MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133
SHA3-384 hash: 4fd75d2c95b35b9ef16a2da7b3c963c2ac4d8ea7f7a231bc9857489dfa3e95a29c60edefc41421f5e0c71bc0db9258c2
SHA1 hash: 984e27643a7e6fe46d7944073ce57fd52cc278e9
MD5 hash: 7fcd73b1f787ef886832a7af7170bc56
humanhash: low-spring-social-alanine
File name:7fcd73b1f787ef886832a7af7170bc56
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:137'728 bytes
First seen:2021-09-26 17:59:00 UTC
Last seen:2021-09-26 20:54:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d219b4c81d3038e0b353f2c453352508 (12 x RaccoonStealer, 4 x Smoke Loader, 2 x ArkeiStealer)
ssdeep 1536:z+6RF4Gc7MPGVoHliOMcOq90UCJVb1j8FfVPX9F5owZzze8HaQsE9mPt/CD6H:zJy0NL90o3XP5ptKyaQs8m0O
Threatray 6'213 similar samples on MalwareBazaar
TLSH T171D3BE1DB690C432C5B629324A25D6A09A6A78327F67FD433748275F0E701D29E37F87
File icon (PE):PE icon
dhash icon fcfc94d4d4d4d8c0 (24 x RaccoonStealer, 21 x RedLineStealer, 9 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fcd73b1f787ef886832a7af7170bc56
Verdict:
No threats detected
Analysis date:
2021-09-26 18:08:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb42822a-aa26-4bcd-92a6-943bb886f563

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191829/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.7702.27289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aab3bc85-9645-4691-ba72-b43f8f005640
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858500
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 490931 Sample: SGe0iL5d7u Startdate: 26/09/2021 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Antivirus detection for URL or domain 2->52 54 9 other signatures 2->54 8 SGe0iL5d7u.exe 2->8         started        11 wabgjht 2->11         started        process3 signatures4 72 Detected unpacking (changes PE section rights) 8->72 74 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->74 76 Maps a DLL or memory area into another process 8->76 13 explorer.exe 4 8->13 injected 78 Checks if the current machine is a virtual machine (disk enumeration) 11->78 80 Creates a thread in another existing process (thread injection) 11->80 process5 dnsIp6 42 govsurplusstore.com 187.212.180.10, 49771, 49791, 80 UninetSAdeCVMX Mexico 13->42 44 kamikirim.id 103.247.9.207, 49865, 80 RUMAHWEB-AS-IDRumahwebIndonesiaCVID Indonesia 13->44 46 11 other IPs or domains 13->46 28 C:\Users\user\AppData\Roaming\wabgjht, PE32 13->28 dropped 30 C:\Users\user\AppData\Local\Temp\334C.exe, PE32 13->30 dropped 32 C:\Users\user\...\wabgjht:Zone.Identifier, ASCII 13->32 dropped 82 System process connects to network (likely due to code injection or exploit) 13->82 84 Benign windows process drops PE files 13->84 86 Deletes itself after installation 13->86 88 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->88 18 334C.exe 15 30 13->18         started        22 816D.exe 14 3 13->22         started        file7 signatures8 process9 dnsIp10 34 94.26.228.204, 32917, 49866 PTC-YEMENNETYE Russian Federation 18->34 36 api.ip.sb 18->36 56 Multi AV Scanner detection for dropped file 18->56 58 Detected unpacking (overwrites its own PE header) 18->58 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->60 68 3 other signatures 18->68 24 conhost.exe 18->24         started        38 api.ip.sb 22->38 40 84.38.189.175, 49876, 54144 SELECTELRU Russian Federation 22->40 62 Detected unpacking (changes PE section rights) 22->62 64 Query firmware table information (likely to detect VMs) 22->64 66 Tries to detect sandboxes and other dynamic analysis tools (window names) 22->66 70 2 other signatures 22->70 26 conhost.exe 22->26         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 17:59:06 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
112222e358613dd59bab7d3c0901b6f1ad0490c95cc89e3dc3de51b9e80545c4
Smoke Loader
1a258df93de3955089e869e2348df88c72444d09930ff31cba0fab7022701da1
Smoke Loader
56c5a8642b999065ce73f5a07bb3bd112a63b8ce13a43f65f2396692b8de274d
Smoke Loader
64cb3ce12c5cdfdf4e0dd3e9f0bcd9e43745ee83c3289a27c73f6c6f4243049c
Smoke Loader
84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
Smoke Loader
c75b223b462ba88c62c1c8d848a845e7aeacc0ec0c96a7ecf1644e782accdd52
Smoke Loader
dad310f9c291800939286d91b2b3206ca1f53661eed6c9c819d269780eb37b63
Smoke Loader
ebcecaf7cc142a2954b15d4390e5275aed5a7c8f70a7c777c0288b5f3c2312ac
Smoke Loader
f8a24f64412f44222e72d8a2c396bf1472eafbd41c5abbbaf9c4fc2a655175ce
Smoke Loader
fe182a93d10cf8b048cb1a72b07f80ded9f6e2e0177f74f2baf9f17ede242ee9
Smoke Loader
+ 6'203 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:redline family:smokeloader family:vidar botnet:paladin backdoor discovery evasion infostealer persistence ransomware spyware stealer themida trojan
Link:
https://tria.ge/reports/210926-wkqwnsfbh6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Modifies security service
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
94.26.228.204:32917
Unpacked files
SH256 hash:
5e52071fd7832c439965575105f0a8d309fc5c923523689f94c6aaaa4230ec8a
MD5 hash:
0723090cb25a2ec591eb170730b0e737
SHA1 hash:
d6e2422a17cfe0de3cc43053cf595b7a28897386
Link:
https://www.unpac.me/results/b2e674c1-f50f-4721-a7a7-238b4b19fc91/
SH256 hash:
2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133
MD5 hash:
7fcd73b1f787ef886832a7af7170bc56
SHA1 hash:
984e27643a7e6fe46d7944073ce57fd52cc278e9
Link:
https://www.unpac.me/results/b2e674c1-f50f-4721-a7a7-238b4b19fc91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 2be70f815e1bea93dfa56396f69f0c38e4d2732a254a29e5307426958e296133

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1644574/
Cape
Cape
https://www.capesandbox.com/analysis/191829/

Comments


Avatar
zbet commented on 2021-09-26 17:59:02 UTC

url : hxxp://yangsenguanfang.com/pub3.exe