MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57b6d02c4b8d4153680004aecf35f8328a6f33c59b2ac7c7ee4ecb4e5af46465. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57b6d02c4b8d4153680004aecf35f8328a6f33c59b2ac7c7ee4ecb4e5af46465
SHA3-384 hash: fde232980c75116d3f5bdb88fd5387cd46b3a745d1729fb13fa81e972c7e9d5512e8ed0b6557a3821176eda58ca7bd0a
SHA1 hash: cc5bf2092a79cb4fc5c129882c6ef80cecaddfd3
MD5 hash: 8905c96d588cd083bc46fae8fd019049
humanhash: sixteen-west-ohio-mike
File name:8905c96d588cd083bc46fae8fd019049.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:142'848 bytes
First seen:2021-08-24 13:44:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e77a5228ebd8b068a37deeb2c688fdb (6 x RaccoonStealer, 3 x RedLineStealer, 2 x Smoke Loader)
ssdeep 1536:B5hDN0FQ4I74Q99kiRygOY1PIT3JNv/jjYYvexu5Z0Nqeo799BriobhO2Yp2:Y24QOgOYWT5p/jdIu5Z0Nv8BgM
Threatray 3'544 similar samples on MalwareBazaar
TLSH T1A4D3AD1131E0E077D45249B148DDDAE1F63AF9622BB54C8727E89B5F6F303D0BA29352
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
assassins_1802jxa3st5ie.zip
Verdict:
Malicious activity
Analysis date:
2021-08-24 12:50:39 UTC
Tags:
evasion trojan stealer vidar opendir loader rat redline unwanted netsupport danabot phishing backdoor dcrat
Link:
https://app.any.run/tasks/ad6e51d2-1711-4a75-88cd-e8231da36e37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181926/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.22985.12949.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68208c43-e72f-4861-a39b-008433dacef2
Result
Threat name:
KPot RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838367
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected KPot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 470801 Sample: T1sh2Oit0f.exe Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 52 spinogriz91076299.io 2->52 54 kpotuvorot10.bit 2->54 56 4 other IPs or domains 2->56 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 Antivirus detection for URL or domain 2->70 72 8 other signatures 2->72 10 T1sh2Oit0f.exe 2->10         started        13 vergwbr 2->13         started        15 vergwbr 2->15         started        signatures3 process4 signatures5 94 Detected unpacking (changes PE section rights) 10->94 96 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->96 98 Maps a DLL or memory area into another process 10->98 17 explorer.exe 2 10->17 injected 100 Multi AV Scanner detection for dropped file 13->100 102 Machine Learning detection for dropped file 13->102 104 Checks if the current machine is a virtual machine (disk enumeration) 13->104 106 Creates a thread in another existing process (thread injection) 15->106 process6 dnsIp7 46 atvcampingtrips.com 110.14.121.123, 49722, 49723, 49725 SKB-ASSKBroadbandCoLtdKR Korea Republic of 17->46 48 193.142.59.248, 80 HOSTSLICK-GERMANYNL Netherlands 17->48 50 4 other IPs or domains 17->50 40 C:\Users\user\AppData\Roaming\vergwbr, PE32 17->40 dropped 42 C:\Users\user\...\vergwbr:Zone.Identifier, ASCII 17->42 dropped 74 System process connects to network (likely due to code injection or exploit) 17->74 76 Benign windows process drops PE files 17->76 78 Deletes itself after installation 17->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->80 22 5146.exe 2 4 17->22         started        26 2EA9.exe 3 17->26         started        29 33A2E4F0.exe 17->29         started        31 33A2E4F0.exe 17->31         started        file8 signatures9 process10 dnsIp11 44 C:\ProgramData\...\33A2E4F0.exe, PE32 22->44 dropped 82 Detected unpacking (changes PE section rights) 22->82 84 Creates autostart registry keys with suspicious names 22->84 33 33A2E4F0.exe 22->33         started        58 188.124.36.242, 25802, 49769 SELECTELRU Russian Federation 26->58 86 Query firmware table information (likely to detect VMs) 26->86 88 Tries to detect sandboxes and other dynamic analysis tools (window names) 26->88 90 Hides threads from debuggers 26->90 92 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->92 36 conhost.exe 26->36         started        file12 signatures13 process14 signatures15 60 Detected unpacking (changes PE section rights) 33->60 62 Machine Learning detection for dropped file 33->62 64 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 33->64 38 WerFault.exe 20 1 33->38         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57b6d02c4b8d4153680004aecf35f8328a6f33c59b2ac7c7ee4ecb4e5af46465/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 13:45:08 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k63nalclrvavg2aaasxm6npygkfg6m6ftmvmpr7oj3fu4wxumrsq._file
Verdict:
suspicious
Similar samples:
0b52e92d8ece1d9c7395b04335a6b95a9c744404eceb4330d88fe1237e9200c4
Smoke Loader
3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
Smoke Loader
8a9f3452db181e6a402c1c2b5f4848c657535bf94572a12eee70a57721f9931b
Smoke Loader
8eea00bd7d1db820c7a1b5622119b76944215e5803c2e8b772b9548e9ee91c66
Smoke Loader
8f6aeab4ba06d05d419fa32d5d13df4c21636e926549ea58cb686e4b1b6c92ba
Smoke Loader
959ed9b65f2c1dff0e7f16367b4f8b04dc091350219a80b63d58e50799e58ce3
Smoke Loader
95d9e11ec01f83253ab4bd861de609f52b101c160214612d5ffa615f3c931a7c
Smoke Loader
d775f62d097e069293b27267d7efd95862e55e7ecc5e23e9c3ea532c39321b0e
Smoke Loader
dbb1ffb8a8b13b389fd8aff976808226333bc23d8aafc33111b88206f498fcea
Smoke Loader
+ 3'534 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:mix1 backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210824-q94d4ht9mn/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.29:8678
185.167.97.37:30900
Unpacked files
SH256 hash:
18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2
MD5 hash:
f2fecf6872ad4c61a3a506159fddd4fc
SHA1 hash:
28e039eb96dcf58841992280c66433a2bbab8e84
Link:
https://www.unpac.me/results/97202a2a-7255-4eb0-8d6b-46fc2061a722/
SH256 hash:
57b6d02c4b8d4153680004aecf35f8328a6f33c59b2ac7c7ee4ecb4e5af46465
MD5 hash:
8905c96d588cd083bc46fae8fd019049
SHA1 hash:
cc5bf2092a79cb4fc5c129882c6ef80cecaddfd3
Link:
https://www.unpac.me/results/97202a2a-7255-4eb0-8d6b-46fc2061a722/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/57b6d02c4b8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57b6d02c4b8d4153680004aecf35f8328a6f33c59b2ac7c7ee4ecb4e5af46465

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 57b6d02c4b8d4153680004aecf35f8328a6f33c59b2ac7c7ee4ecb4e5af46465

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/181926/
  
URLhaus
https://urlhaus.abuse.ch/url/1545011/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1559349/

Comments