MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49ad4fd1bd40286214edaee6edfa7ce8915b6bbd39758a4a93175f48626a478b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49ad4fd1bd40286214edaee6edfa7ce8915b6bbd39758a4a93175f48626a478b
SHA3-384 hash: 5c428a72f73dbe7e148ea96cb5637479628445ed48a8a762dcbb33d823b3960ec131a0de008ef84e8dc1aa933ef66515
SHA1 hash: d0b6e75602ebbd7113b268cce2be2ebe5da5ecac
MD5 hash: bbf8e67c20e51b2e10f4cbc731e9c7f0
humanhash: sodium-delta-mockingbird-grey
File name:bbf8e67c20e51b2e10f4cbc731e9c7f0.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:177'664 bytes
First seen:2021-10-12 08:46:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 613eed189326e5150348769c0b41fcc9 (3 x RedLineStealer, 3 x Smoke Loader)
ssdeep 3072:LWiJ5o2Bf055XwKYC+xa0+DdXsoS9D98aShyuy6Yxe3E:LNjHBfQ5X3Y3xa0Y8Vx98aCbcyE
Threatray 5'675 similar samples on MalwareBazaar
TLSH T15104CF1071A1C476C5A7D5B108B48BF25BBBBD21163291CFBB6C3A3F5EA22C01A7535B
File icon (PE):PE icon
dhash icon 83bcdcac9c8cb484 (3 x Smoke Loader, 2 x RedLineStealer, 2 x Loki)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bbf8e67c20e51b2e10f4cbc731e9c7f0.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-12 10:04:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c7c24ed8-22c3-40b0-b5b0-0054af5e086e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196831/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader43.42506.31912.12691.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96fec809-0733-44cf-9280-d36120948354
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868504
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 500934 Sample: Cu71vDdE5w.exe Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 70 185.215.113.75, 49845, 80 WHOLESALECONNECTIONSNL Portugal 2->70 72 zbv.ckauni.ru 2->72 74 5 other IPs or domains 2->74 94 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->94 96 Multi AV Scanner detection for domain / URL 2->96 98 Antivirus detection for URL or domain 2->98 100 13 other signatures 2->100 10 Cu71vDdE5w.exe 2->10         started        13 avffgsr 2->13         started        15 svchost.exe 1 2->15         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 126 Detected unpacking (changes PE section rights) 10->126 20 Cu71vDdE5w.exe 10->20         started        128 Contains functionality to inject code into remote processes 13->128 130 Injects a PE file into a foreign processes 13->130 92 192.168.2.1 unknown unknown 15->92 signatures6 process7 signatures8 102 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->102 104 Maps a DLL or memory area into another process 20->104 106 Checks if the current machine is a virtual machine (disk enumeration) 20->106 108 Creates a thread in another existing process (thread injection) 20->108 23 explorer.exe 18 20->23 injected process9 dnsIp10 76 192.162.246.70, 49800, 80 DATACHEAP-LLC-ASRU Russian Federation 23->76 78 iselaharty12.club 91.224.22.228, 49780, 49782, 49786 AS-REGRU Russian Federation 23->78 80 3 other IPs or domains 23->80 44 C:\Users\user\AppData\Roaming\avffgsr, PE32 23->44 dropped 46 C:\Users\user\AppData\Local\Temp\CF44.exe, PE32 23->46 dropped 48 C:\Users\user\AppData\Local\Temp\C604.exe, PE32 23->48 dropped 50 7 other files (5 malicious) 23->50 dropped 110 System process connects to network (likely due to code injection or exploit) 23->110 112 Benign windows process drops PE files 23->112 114 Deletes itself after installation 23->114 116 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->116 28 CF44.exe 80 23->28         started        33 A3A5.exe 23->33         started        35 C2FE.exe 3 23->35         started        37 2 other processes 23->37 file11 signatures12 process13 dnsIp14 82 5.181.156.229, 49836, 80 MIVOCLOUDMD Moldova Republic of 28->82 84 tgmirror.top 104.21.61.215, 49835, 80 CLOUDFLARENETUS United States 28->84 86 telemirror.top 28->86 52 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 28->52 dropped 54 C:\Users\user\AppData\...\vcruntime140.dll, PE32 28->54 dropped 56 C:\Users\user\AppData\...\ucrtbase.dll, PE32 28->56 dropped 66 56 other files (none is malicious) 28->66 dropped 132 Detected unpacking (changes PE section rights) 28->132 134 Detected unpacking (overwrites its own PE header) 28->134 136 Tries to steal Mail credentials (via file access) 28->136 138 Contains functionality to steal Internet Explorer form passwords 28->138 88 mas.to 88.99.75.82, 443, 49833 HETZNER-ASDE Germany 33->88 90 65.108.80.190, 49837, 80 ALABANZA-BALTUS United States 33->90 58 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 33->58 dropped 60 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 33->60 dropped 62 C:\Users\user\AppData\...\freebl3[1].dll, PE32 33->62 dropped 68 9 other files (none is malicious) 33->68 dropped 140 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->140 142 Tries to harvest and steal browser information (history, passwords, etc) 33->142 144 Tries to steal Crypto Currency Wallets 33->144 146 Query firmware table information (likely to detect VMs) 35->146 148 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->148 150 Hides threads from debuggers 35->150 152 Tries to detect sandboxes / dynamic malware analysis system (registry check) 35->152 39 conhost.exe 35->39         started        64 C:\Users\user\AppData\Local\...\nhqanqvh.exe, PE32 37->64 dropped 154 Injects a PE file into a foreign processes 37->154 41 A572.exe 37->41         started        file15 signatures16 process17 signatures18 118 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->118 120 Maps a DLL or memory area into another process 41->120 122 Checks if the current machine is a virtual machine (disk enumeration) 41->122 124 Creates a thread in another existing process (thread injection) 41->124
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/49ad4fd1bd40286214edaee6edfa7ce8915b6bbd39758a4a93175f48626a478b/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jgwu7un5iaugefhnv3to36t45civw255hf2yusutc5puqytki6fq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0091825486c2d7cfdee49e98c6795be8d32a7f50a68e0d33542b1f047fb7ed7a
Smoke Loader
1561d6849d0b3394ab23968ba921e3c9af313ecf90cf2911b64889536c080dd4
Smoke Loader
323a27a7f2a664921d46c965f0c8d5977fb6c8fce20ba04e208c2945b7abdbba
Smoke Loader
3f19653a117fe3c7b00b53a2ac212503b2d4a0d4650a2e95788d2b2b5cc7a981
Smoke Loader
4eb02a90be27af84c49a2f62da8e179e5117d82db4e25c7a2c80e2954583bdb3
Smoke Loader
8136e992f634fec74c2c923edc4cf43ab8601dd3dc229bb3fde7d798e644beae
Smoke Loader
8694a45a295efd9a5114eca3c41fd4338e6ba029f497be4f66035ebf375cbd38
Smoke Loader
8b59d8f1ea4fb412eb2064b4243c6f2dcc4efd26b78e3eae92c9daf6f6a70b7b
Smoke Loader
8e0bf87628ea9c37fd9a0ca40fbbac0bf8d219f2f514efad2f63e0ba90cf7dd4
Smoke Loader
9535b07e3af3a051c0de3169f11aed4e5f7dd52d651e739f16db250bc631def5
Smoke Loader
+ 5'665 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:raccoon family:redline family:smokeloader family:vidar botnet:1033 botnet:159 botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 botnet:fbe5e97e7d069407605ee9138022aa82166657e6 backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/211012-kpv6eabhg3/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
RedLine Payload
SmokeLoader
Vidar
Arkei
Raccoon
RedLine
Malware Config
C2 Extraction:
http://linavanandr11.club/
http://iselaharty12.club/
http://giovaninardo13.club/
http://zayneliann14.club/
http://zorinosali15.club/
https://mas.to/@oleg98
190.2.136.29:3279
Unpacked files
SH256 hash:
44d561fa45b325317126cacc8ebdb223235f76b34e0ed76dd50e7b0710d62a8d
MD5 hash:
f41ebae062405a696d868198d645f6d6
SHA1 hash:
17dac108dc94c7493289ff6a53fb96b3682af20a
Link:
https://www.unpac.me/results/910c5a6d-1e56-4aee-ae18-1e6301a756f0/
SH256 hash:
49ad4fd1bd40286214edaee6edfa7ce8915b6bbd39758a4a93175f48626a478b
MD5 hash:
bbf8e67c20e51b2e10f4cbc731e9c7f0
SHA1 hash:
d0b6e75602ebbd7113b268cce2be2ebe5da5ecac
Link:
https://www.unpac.me/results/910c5a6d-1e56-4aee-ae18-1e6301a756f0/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/49ad4fd1bd40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49ad4fd1bd40286214edaee6edfa7ce8915b6bbd39758a4a93175f48626a478b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 49ad4fd1bd40286214edaee6edfa7ce8915b6bbd39758a4a93175f48626a478b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1660824/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196831/

Comments