MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4254915796d8d129d36f443ed779f94cdb001bae40707806a11679e322864d85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4254915796d8d129d36f443ed779f94cdb001bae40707806a11679e322864d85
SHA3-384 hash: 292f16b5762065a8475b9b945864c3b1e27ddfe8da9e379acfa4de8215b022807fcffafc9a2914f7a0efe78a6dc09641
SHA1 hash: 89385cb53103198932e98d7ecadc25ffaa7ed675
MD5 hash: 6ec371eb3f7f86595a8793b16179b0b1
humanhash: iowa-texas-cardinal-failed
File name:6ec371eb3f7f86595a8793b16179b0b1.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:320'000 bytes
First seen:2021-07-28 18:03:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6ebbfd08d361ef29153e4487e25f820 (2 x RedLineStealer, 1 x Cryptbot, 1 x DanaBot)
ssdeep 6144:R3Xh7ZBiUdDd/GslM9c8DXC30hNUeBP1PfgBPX05rWcWy9SbKLtEzE3e:RBdBTdD5JlM9cgC3gUenYv0dZ39P+zEu
Threatray 2'514 similar samples on MalwareBazaar
TLSH T1F0649D20ABA1C034F5F212F8557693BCA53E3A715B3450CB93E52AEE12346E5ED31B4B
dhash icon ead8a89cc6e68ae0 (2 x RaccoonStealer, 1 x Smoke Loader, 1 x CryptBot)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://crackedfine.com/microsoft-office-activation-key/
Verdict:
Malicious activity
Analysis date:
2021-07-27 16:46:36 UTC
Tags:
evasion trojan stealer vidar rat redline phishing autoit
Link:
https://app.any.run/tasks/318ee040-b2c1-4abf-9d5b-fcb66901a11f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174768/
Detection(s):
Win.Malware.Generic-9881904-0
Create hunting rule

Win.Packed.Mokes-9881941-0
Create hunting rule

Win.Malware.Generic-9881959-0
Create hunting rule

Win.Packed.Raccoon-9882053-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bb2edcb-2cc3-4572-9f9f-c4b5fccabfc1
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823289
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455701 Sample: nKfPRJL4kW.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 58 mx3.hotmail.com 2->58 60 peoplepc.com 2->60 62 59 other IPs or domains 2->62 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for URL or domain 2->80 86 18 other signatures 2->86 9 nKfPRJL4kW.exe 2->9         started        12 daevtwj 2->12         started        14 svchost.exe 2->14         started        16 10 other processes 2->16 signatures3 82 Tries to resolve many domain names, but no domain seems valid 58->82 84 System process connects to network (likely due to code injection or exploit) 60->84 process4 dnsIp5 106 Detected unpacking (changes PE section rights) 9->106 19 nKfPRJL4kW.exe 9->19         started        108 Machine Learning detection for dropped file 12->108 110 Contains functionality to inject code into remote processes 12->110 112 Injects a PE file into a foreign processes 12->112 114 Changes security center settings (notifications, updates, antivirus, firewall) 14->114 56 127.0.0.1 unknown unknown 16->56 signatures6 process7 signatures8 88 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->88 90 Maps a DLL or memory area into another process 19->90 92 Checks if the current machine is a virtual machine (disk enumeration) 19->92 94 Creates a thread in another existing process (thread injection) 19->94 22 explorer.exe 26 19->22 injected process9 dnsIp10 64 readinglistforjuly9.xyz 22->64 66 readinglistforjuly8.xyz 22->66 68 14 other IPs or domains 22->68 38 C:\Users\user\AppData\Roaming\daevtwj, PE32 22->38 dropped 40 C:\Users\user\AppData\Local\Temp\FC5E.exe, PE32 22->40 dropped 42 C:\Users\user\AppData\Local\Temp\F96F.exe, PE32 22->42 dropped 44 10 other files (6 malicious) 22->44 dropped 96 System process connects to network (likely due to code injection or exploit) 22->96 98 Benign windows process drops PE files 22->98 100 Performs DNS queries to domains with low reputation 22->100 104 4 other signatures 22->104 27 49D.exe 92 22->27         started        32 F96F.exe 2 22->32         started        34 FC5E.exe 3 22->34         started        36 F335.exe 1 22->36         started        file11 102 Tries to resolve many domain names, but no domain seems valid 66->102 signatures12 process13 dnsIp14 70 xeronxikxxx.tumblr.com 27->70 72 116.202.183.50, 49735, 80 HETZNER-ASDE Germany 27->72 74 xeronxikxxx.tumblr.com 74.114.154.22, 443, 49734 AUTOMATTICUS Canada 27->74 46 C:\Users\user\AppData\...\softokn3[1].dll, PE32 27->46 dropped 48 C:\Users\user\AppData\...\freebl3[1].dll, PE32 27->48 dropped 50 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 27->50 dropped 54 9 other files (none is malicious) 27->54 dropped 116 Detected unpacking (changes PE section rights) 27->116 118 Detected unpacking (overwrites its own PE header) 27->118 120 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->120 132 2 other signatures 27->132 52 C:\Users\user\AppData\Local\...\asbjgtfz.exe, PE32 32->52 dropped 122 Machine Learning detection for dropped file 32->122 124 Uses netsh to modify the Windows network and firewall settings 32->124 126 Modifies the windows firewall 32->126 128 Injects a PE file into a foreign processes 34->128 file15 130 Tries to resolve many domain names, but no domain seems valid 70->130 signatures16
Gathering data
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 16:57:07 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijkjcv4w3distu3piq7no6pzjtnqag5oibyhqbvbcz46giugjwcq._file
Verdict:
suspicious
Similar samples:
6942f06c0718cbc965d52519949816c8c77bc9bca7cc654802ea6841c35fe3b3
Smoke Loader
76526cd30725afafe90b7f19fbb607571ac7f827aece34bf1d1cc41c595f2a93
Smoke Loader
79894af8bd699d14ae712c0a8c8ce0e5e613c462ec7d2f29b5541ca87b9d397c
Smoke Loader
7b608f567cdbb7a9ccce2a9937b34bb3b73e178efc3d2b9bc29e5fe905462bee
Smoke Loader
c97f7b2a1d29e6ab8e802c3c814e1962452a9ab375a0f0c13ef6d4e4edefe9c2
Smoke Loader
d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854
Smoke Loader
fa04b562a9b95f20ba6ae99375dec999128843910969bc5ccf964df3b5ee7882
Smoke Loader
fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2
Smoke Loader
+ 2'504 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:824 botnet:828 backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210728-wvs5gnyxzj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
xmrig
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
https://xeronxikxxx.tumblr.com/
Unpacked files
SH256 hash:
d065c8a41c2287cb3ed4fd55a1a76c13995937723c7b44cf6d4763a15dea89c1
MD5 hash:
3c9f95cbbd5f3e4ee70435e06de00ddf
SHA1 hash:
7dee35214654080e76fc275eedd5c2d7b1e1453d
Link:
https://www.unpac.me/results/115a4ae4-11d3-46e6-a628-066c9645ccd5/
SH256 hash:
4254915796d8d129d36f443ed779f94cdb001bae40707806a11679e322864d85
MD5 hash:
6ec371eb3f7f86595a8793b16179b0b1
SHA1 hash:
89385cb53103198932e98d7ecadc25ffaa7ed675
Link:
https://www.unpac.me/results/115a4ae4-11d3-46e6-a628-066c9645ccd5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4254915796d8d129d36f443ed779f94cdb001bae40707806a11679e322864d85

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 4254915796d8d129d36f443ed779f94cdb001bae40707806a11679e322864d85

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1476557/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174768/

Comments