MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20ae56e2ec11dc0b943ea744a21cfd4c166a14732683664bc846286123a18e9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20ae56e2ec11dc0b943ea744a21cfd4c166a14732683664bc846286123a18e9f
SHA3-384 hash: 2382bce45714182438631911be233d9626a40a79c39b040428767b70add735764fe737737c47c25b92411027d5301f31
SHA1 hash: 23f42db215a021dfa596fbb72f61e94b04cd36c0
MD5 hash: be8fba1fa1536254d7aeab7b52344a2c
humanhash: bacon-fish-moon-glucose
File name:be8fba1fa1536254d7aeab7b52344a2c.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:180'736 bytes
First seen:2021-08-27 08:36:26 UTC
Last seen:2021-08-27 08:36:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a70e187b34266b8bda252cd2ef2d0837 (6 x RaccoonStealer, 1 x Glupteba, 1 x Smoke Loader)
ssdeep 3072:p2xjEfArWWDm3bCq5y5YaMzIRHwhZoWC9sI5/DuT61m:o6ArrDm2sVzsHwhZU9sI5/
Threatray 4'021 similar samples on MalwareBazaar
TLSH T1FD04BE8076A2C57BF9C209304469DBA1663BBDF35B608597B74817AF3E312C0462FAD7
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
3
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be8fba1fa1536254d7aeab7b52344a2c.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-27 08:39:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a7e229c0-999a-4ecf-a2a5-ee3f07f1ce90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182882/
Detection(s):
Win.Packed.Generic-9888554-0
Create hunting rule

Win.Packed.Fragtor-9888685-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Connection attempt to an infection source
Launching a process
Searching for the window
Reading critical registry keys
Setting browser functions hooks
Query of malicious DNS domain
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a browser process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/356aeb28-f29b-4a0e-8223-d6444ae4d9b6
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840291
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472724 Sample: lvsmT7Etmo.exe Startdate: 27/08/2021 Architecture: WINDOWS Score: 100 90 api.ip.sb 2->90 92 74.150.189.185.dnsbl.sorbs.net 2->92 94 36 other IPs or domains 2->94 140 Multi AV Scanner detection for domain / URL 2->140 142 Malicious sample detected (through community Yara rule) 2->142 144 Antivirus detection for URL or domain 2->144 148 19 other signatures 2->148 11 lvsmT7Etmo.exe 2->11         started        14 wwhesgg 2->14         started        16 svchost.exe 2->16         started        18 8 other processes 2->18 signatures3 146 System process connects to network (likely due to code injection or exploit) 92->146 process4 dnsIp5 158 Detected unpacking (changes PE section rights) 11->158 160 Contains functionality to inject code into remote processes 11->160 162 Injects a PE file into a foreign processes 11->162 21 lvsmT7Etmo.exe 11->21         started        24 wwhesgg 14->24         started        164 Changes security center settings (notifications, updates, antivirus, firewall) 16->164 96 127.0.0.1 unknown unknown 18->96 98 192.168.2.1 unknown unknown 18->98 166 DLL side loading technique detected 18->166 signatures6 process7 signatures8 150 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->150 152 Maps a DLL or memory area into another process 21->152 154 Checks if the current machine is a virtual machine (disk enumeration) 21->154 26 explorer.exe 18 21->26 injected 156 Creates a thread in another existing process (thread injection) 24->156 process9 dnsIp10 100 185.49.70.90, 2080, 49717 LEASEWEB-DE-FRA-10DE United Kingdom 26->100 102 readinglistforaugust2.xyz 95.213.224.6, 49713, 80 SELECTELRU Russian Federation 26->102 104 4 other IPs or domains 26->104 82 C:\Users\user\AppData\Roaming\wwhesgg, PE32 26->82 dropped 84 C:\Users\user\AppData\Local\Temp\FD33.exe, PE32 26->84 dropped 86 C:\Users\user\AppData\Local\Temp\F523.exe, PE32 26->86 dropped 88 6 other files (4 malicious) 26->88 dropped 168 System process connects to network (likely due to code injection or exploit) 26->168 170 Benign windows process drops PE files 26->170 172 Performs DNS queries to domains with low reputation 26->172 174 4 other signatures 26->174 31 EEE8.exe 80 26->31         started        36 explorer.exe 26->36         started        38 BAB5.exe 26->38         started        40 6 other processes 26->40 file11 signatures12 process13 dnsIp14 106 185.163.47.239, 49721, 80 MIVOCLOUDMD Moldova Republic of 31->106 108 telete.in 195.201.225.248, 443, 49715 HETZNER-ASDE Germany 31->108 66 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 31->66 dropped 68 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->68 dropped 70 C:\Users\user\AppData\...\ucrtbase.dll, PE32 31->70 dropped 78 56 other files (none is malicious) 31->78 dropped 112 Detected unpacking (changes PE section rights) 31->112 114 Tries to steal Mail credentials (via file access) 31->114 116 Contains functionality to steal Internet Explorer form passwords 31->116 118 Tries to harvest and steal browser information (history, passwords, etc) 31->118 110 readinglistforaugust5.xyz 36->110 120 System process connects to network (likely due to code injection or exploit) 36->120 122 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->122 124 Performs DNS queries to domains with low reputation 36->124 72 C:\Users\user\AppData\Local\...\vplrcmek.exe, PE32 38->72 dropped 126 Uses netsh to modify the Windows network and firewall settings 38->126 128 Modifies the windows firewall 38->128 42 cmd.exe 38->42         started        45 cmd.exe 38->45         started        47 sc.exe 38->47         started        56 2 other processes 38->56 74 C:\Users\user\AppData\...\xImzabj022kKhKW.exe, PE32 40->74 dropped 76 C:\...\MunchingHallstand_2021-08-26_19-29.exe, PE32 40->76 dropped 130 Query firmware table information (likely to detect VMs) 40->130 132 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->132 134 Sample uses process hollowing technique 40->134 136 3 other signatures 40->136 49 xImzabj022kKhKW.exe 40->49         started        52 conhost.exe 40->52         started        54 conhost.exe 40->54         started        file15 signatures16 process17 file18 80 C:\Windows\SysWOW64\...\vplrcmek.exe (copy), PE32 42->80 dropped 58 conhost.exe 42->58         started        60 conhost.exe 45->60         started        62 conhost.exe 47->62         started        138 Injects a PE file into a foreign processes 49->138 64 conhost.exe 56->64         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20ae56e2ec11dc0b943ea744a21cfd4c166a14732683664bc846286123a18e9f/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 01:57:12 UTC
AV detection:
28 of 46 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecxfnyxmchoaxfb6u5ckehh5jqlgufdte2bwms6iiyugci5br2pq._file
Verdict:
suspicious
Similar samples:
236ab7da9937a781cba35cddaf2fe23ee1cfab4478f921cd73908ecf200be287
Smoke Loader
4170bbfd45d3db9b8337b1259e3bdc33840201b6c8ba1f69efa65ac41020445f
Smoke Loader
5c755d14199295a752594d0bb2a4c6bd7ede35ea7c078499fc7fff96451b2530
Smoke Loader
60ab0131b6fa420a6a8039b60ac948db87033e9a8db69b16344e3d9222859556
Smoke Loader
831c4dbfc88b4a10504a77ce20c663633e07e4f2bab5cd94eb27ba56e5427572
Smoke Loader
907f6b8f9c0e1e15fb052deaa36b96fe53c6bd8d1e3b15f9297b4f1295c16271
Smoke Loader
c55df5e9d0ea176321a29f8957c7a43188796ae0fc0ffe1ae94ad6092d30ba77
Smoke Loader
c87fe4ff57a5464c0155bd1a8a924a2d77a79fdf87cba206e9ef5ac0d0f848cf
Smoke Loader
f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc
Smoke Loader
faf49f9b1d785e077bd17c37eddec80c57d3ffc843a745e6854c9b7a6812b7e0
Smoke Loader
+ 4'011 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:buran family:redline family:smokeloader family:tofsee family:xmrig botnet:1 botnet:sergey777 backdoor discovery evasion infostealer miner persistence ransomware spyware stealer themida trojan
Link:
https://tria.ge/reports/210827-7cml8e1wba/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Buran
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
51.254.68.139:15009
176.9.244.86:16284
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/fa8a9b14-4468-4808-9adb-dd03cc22edde/
SH256 hash:
20ae56e2ec11dc0b943ea744a21cfd4c166a14732683664bc846286123a18e9f
MD5 hash:
be8fba1fa1536254d7aeab7b52344a2c
SHA1 hash:
23f42db215a021dfa596fbb72f61e94b04cd36c0
Link:
https://www.unpac.me/results/fa8a9b14-4468-4808-9adb-dd03cc22edde/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/20ae56e2ec11/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20ae56e2ec11dc0b943ea744a21cfd4c166a14732683664bc846286123a18e9f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 20ae56e2ec11dc0b943ea744a21cfd4c166a14732683664bc846286123a18e9f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/182882/
  
URLhaus
https://urlhaus.abuse.ch/url/1558724/
  
Delivery method
Distributed via web download

Comments