MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4429d7bb14f60e8b2673db64a7f3e9550947d40cd53eadd1006f3c3959201fb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	4429d7bb14f60e8b2673db64a7f3e9550947d40cd53eadd1006f3c3959201fb7
SHA3-384 hash:	8a68f58338e8778eaf67d5b51e23b8449af2f3c9d8a66da8210cf77e520607609c846732fea4db9cd54e519d2310fe38
SHA1 hash:	05c4da8a7e8ffac6ac90424d53b83be16df7814f
MD5 hash:	ca53d7c908eff8fbefc337406939a07d
humanhash:	iowa-alanine-alabama-robin
File name:	ca53d7c908eff8fbefc337406939a07d.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	279'040 bytes
First seen:	2021-12-05 07:28:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ace494ecc2c2c2c7ecf836ae6aa78574 (14 x RedLineStealer, 4 x RaccoonStealer, 1 x CryptBot)
ssdeep	3072:pA7a5PP224bY7osYlx/JjxI3vJiNYeigin0Nt6bE5PJJDGWEZvZ4WWv1oC5KL:p4qU+o9JjxImDqBbEtJJaVZ4TNa
Threatray	10'920 similar samples on MalwareBazaar
TLSH	T148549E2133E0C033D59725764525CBB58EBA74316A666ACBBFC80EBC9F247D1A73530A
File icon (PE):
dhash icon	d2b1e4c4ecb987f9 (17 x RedLineStealer, 10 x Smoke Loader, 4 x Amadey)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ca53d7c908eff8fbefc337406939a07d.exe

Verdict:

No threats detected

Analysis date:

2021-12-05 07:32:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/aacc739d-db62-42e6-a8ea-0898e4b28f45

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/211426/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

DNS request

Searching for synchronization primitives

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP GET request

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/880/overview

Behaviour

CPUID_Instruction

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61ac6a5347ed217c0132041e/reports/ea4d7c9c-279c-48fb-93e0-2f465c6ecb70/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/46f38248-5340-42be-b864-09890820e33a

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/901617

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4429d7bb14f60e8b2673db64a7f3e9550947d40cd53eadd1006f3c3959201fb7/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-12-05 04:18:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iqu5poyu6yhiwjtt3nskp47jkueupvam2u7k3uian46dswjad63q._file

Verdict:

malicious

Smoke Loader

6f54181807e2995147e132e7bf87ed669966b4f68a49b29fdaf4467864aa946a

Smoke Loader

8b9e05937557c312981409e1107aa75b580f170138d0a7abf3cfaa93dd9113aa

Smoke Loader

be032b655d9a935fbca887adfc5e478085b7d64c96720c57da870c2d463ed881

Smoke Loader

c37feba7ad29a50f566e779edd2c5514edcbd6e87909ca4d8e6d1f9727362d94

Smoke Loader

d2b72372d1f6ff858237a0804714acfb2afa47ad2c2530a749ba738d2e0cf416

Smoke Loader

ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0

Smoke Loader

fbb99570b341367a86c2c23b56862bfb3d3ea91c06e7c15750f7d36bf82f494b

Smoke Loader

+ 10'910 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:cryptbot family:raccoon family:redline family:smokeloader family:vidar botnet:706 botnet:a1fcef6b211f7efaa652483b438c193569359f50 botnet:b620be4c85b4051a92040003edbc322be4eb082d botnet:newyear2022 backdoor collection discovery infostealer persistence spyware stealer trojan

Link:

https://tria.ge/reports/211205-jbe2laehd2/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

CryptBot

Process spawned unexpected child process

Raccoon

RedLine

RedLine Payload

SmokeLoader

Vidar

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
http://planilhasvba.com.br/wp-admin/js/k/index.php
http://rpk32ubon.ac.th/backup/k/index.php
http://4urhappiness.com/app/k/index.php
http://swedenkhabar.com/wp-admin/js/k/index.php
http://cio.lankapanel.net/wp-admin/js/k/index.php
http://fcmsites.com.br/canal/wp-admin/js/k/index.php
http://lacoibipitanga.com.br/maxart/k/index.php
http://lacoibipitanga.com.br/cgi-bin/k/index.php
http://video.nalahotel.com/k/index.php
http://diving-phocea.com/wp-admin/k/index.php
http://phocea-sudan.com/cgi-bin/k/index.php
http://rpk32ubon.ac.th/wp-admin/js/k/index.php
https://www.twinrealty.com/vworker/k/index.php
179.43.187.40:13040
https://qoto.org/@mniami
https://noc.social/@menaomi