MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20b7fb765c70385518994333f6da5f7061da52ff30b24a8510880f3850aa38e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20b7fb765c70385518994333f6da5f7061da52ff30b24a8510880f3850aa38e6
SHA3-384 hash: 24ec7439169d61a1355de9324f33d4af53b278e8ce25b886598b76bbe700be7cb9d43b1951beddab28706416a83d5ecd
SHA1 hash: 5a1d425dd254546ae6ef7a449dc6309688e0e575
MD5 hash: 961783c09bca143db7889f6caf7eba82
humanhash: hawaii-west-hawaii-minnesota
File name:961783c09bca143db7889f6caf7eba82.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:30'720 bytes
First seen:2021-12-20 07:12:06 UTC
Last seen:2021-12-20 08:39:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:aOsIP7IRNWUlaMijihcIGfTAy95w5HUWCvgnvh5gG:axYfMmiokyI5HUWAS
Threatray 3'141 similar samples on MalwareBazaar
TLSH T128D2CFEABD6780BCCDAC80F358D746FE92CEA1B4B4460249D55D2A7679C137C807970D
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215351/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader43.47262.17886.11379.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a window
Launching a process
Creating a process with a hidden window
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2695/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61c02cffec6c6c14a9e472a6/reports/075bbc6b-3ec6-49f2-bae9-65c472976517/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/878e9f17-4453-4d6f-b617-58b84039d0ce
Result
Threat name:
Cryptolocker RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910038
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Deletes itself after installation
DLL reload attack detected
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Cryptolocker ransomware
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 542512 Sample: bkmsIZxPpv.exe Startdate: 20/12/2021 Architecture: WINDOWS Score: 100 53 107.172.191.145, 49800, 5932 AS-COLOCROSSINGUS United States 2->53 55 192.168.2.1 unknown unknown 2->55 57 4urhappiness.com 2->57 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Antivirus detection for URL or domain 2->69 71 17 other signatures 2->71 8 bkmsIZxPpv.exe 1 2->8         started        12 watcvgb 1 2->12         started        14 svchost.exe 1 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 51 C:\Users\user\AppData\Local\Temp\BC84.tmp, PE32 8->51 dropped 91 DLL reload attack detected 8->91 93 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->93 95 Renames NTDLL to bypass HIPS 8->95 103 3 other signatures 8->103 18 explorer.exe 9 8->18 injected 97 Antivirus detection for dropped file 12->97 99 Multi AV Scanner detection for dropped file 12->99 101 Machine Learning detection for dropped file 12->101 signatures6 process7 dnsIp8 59 musaciftci.com 185.149.100.221, 49745, 80 VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi Turkey 18->59 61 4urhappiness.com 192.185.26.75, 49743, 49744, 49764 UNIFIEDLAYER-AS-1US United States 18->61 63 2 other IPs or domains 18->63 31 C:\Users\user\AppData\Roaming\watcvgb, PE32 18->31 dropped 33 C:\Users\user\AppData\Local\Temp\A881.exe, PE32 18->33 dropped 35 C:\Users\user\AppData\Local\Temp\991E.exe, PE32 18->35 dropped 37 2 other malicious files 18->37 dropped 73 System process connects to network (likely due to code injection or exploit) 18->73 75 Benign windows process drops PE files 18->75 77 Injects code into the Windows Explorer (explorer.exe) 18->77 79 3 other signatures 18->79 23 8845.exe 6 18->23         started        27 A881.exe 2 12 18->27         started        29 991E.exe 3 18->29         started        file9 signatures10 process11 file12 39 C:\Users\user\AppData\...\fLTkvFqywU.exe, PE32 23->39 dropped 41 C:\Users\user\AppData\Local\...\tmp61BB.tmp, XML 23->41 dropped 81 Machine Learning detection for dropped file 23->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 23->83 85 Injects a PE file into a foreign processes 23->85 43 6a5eea78-0d8d-45c6-90c8-2c4ff843d1cf.exe, PE32 27->43 dropped 45 C:\Windows\Temp\oqbs3dxw.inf, Windows 27->45 dropped 47 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 27->47 dropped 49 ef4b3caf-bc27-4545-9ee2-47f29792f24a.exe, PE32 27->49 dropped 87 Multi AV Scanner detection for dropped file 27->87 89 Adds a directory exclusion to Windows Defender 27->89 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20b7fb765c70385518994333f6da5f7061da52ff30b24a8510880f3850aa38e6/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-12-18 02:13:05 UTC
File Type:
PE (Exe)
AV detection:
29 of 43 (67.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ec37w5s4oa4fkgezimz7nws7obq5uux7gczevbiqrahtqufkhdta._file
Verdict:
malicious
Similar samples:
38dbfe3e95b603dcde4eb8b64015bf2548dda4f56611d873a12d94c5dd4af2b2
Smoke Loader
560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b
Smoke Loader
6f746dfc7c53944b60e4fdc29fdea740ae8ceaf98126262258fd38ecf166cba5
Smoke Loader
9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7
Smoke Loader
a3cf60a275c70b3b79a12f40ef477ceacc35b66209856fafe770df228df08de4
Smoke Loader
a8e4f8648ff3dbfcf882b39d32033d3ca1f6fdaef9694107aba80f36a0480e36
Smoke Loader
dac0453a1239f16a52f2b6697b3a13bac8cf4d9bb6f4a0e622e354e4b25275e3
Smoke Loader
+ 3'131 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:2246 backdoor collection evasion infostealer persistence ransomware trojan
Link:
https://tria.ge/reports/211220-h1392shha5/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Deletes itself
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
Modifies extensions of user files
Nirsoft
RedLine
RedLine Payload
SmokeLoader
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://planilhasvba.com.br/wp-admin/js/k/index.php
http://rpk32ubon.ac.th/backup/k/index.php
http://4urhappiness.com/app/k/index.php
http://swedenkhabar.com/wp-admin/js/k/index.php
http://cio.lankapanel.net/wp-admin/js/k/index.php
http://fcmsites.com.br/canal/wp-admin/js/k/index.php
http://lacoibipitanga.com.br/maxart/k/index.php
http://lacoibipitanga.com.br/cgi-bin/k/index.php
http://video.nalahotel.com/k/index.php
http://diving-phocea.com/wp-admin/k/index.php
http://phocea-sudan.com/cgi-bin/k/index.php
http://rpk32ubon.ac.th/wp-admin/js/k/index.php
https://www.twinrealty.com/vworker/k/index.php
107.172.191.145:5932
Unpacked files
SH256 hash:
20b7fb765c70385518994333f6da5f7061da52ff30b24a8510880f3850aa38e6
MD5 hash:
961783c09bca143db7889f6caf7eba82
SHA1 hash:
5a1d425dd254546ae6ef7a449dc6309688e0e575
Link:
https://www.unpac.me/results/6f6d5c74-5f28-414f-bc18-4bd68592fe93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.32
Link:
https://yomi.yoroi.company/submissions/20b7fb765c70385518994333f6da5f7061da52ff30b24a8510880f3850aa38e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 20b7fb765c70385518994333f6da5f7061da52ff30b24a8510880f3850aa38e6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/215351/
  
URLhaus
https://urlhaus.abuse.ch/url/1901098/
  
Delivery method
Distributed via web download

Comments