MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 364bcd3b0a74ff15848f1e2c286922fb84ac88a85785e7821544b0539f4e1ff9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 364bcd3b0a74ff15848f1e2c286922fb84ac88a85785e7821544b0539f4e1ff9
SHA3-384 hash: b2ac3b22dfb30bc617a19900afb11ad9689f9331b64c31e63b676ea0a3f61e2871c56ea51222ab9c7336e040ef4ae706
SHA1 hash: 1ea4f09525f98f6d2eac29c3c97e55868831b119
MD5 hash: bd6395fc5c922319cb17f6e6e05b2283
humanhash: carbon-october-salami-maryland
File name:9b3d7f02.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:227'840 bytes
First seen:2021-04-23 23:01:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 526fe4b73ae0b7c8133f48c9bbea9505 (2 x RaccoonStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 3072:b3jJSNXR/z1Fkzn1Tn5m8FhSD3Y1ofT5PAaGoUn+L8TZltkugTA:bMhcZYmn1ofhAaGo5LebkugTA
Threatray 145 similar samples on MalwareBazaar
TLSH 3E249DC1B680C173C016357185B39BBCA634A933EB19D1C76798B66E6FF33D1263264A
Reporter r3dbU7z
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9b3d7f02.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-24 08:23:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/092eceb3-3dee-4d43-91aa-cd98aa97c262

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/143953/
Detection(s):
Win.Packed.Generic-9853074-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Tofsee Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/696218
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Deletes itself after installation
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Tofsee
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 397031 Sample: 9b3d7f02.exe Startdate: 24/04/2021 Architecture: WINDOWS Score: 100 74 al-commandoz.com 2->74 76 z-p42-instagram.c10r.facebook.com 2->76 78 8 other IPs or domains 2->78 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for URL or domain 2->94 96 Antivirus detection for dropped file 2->96 98 8 other signatures 2->98 10 9b3d7f02.exe 1 2->10         started        13 wrvndoqo.exe 2->13         started        15 grhvegh 1 2->15         started        18 4 other processes 2->18 signatures3 process4 file5 114 Detected unpacking (changes PE section rights) 10->114 116 Renames NTDLL to bypass HIPS 10->116 118 Maps a DLL or memory area into another process 10->118 20 explorer.exe 6 10->20 injected 120 Detected unpacking (overwrites its own PE header) 13->120 122 Writes to foreign memory regions 13->122 124 Allocates memory in foreign processes 13->124 126 Injects a PE file into a foreign processes 13->126 25 svchost.exe 3 1 13->25         started        70 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 15->70 dropped 128 Multi AV Scanner detection for dropped file 15->128 130 Checks if the current machine is a virtual machine (disk enumeration) 15->130 132 Creates a thread in another existing process (thread injection) 15->132 signatures6 process7 dnsIp8 80 91.203.5.155, 49765, 80 VOLIA-ASUA Ukraine 20->80 82 37.120.239.108, 49752, 80 SECURE-DATA-ASRO Romania 20->82 88 5 other IPs or domains 20->88 58 C:\Users\user\AppData\Roaming\grhvegh, PE32 20->58 dropped 60 C:\Users\user\AppData\Local\Temp\A3BA.exe, PE32 20->60 dropped 62 C:\Users\user\AppData\Local\Temp\6AD7.exe, PE32 20->62 dropped 64 C:\Users\user\...\grhvegh:Zone.Identifier, ASCII 20->64 dropped 100 System process connects to network (likely due to code injection or exploit) 20->100 102 Benign windows process drops PE files 20->102 104 Deletes itself after installation 20->104 106 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->106 27 A3BA.exe 2 20->27         started        31 6AD7.exe 20->31         started        84 195.242.110.99, 417, 49788, 49794 PROMARKET-ASPL unknown 25->84 86 3.52.17.84.cbl.abuseat.org 25->86 90 15 other IPs or domains 25->90 66 C:\Windows\SysWOW64\...\systemprofile:.repos, data 25->66 dropped 108 Creates files in alternative data streams (ADS) 25->108 110 Injects a PE file into a foreign processes 25->110 33 svchost.exe 1 25->33         started        file9 112 Detected Stratum mining protocol 84->112 signatures10 process11 dnsIp12 68 C:\Users\user\AppData\Local\...\wrvndoqo.exe, PE32 27->68 dropped 134 Antivirus detection for dropped file 27->134 136 Detected unpacking (changes PE section rights) 27->136 138 Detected unpacking (overwrites its own PE header) 27->138 144 2 other signatures 27->144 36 netsh.exe 3 27->36         started        38 cmd.exe 1 27->38         started        40 cmd.exe 2 27->40         started        44 3 other processes 27->44 140 Machine Learning detection for dropped file 31->140 142 Contains functionality to infect the boot sector 31->142 72 masari.miner.rocks 88.198.47.78, 30162, 49806 HETZNER-ASDE Germany 33->72 42 conhost.exe 33->42         started        file13 signatures14 process15 process16 46 conhost.exe 36->46         started        48 conhost.exe 38->48         started        50 conhost.exe 40->50         started        52 conhost.exe 44->52         started        54 conhost.exe 44->54         started        56 conhost.exe 44->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/364bcd3b0a74ff15848f1e2c286922fb84ac88a85785e7821544b0539f4e1ff9/
Verdict:
malicious
Similar samples:
0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
Smoke Loader
207be23ccd62d0e3d9aefe12f5c2ab142a42a25b1e246e27e0ae9087c2fe96d3
Smoke Loader
2cad1d5cd3e145f720e3da8825183d78545b834fe146a8d1ec26c0e876980a66
Smoke Loader
2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9
Smoke Loader
6da762e6a282e959a607c046a3b33dd71baaf6c7fe5d49c97a8e2de2a60e4c5d
Smoke Loader
90a286ac5b49100aeb8038af277dbabc3853e6fe5557c19d5a64885f015596b1
Smoke Loader
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
Smoke Loader
e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17
Smoke Loader
ecee44992b84f86f98c14b5af66451c9e6306e7db33d038cef6d7292988da559
Smoke Loader
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
Smoke Loader
+ 135 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:dasha backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210423-pxercgt4xx/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://al-commandoz.com/upload/
http://antalya-belek.com/upload/
http://luxurysv.com/upload/
http://massagespijkenisse.com/upload/
http://rexgorellhondaevent.com/upload/
86.105.252.237:17660
Unpacked files
SH256 hash:
c2d578cfc945130f0dcfd60de3bbd7ecc462379cc3d9b5eb60bfa0bde6e7cd02
MD5 hash:
cb489cfa3df7d6b0b6354ed7d5dd1c1e
SHA1 hash:
7728047068420d747fff420318e88fdbf0b20ec9
Link:
https://www.unpac.me/results/8d55e10a-ce5e-454e-aa8c-fb69c6f62dc8/
SH256 hash:
364bcd3b0a74ff15848f1e2c286922fb84ac88a85785e7821544b0539f4e1ff9
MD5 hash:
bd6395fc5c922319cb17f6e6e05b2283
SHA1 hash:
1ea4f09525f98f6d2eac29c3c97e55868831b119
Link:
https://www.unpac.me/results/8d55e10a-ce5e-454e-aa8c-fb69c6f62dc8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/143953/

Comments