MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 303de99f3a658f14a927ae269d1f5858f67a72cb6aa4e162c3f2a9dd2f0e20da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 303de99f3a658f14a927ae269d1f5858f67a72cb6aa4e162c3f2a9dd2f0e20da
SHA3-384 hash: 81a07fb6f6ff7b9160a3f04354140798aac33a7376f47f4558f408d0e895058a736d97103ae7a3cc395c6e9a52faa568
SHA1 hash: 3d150b9176b71abafc44a5e5cf7aed1ed9cad827
MD5 hash: ae1e179bde5dd7bc86c7bf00155234e3
humanhash: salami-mars-leopard-north
File name:ae1e179bde5dd7bc86c7bf00155234e3.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:229'376 bytes
First seen:2021-09-06 06:29:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c3501e221e7e06d3e51bfb52c2b6518 (4 x ArkeiStealer, 4 x Stop, 2 x RaccoonStealer)
ssdeep 3072:0aPrnxAyAsthuA+HeB5R1nF95F683Tm7uNuJq0jhZDuHHx4br:0WrnZt++B37DauNu80F4W
Threatray 7'487 similar samples on MalwareBazaar
TLSH T1F7249C12B6D0F427E2D60A348424CAF06EFEBC761964818B7758E76F6E303D19E62357
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
724
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ae1e179bde5dd7bc86c7bf00155234e3.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-06 06:39:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed4d8cb5-6ec9-47b5-bd6d-955f2a7deb80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185531/
Detection(s):
SecuriteInfo.com.Variant.Babar.28486.2884.12808.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Deleting a recently created file
Reading critical registry keys
Replacing files
Creating a file
Launching the process to change the firewall settings
Sending an HTTP GET request to an infection source
Creating a file in the Windows subdirectories
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Searching for analyzing tools
Searching for the window
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Moving a file to the Windows subdirectory
Launching a process
Creating a service
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service
Stealing user critical data
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84d5c083-3a13-4101-905c-5ed712fcc069
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845741
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download HTTP data from a sinkholed server
Tries to resolve many domain names, but no domain seems valid
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478169 Sample: wA55X0EbFS.exe Startdate: 06/09/2021 Architecture: WINDOWS Score: 100 32 Tries to download HTTP data from a sinkholed server 2->32 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Multi AV Scanner detection for domain / URL 2->36 38 8 other signatures 2->38 7 wA55X0EbFS.exe 2->7         started        10 aahgejw 2->10         started        process3 signatures4 50 Detected unpacking (changes PE section rights) 7->50 52 Contains functionality to inject code into remote processes 7->52 54 Injects a PE file into a foreign processes 7->54 12 wA55X0EbFS.exe 7->12         started        56 Multi AV Scanner detection for dropped file 10->56 58 Machine Learning detection for dropped file 10->58 15 aahgejw 10->15         started        process5 signatures6 60 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->60 62 Maps a DLL or memory area into another process 12->62 64 Checks if the current machine is a virtual machine (disk enumeration) 12->64 17 explorer.exe 2 12->17 injected 66 Creates a thread in another existing process (thread injection) 15->66 process7 dnsIp8 26 xsedfgtbh14.store 17->26 28 wnlonevkiju16.site 17->28 30 28 other IPs or domains 17->30 22 C:\Users\user\AppData\Roaming\aahgejw, PE32 17->22 dropped 24 C:\Users\user\...\aahgejw:Zone.Identifier, ASCII 17->24 dropped 40 System process connects to network (likely due to code injection or exploit) 17->40 42 Benign windows process drops PE files 17->42 44 Performs DNS queries to domains with low reputation 17->44 48 2 other signatures 17->48 file9 46 Tries to resolve many domain names, but no domain seems valid 28->46 signatures10
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/303de99f3a658f14a927ae269d1f5858f67a72cb6aa4e162c3f2a9dd2f0e20da/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 05:04:39 UTC
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2719fd90e145c3520563231bf1e70417e5dc84cf275046f01ce1fe81f52c5381
Smoke Loader
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
Smoke Loader
3fe70737f4c556e55f6ff23ebde2d84d9867059847105623d9414a57abfda632
Smoke Loader
42dbfa5efe80e105779d68ff235e542aea125899495f2c7feea11471531238fd
Smoke Loader
4dd3b8c14d77c4099c86f0fe88a0e58995f45da816eeb36845b1192b91c48e66
Smoke Loader
560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b
Smoke Loader
5b742d7fc7f00ec13442daf22ff2bb2b856e5083eee18fffc267185bfbb7720b
Smoke Loader
6c7390a207bf7d3ce9df2c9df04609bbc6176eb958294f760e9167553fd05428
Smoke Loader
6f746dfc7c53944b60e4fdc29fdea740ae8ceaf98126262258fd38ecf166cba5
Smoke Loader
9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7
Smoke Loader
+ 7'477 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:200 botnet:936 botnet:937 botnet:948 botnet:973 botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:newnew backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210906-g8x8bsdffn/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
xmrig
Malware Config
C2 Extraction:
http://fioajfoiarjfoi1.xyz/
http://rdukhnihioh2.xyz/
http://sdfghjklemm3.xyz/
http://eruiopijhgnn4.xyz/
http://igbyugfwbwb5.xyz/
http://shfuhfuwhhc6.xyz/
http://ersyglhjkuij7.xyz/
http://ygyguguuju8.store/
http://resbkjpokfct9.store/
http://sdfygfygu10.store/
http://hbibhibihnj11.store/
http://vfwlkjhbghg12.store/
http://poiuytrcvb13.store/
http://xsedfgtbh14.store/
http://iknhyghggh15.store/
http://wnlonevkiju16.site/
http://gfyufuhhihioh17.site/
http://nsgiuwrevi18.site/
http://oiureveiuv19.site/
http://ovrnevnriuen20.site/
http://apowkfeeifin21.site/
http://mewmofinoine22.site/
http://iefhuiehruiu23.site/
http://vjrnnvinerovn24.club/
http://roimvnnvwniov25.club/
http://fwenmfioewnjo26.club/
http://ewoijioewoif27.club/
http://fwjenfuihew28.club/
http://fwkejnfuiewn29.club/
http://fwkjenfuewnh30.club/
185.167.97.37:30904
https://romkaxarit.tumblr.com/
45.14.49.28:56898
Unpacked files
SH256 hash:
560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b
MD5 hash:
e369a4ae59ce3b82b5ed8054f0597341
SHA1 hash:
cd3518495e662b758e3b72b6bfc409a4fdfcc0df
Link:
https://www.unpac.me/results/957f5a72-5f94-4bd1-b1ae-532970e197ec/
SH256 hash:
303de99f3a658f14a927ae269d1f5858f67a72cb6aa4e162c3f2a9dd2f0e20da
MD5 hash:
ae1e179bde5dd7bc86c7bf00155234e3
SHA1 hash:
3d150b9176b71abafc44a5e5cf7aed1ed9cad827
Link:
https://www.unpac.me/results/957f5a72-5f94-4bd1-b1ae-532970e197ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/303de99f3a65/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/303de99f3a658f14a927ae269d1f5858f67a72cb6aa4e162c3f2a9dd2f0e20da

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 303de99f3a658f14a927ae269d1f5858f67a72cb6aa4e162c3f2a9dd2f0e20da

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1558724/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185531/

Comments