MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29d358633a06305d5facd9d1e290254a4a925f0b50f61473e4094fd8ca7a0a70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29d358633a06305d5facd9d1e290254a4a925f0b50f61473e4094fd8ca7a0a70
SHA3-384 hash: 55d7feb0383ea72eede228aac2e1731c9051c366ff9158a9e01d501f0f84bf8d0012e08a4850f8cb48ecb0c9e6e20a4a
SHA1 hash: d3fc1cdec9c424511261335cc144bb80bd8e6229
MD5 hash: 7807ae2f5d4c1c497ef541b09ef8c85f
humanhash: mockingbird-undress-fourteen-pizza
File name:7807ae2f5d4c1c497ef541b09ef8c85f
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:342'528 bytes
First seen:2021-12-04 01:05:41 UTC
Last seen:2021-12-04 02:28:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 55ae6049290b1a231db6697392c2b841 (2 x RedLineStealer, 2 x RaccoonStealer, 1 x CryptBot)
ssdeep 3072:o0SLJ004hrAU6CBURXeA/b1cSSzIAENopEFKeBnqBMOHtG3EEGeoYWcrYTqokG04:CQAJyUVeA/GwopEFlqBdY35OMYZ4y
Threatray 2'847 similar samples on MalwareBazaar
TLSH T13A748E1077A0C435F5B716F849B993A9793F7EE1AB2891CF62D42AEA56346D0EC30307
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7807ae2f5d4c1c497ef541b09ef8c85f
Verdict:
No threats detected
Analysis date:
2021-12-04 01:06:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/12ae8abc-fd87-4f1f-a178-345b1d112626

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211161/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.80820.2633.19439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
DNS request
Reading critical registry keys
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/719/overview
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer glupteba greyware
Link:
https://www.filescan.io/uploads/61aabefefa72c81b5b0a39e8/reports/29e1d2eb-f4ce-4d6a-a820-242e5fa76342/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b1a70eb-178a-4cc6-b9d5-0efecddd022d
Result
Threat name:
Clipboard Hijacker SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901238
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Clipboard Hijacker
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 533716 Sample: cf4lO4fPid Startdate: 04/12/2021 Architecture: WINDOWS Score: 100 47 zavodooo.ru 2->47 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Antivirus detection for URL or domain 2->61 63 9 other signatures 2->63 9 cf4lO4fPid.exe 2->9         started        12 aihhajt 2->12         started        14 SmartClock.exe 2->14         started        signatures3 process4 signatures5 71 Detected unpacking (changes PE section rights) 9->71 73 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->73 75 Maps a DLL or memory area into another process 9->75 77 Creates a thread in another existing process (thread injection) 9->77 16 explorer.exe 2 9->16 injected 79 Multi AV Scanner detection for dropped file 12->79 81 Machine Learning detection for dropped file 12->81 83 Checks if the current machine is a virtual machine (disk enumeration) 12->83 process6 dnsIp7 41 misipu.cn 64.32.26.89, 80 ST-BGPUS United States 16->41 43 zavodooo.ru 118.33.109.122, 49790, 49793, 49829 KIXS-AS-KRKoreaTelecomKR Korea Republic of 16->43 45 8 other IPs or domains 16->45 31 C:\Users\user\AppData\Roaming\aihhajt, PE32 16->31 dropped 33 C:\Users\user\AppData\Local\Temp\DF4E.exe, PE32 16->33 dropped 35 C:\Users\user\AppData\Local\Temp\A6A9.exe, PE32 16->35 dropped 37 C:\Users\user\...\aihhajt:Zone.Identifier, ASCII 16->37 dropped 49 System process connects to network (likely due to code injection or exploit) 16->49 51 Benign windows process drops PE files 16->51 53 Deletes itself after installation 16->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->55 21 A6A9.exe 4 16->21         started        25 DF4E.exe 16->25         started        27 SmartClock.exe 16->27         started        file8 signatures9 process10 file11 39 C:\Users\user\AppData\...\SmartClock.exe, PE32 21->39 dropped 65 Detected unpacking (changes PE section rights) 21->65 67 Detected unpacking (overwrites its own PE header) 21->67 69 Machine Learning detection for dropped file 21->69 29 SmartClock.exe 21->29         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29d358633a06305d5facd9d1e290254a4a925f0b50f61473e4094fd8ca7a0a70/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-29 11:07:11 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhjvqyz2ayyf2x5m3hi6febfjjfjexylkd3bi47ebfh5rst2bjya._file
Verdict:
malicious
Similar samples:
7106abfc983c98a98aa15ef0d17cc83d601ebd66d053aa04742f0df721a7824e
Smoke Loader
81c62d3a5523b804ee83aadc9ca7d648fa028073d8f8e6f0d39123ca402d739e
Smoke Loader
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7
Smoke Loader
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3
Smoke Loader
c54ca1df46d817348c9bdf18f857459d7ca05c51f7f309e4d4de085136e3ed76
Smoke Loader
cf22cfc5cf9a55cf39f9559e13ee84f183b566b52481b62d0d464ea45bf36420
Smoke Loader
+ 2'837 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:redline family:smokeloader botnet:1 backdoor collection discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211204-bf4lracef8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates processes with tasklist
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Modifies registry class
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
CryptBot
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
https://cinems.club/search.php
https://clothes.surf/search.php
92.255.76.197:38637
45.9.20.59:46287
Unpacked files
SH256 hash:
38b50520397a48d6dc0044fb2aca06b6789cfbe921488422471eab7def65e820
MD5 hash:
67c9034e01a3a23f977b8aa138e88b57
SHA1 hash:
e430b48053c15d914edc1eca59be4964292648c2
Link:
https://www.unpac.me/results/39838eb7-7d07-4b3d-bb01-1183b13ddb0d/
SH256 hash:
29d358633a06305d5facd9d1e290254a4a925f0b50f61473e4094fd8ca7a0a70
MD5 hash:
7807ae2f5d4c1c497ef541b09ef8c85f
SHA1 hash:
d3fc1cdec9c424511261335cc144bb80bd8e6229
Link:
https://www.unpac.me/results/39838eb7-7d07-4b3d-bb01-1183b13ddb0d/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/29d358633a06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29d358633a06305d5facd9d1e290254a4a925f0b50f61473e4094fd8ca7a0a70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 29d358633a06305d5facd9d1e290254a4a925f0b50f61473e4094fd8ca7a0a70

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1850200/
Cape
Cape
https://www.capesandbox.com/analysis/211161/

Comments


Avatar
zbet commented on 2021-12-04 01:05:42 UTC

url : hxxp://amzrouting.com/tmp/setup3.exe