MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49791cea301086d06bded20b092ad7154ac774997c43e85de48d36da80a8ebaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49791cea301086d06bded20b092ad7154ac774997c43e85de48d36da80a8ebaa
SHA3-384 hash: 6aa9892ed1bd8b892f7b8eda72ac66f7150f31ccadf0678552ea837d6d42f6f837fa21af248930c1d07df2683006abed
SHA1 hash: 636d14e8a12162714cddbfff0e0811c6b07aa716
MD5 hash: 793dcf17dbc9db275442b93296d17515
humanhash: pizza-mississippi-vegan-vermont
File name:793dcf17dbc9db275442b93296d17515.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:242'176 bytes
First seen:2021-07-28 18:27:46 UTC
Last seen:2021-07-28 19:50:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3452384b40578d4db2827c0ef7829a8d (2 x RedLineStealer, 1 x Smoke Loader)
ssdeep 3072:1pG8Rl+TStwh2933qMgfMiahYvmZRoGqSO7b/+KkqyRyi5bKJ5thJOv5Wny7ISAm:1pdj+TStt3aMqvbmZRoGC2bE5kv5IyD
Threatray 724 similar samples on MalwareBazaar
TLSH T1C834AE20B6E0C034F5F712F949B9836CB92D7AB25F2091CB62D526EE56346E4DC3139B
dhash icon ead8a89cc6e68ea0 (25 x RaccoonStealer, 8 x DanaBot, 8 x RedLineStealer)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
793dcf17dbc9db275442b93296d17515.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-28 19:01:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8b5db11b-48ff-46ec-8fed-b615ffc4367a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174804/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.47388.2120.15744.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/975080a9-ea3a-4ca8-984f-b05cee9db029
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823352
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455763 Sample: Xu7v9n5LLd.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 60 xeronxikxxx.tumblr.com 2->60 62 www.google.com 2->62 64 127 other IPs or domains 2->64 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Multi AV Scanner detection for domain / URL 2->80 82 Malicious sample detected (through community Yara rule) 2->82 88 17 other signatures 2->88 9 Xu7v9n5LLd.exe 2->9         started        12 vwrwteg 2->12         started        14 svchost.exe 2->14         started        16 9 other processes 2->16 signatures3 84 Tries to resolve many domain names, but no domain seems valid 60->84 86 System process connects to network (likely due to code injection or exploit) 62->86 process4 dnsIp5 108 Detected unpacking (changes PE section rights) 9->108 19 Xu7v9n5LLd.exe 9->19         started        110 Machine Learning detection for dropped file 12->110 112 Contains functionality to inject code into remote processes 12->112 114 Sample uses process hollowing technique 12->114 116 Injects a PE file into a foreign processes 12->116 118 Changes security center settings (notifications, updates, antivirus, firewall) 14->118 56 127.0.0.1 unknown unknown 16->56 58 192.168.2.1 unknown unknown 16->58 signatures6 process7 signatures8 90 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->90 92 Maps a DLL or memory area into another process 19->92 94 Checks if the current machine is a virtual machine (disk enumeration) 19->94 96 Creates a thread in another existing process (thread injection) 19->96 22 explorer.exe 26 19->22 injected process9 dnsIp10 66 readinglistforjuly9.xyz 22->66 68 readinglistforjuly8.xyz 22->68 70 13 other IPs or domains 22->70 38 C:\Users\user\AppData\Roaming\vwrwteg, PE32 22->38 dropped 40 C:\Users\user\AppData\Local\Temp\8CB4.exe, PE32 22->40 dropped 42 C:\Users\user\AppData\Local\Temp\7BEA.exe, PE32 22->42 dropped 44 10 other files (6 malicious) 22->44 dropped 98 System process connects to network (likely due to code injection or exploit) 22->98 100 Benign windows process drops PE files 22->100 102 Performs DNS queries to domains with low reputation 22->102 106 4 other signatures 22->106 27 443A.exe 92 22->27         started        32 394B.exe 2 22->32         started        34 47F4.exe 22->34         started        36 2 other processes 22->36 file11 104 Tries to resolve many domain names, but no domain seems valid 68->104 signatures12 process13 dnsIp14 72 xeronxikxxx.tumblr.com 27->72 74 116.202.183.50, 49720, 80 HETZNER-ASDE Germany 27->74 76 xeronxikxxx.tumblr.com 74.114.154.18, 443, 49719 AUTOMATTICUS Canada 27->76 46 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 27->46 dropped 48 C:\Users\user\AppData\...\mozglue[1].dll, PE32 27->48 dropped 50 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 27->50 dropped 54 9 other files (none is malicious) 27->54 dropped 120 Detected unpacking (changes PE section rights) 27->120 122 Detected unpacking (overwrites its own PE header) 27->122 124 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->124 138 2 other signatures 27->138 52 C:\Users\user\AppData\Local\...\neexnmnb.exe, PE32 32->52 dropped 126 Machine Learning detection for dropped file 32->126 128 Uses netsh to modify the Windows network and firewall settings 32->128 130 Modifies the windows firewall 32->130 132 Sample uses process hollowing technique 34->132 134 Injects a PE file into a foreign processes 34->134 file15 136 Tries to resolve many domain names, but no domain seems valid 72->136 signatures16
Gathering data
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 18:28:15 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jf4rz2rqccdna2662ifqskwxcvfmo5ezprb6qxperu3nvafi5ova._file
Verdict:
suspicious
Similar samples:
4a1f935a5f94e5b3d7d0c79dcd01a96d69650bfeadc4a49d6548b118e82e1e16
Smoke Loader
5d2140c3ab1944f381206aa8d5c3ae0e5c2dad60751d3a2f631b1b08a810baa2
Smoke Loader
6942f06c0718cbc965d52519949816c8c77bc9bca7cc654802ea6841c35fe3b3
Smoke Loader
7a942e775d5086403ce49b70e34987669a6b3467c58de9114878a967039b3fb9
Smoke Loader
7b608f567cdbb7a9ccce2a9937b34bb3b73e178efc3d2b9bc29e5fe905462bee
Smoke Loader
98748a03aeda89cd33105254527ba92b2f7d070b794c648f2e7c823f68030809
Smoke Loader
d6206c05051cd22da3912b1d30df468f0c0571b4b34a8fe2c912f82ff05a8e6a
Smoke Loader
fa04b562a9b95f20ba6ae99375dec999128843910969bc5ccf964df3b5ee7882
Smoke Loader
fe74f3ee571f291acdaa6d0546bc16e7d5feb3ca1bd6ad1fb3c74b73483b871b
Smoke Loader
+ 714 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:517 botnet:824 botnet:828 backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210728-66r94bcjw6/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
xmrig
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
https://xeronxikxxx.tumblr.com/
https://shpak125.tumblr.com/
Unpacked files
SH256 hash:
d065c8a41c2287cb3ed4fd55a1a76c13995937723c7b44cf6d4763a15dea89c1
MD5 hash:
3c9f95cbbd5f3e4ee70435e06de00ddf
SHA1 hash:
7dee35214654080e76fc275eedd5c2d7b1e1453d
Link:
https://www.unpac.me/results/e29d6a87-337c-412d-9c5d-26373dd16c5d/
SH256 hash:
49791cea301086d06bded20b092ad7154ac774997c43e85de48d36da80a8ebaa
MD5 hash:
793dcf17dbc9db275442b93296d17515
SHA1 hash:
636d14e8a12162714cddbfff0e0811c6b07aa716
Link:
https://www.unpac.me/results/e29d6a87-337c-412d-9c5d-26373dd16c5d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49791cea301086d06bded20b092ad7154ac774997c43e85de48d36da80a8ebaa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 49791cea301086d06bded20b092ad7154ac774997c43e85de48d36da80a8ebaa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1476557/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174804/

Comments