832a65fbfe3aa38b6678
SHA1 hash: 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256 hash: 935c1e0c950bf30a3581d9cc8e8c76b415474af263b4fd62104add745c6ebd6b
MD5 hash: 159e819ad3db871c3f2743975ed8c0d9
SHA1 hash: ccc760ffece14208b32d8cdd34c193d4b0df51d6

SHA256 hash: 957fd845e3941fa3294fe6bd5ecab960651a7b445b39a97eb1339e9389c2273c
MD5 hash: b8fc3344e1a44f40c62b8c7bd170d125
SHA1 hash: 011b0c7eb44e2069e7c757bb57b4c060def52611

SHA256 hash: e07746ebbd6ede34d8f17138c57bbc599a695ed21f30374169d511098331c2f1
MD5 hash: e88ac92954f81b958411a2ceb3bf65a0
SHA1 hash: 67f2717b81e1fc98a382a3a9a318daad25b8e2a6

SHA256 hash: 3730263cdb7d6e6a143f5a3e18a0eb2231eb24af6eec3178e2dbba7cdf7ec9f3
MD5 hash: e21266e5e297bc02a7e6dc09022daf68
SHA1 hash: 359383a8f327d648537aa7d075b769e4557fd858

SHA256 hash: 9cc78cc027a70dcbd50fe197b0df8f787d0861c45a330eab716c2710461134a4
MD5 hash: 3da4ac2f9591cd47838a31f2f8d64c7e
SHA1 hash: 6b7304ed2ac2bb421788ae23029c23b97c0b209a

SHA256 hash: 1fffb7b4db61e8b90788aa5d0a8385433f8c361f4729c8e463d180712ce05fe1 (the submitted sample itself)
MD5 hash: bbd46196e4c45fc02073b3b0fb984807
SHA1 hash: e3ea3322039b61c7040d8fb68a008507665e3abe
Please note that we are no longer able to provide a coverage score for Virus Total.
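The file hashes above and the C2 Extraction list are the indicators a defender actually takes from this entry. The Python below is an added example for this page, not MalwareBazaar code. It loads those indicators, hashes arbitrary bytes with the same algorithms the entry lists, and matches constructed proxy and firewall log lines against the C2 list. The pastebin.com entry is treated as a path-level indicator only, because the host itself is a legitimate service (the entry tags this as "Legitimate hosting services abused for malware hosting/C2"). The two log formats, the client address and the bytes hashed in the demo are constructed.

```python
"""Match a file and network log lines against the indicators in this
MalwareBazaar entry. Added example for this page; not MalwareBazaar code.
Hashes and C2 strings are copied from the entry; the file bytes and log
lines used for the demo are constructed."""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# File hashes from the entry: the submitted sample plus the unpacked files.
FILE_IOCS = {
    "sha256": {
        "1fffb7b4db61e8b90788aa5d0a8385433f8c361f4729c8e463d180712ce05fe1",
        "5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e",
        "935c1e0c950bf30a3581d9cc8e8c76b415474af263b4fd62104add745c6ebd6b",
        "957fd845e3941fa3294fe6bd5ecab960651a7b445b39a97eb1339e9389c2273c",
        "e07746ebbd6ede34d8f17138c57bbc599a695ed21f30374169d511098331c2f1",
        "3730263cdb7d6e6a143f5a3e18a0eb2231eb24af6eec3178e2dbba7cdf7ec9f3",
        "9cc78cc027a70dcbd50fe197b0df8f787d0861c45a330eab716c2710461134a4",
    },
    "md5": {"bbd46196e4c45fc02073b3b0fb984807"},
    "sha1": {"e3ea3322039b61c7040d8fb68a008507665e3abe"},
}

# "C2 Extraction" list from the entry, verbatim.
C2_RAW = [
    "77.91.124.55:19071",
    "http://77.91.68.29/fks/",
    "85.209.176.128:80",
    "185.216.70.238:37515",
    "https://pastebin.com/raw/8baCJyMF",
]


def hash_bytes(data: bytes) -> dict:
    """Digests in the algorithms the entry lists."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha3_384")}


def match_file(data: bytes) -> set:
    """Algorithms under which this file's digest appears in the entry."""
    digests = hash_bytes(data)
    return {alg for alg, d in digests.items() if d in FILE_IOCS.get(alg, set())}


def build_network_iocs(raw):
    """Split the C2 list into exact sockets, bare IPs and host+path URLs.
    A host such as pastebin.com is deliberately NOT added to the IP set:
    only the full raw-paste URL is an indicator, the site itself is not."""
    ips, sockets, urls = set(), set(), set()
    for entry in raw:
        if "://" in entry:
            u = urlsplit(entry)
            host = (u.hostname or "").lower()
            urls.add((host, u.path or "/"))
            try:
                ipaddress.ip_address(host)
                ips.add(host)           # an IP-based URL also flags the bare IP
            except ValueError:
                pass
        else:
            host, _, port = entry.rpartition(":")
            ips.add(host)
            sockets.add((host, int(port)))
    return ips, sockets, urls


# Constructed log lines in two simple formats (proxy and firewall).
PROXY = re.compile(r"^(\S+) (\S+) (\w+) (\S+) (\d{3})$")
FIREWALL = re.compile(r"^(\S+) (\S+) -> (\S+) (tcp|udp)/(\d+) \w+$")
SAMPLE_LOG = [
    "2023-10-16T13:35:02Z 10.0.0.21 GET http://77.91.68.29/fks/ 200",
    "2023-10-16T13:35:05Z 10.0.0.21 GET https://pastebin.com/raw/8baCJyMF 200",
    "2023-10-16T13:35:09Z 10.0.0.21 GET https://pastebin.com/raw/someOtherPaste 200",
    "2023-10-16T13:36:11Z 10.0.0.21 -> 77.91.124.55 tcp/19071 allow",
    "2023-10-16T13:36:20Z 10.0.0.21 -> 77.91.124.55 tcp/443 allow",
    "2023-10-16T13:36:40Z 10.0.0.21 -> 142.250.72.132 tcp/443 allow",
]


def scan_log(lines, iocs):
    """Return (match_kind, line) for each line touching a C2 indicator."""
    ips, sockets, urls = iocs
    hits = []
    for line in lines:
        m = PROXY.match(line)
        if m:
            u = urlsplit(m.group(4))
            host, path = (u.hostname or "").lower(), u.path or "/"
            if (host, path) in urls:
                hits.append(("c2_url", line))
            elif host in ips:
                hits.append(("c2_ip", line))
            continue
        m = FIREWALL.match(line)
        if m:
            dst, port = m.group(3), int(m.group(5))
            if (dst, port) in sockets:
                hits.append(("c2_socket", line))
            elif dst in ips:
                hits.append(("c2_ip_other_port", line))
    return hits


if __name__ == "__main__":
    for kind, line in scan_log(SAMPLE_LOG, build_network_iocs(C2_RAW)):
        print(kind, line)
    print(match_file(b"not the sample"))   # empty set: this blob is not in the entry
```

For clustering rather than matching, note that the imphash and icon dhash listed above are shared with thousands of RedLine and Amadey samples: they identify the common packer/dropper, so use them as a pivot into the loader family, not as evidence that a new file is this exact build.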

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Author:Varp0s

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments