MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57fb96b12db08b18906ce22c7e55b81a214ede326166e772ae87412281044497. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57fb96b12db08b18906ce22c7e55b81a214ede326166e772ae87412281044497
SHA3-384 hash: 375954d8cec520c5acbc861552d3d9460009526aff6c037dfbcb75fe5de9868eaa02699e84549e03c9795421d62af0c6
SHA1 hash: 76ab68f1517d039d9ea6d7ab3bca9aed456e4466
MD5 hash: 231871298cc5d5fe7445dfad16f2dbf9
humanhash: maryland-robin-bakerloo-burger
File name:231871298cc5d5fe7445dfad16f2dbf9.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:142'848 bytes
First seen:2021-08-24 15:36:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e77a5228ebd8b068a37deeb2c688fdb (6 x RaccoonStealer, 3 x RedLineStealer, 2 x Smoke Loader)
ssdeep 1536:Fah9990FQ4Ir4Q99k45XxO9/EBJKMbBW8aIyznu2xAB5PfmeDKcBriobhO2Yp2:AgG4QFQxEBMUBRalnC5POw3gM
Threatray 5'603 similar samples on MalwareBazaar
TLSH T17ED3AD1235E0C437D4564A7148D1DBA0EA3BF8222BB55B8337E85B6E7E253D0772D3A2
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
231871298cc5d5fe7445dfad16f2dbf9.exe
Verdict:
No threats detected
Analysis date:
2021-08-24 15:39:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4b094ad5-a55f-42d7-a344-73e73fbd171a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181960/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.63863.22582.28651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b460e21-5838-4c6f-93ea-505faef7cd7d
Result
Threat name:
KPot RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838416
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected KPot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 470848 Sample: CZ1mbObuMY.exe Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 45 kpotuvorot10.bit 2->45 47 gorokborotun782699.com 2->47 49 2 other IPs or domains 2->49 69 Found malware configuration 2->69 71 Antivirus detection for URL or domain 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 7 other signatures 2->75 9 CZ1mbObuMY.exe 2->9         started        12 wagseej 2->12         started        signatures3 process4 signatures5 97 Detected unpacking (changes PE section rights) 9->97 99 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->99 101 Maps a DLL or memory area into another process 9->101 103 Creates a thread in another existing process (thread injection) 9->103 14 explorer.exe 4 9->14 injected 105 Multi AV Scanner detection for dropped file 12->105 107 Machine Learning detection for dropped file 12->107 109 Checks if the current machine is a virtual machine (disk enumeration) 12->109 process6 dnsIp7 55 193.142.59.123, 49752, 49767, 49778 HOSTSLICK-GERMANYNL Netherlands 14->55 57 193.142.59.248, 80 HOSTSLICK-GERMANYNL Netherlands 14->57 59 4 other IPs or domains 14->59 39 C:\Users\user\AppData\Roaming\wagseej, PE32 14->39 dropped 41 C:\Users\user\AppData\Local\Temp\3976.exe, PE32 14->41 dropped 43 C:\Users\user\...\wagseej:Zone.Identifier, ASCII 14->43 dropped 61 System process connects to network (likely due to code injection or exploit) 14->61 63 Benign windows process drops PE files 14->63 65 Deletes itself after installation 14->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->67 19 B168.exe 2 4 14->19         started        23 8565.exe 3 14->23         started        25 3976.exe 15 25 14->25         started        28 33A2E4F0.exe 14->28         started        file8 signatures9 process10 dnsIp11 37 C:\ProgramData\...\33A2E4F0.exe, PE32 19->37 dropped 77 Detected unpacking (changes PE section rights) 19->77 79 Creates autostart registry keys with suspicious names 19->79 30 33A2E4F0.exe 19->30         started        81 Query firmware table information (likely to detect VMs) 23->81 83 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->83 85 Hides threads from debuggers 23->85 87 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->87 33 conhost.exe 23->33         started        51 185.215.113.29, 49763, 8678 WHOLESALECONNECTIONSNL Portugal 25->51 53 api.ip.sb 25->53 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->89 91 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 25->91 93 Tries to harvest and steal browser information (history, passwords, etc) 25->93 95 Tries to steal Crypto Currency Wallets 25->95 35 conhost.exe 25->35         started        file12 signatures13 process14 signatures15 111 Detected unpacking (changes PE section rights) 30->111 113 Machine Learning detection for dropped file 30->113 115 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 30->115
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57fb96b12db08b18906ce22c7e55b81a214ede326166e772ae87412281044497/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 15:21:57 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0b52e92d8ece1d9c7395b04335a6b95a9c744404eceb4330d88fe1237e9200c4
Smoke Loader
3f3fecd695146b28e051593aabcd535dc366932c08bf0011ae997ad6b7e39147
Smoke Loader
493c4a7f6cdc0c6b3388b268aa38975c1bb52ea67f6415723a06a14213ee5d14
Smoke Loader
57b6d02c4b8d4153680004aecf35f8328a6f33c59b2ac7c7ee4ecb4e5af46465
Smoke Loader
60ab0131b6fa420a6a8039b60ac948db87033e9a8db69b16344e3d9222859556
Smoke Loader
7fefb4ac689e7334f5d66e01673dda50a293bbd7bca0bf3da972f01d32f54587
Smoke Loader
8f6aeab4ba06d05d419fa32d5d13df4c21636e926549ea58cb686e4b1b6c92ba
Smoke Loader
c55df5e9d0ea176321a29f8957c7a43188796ae0fc0ffe1ae94ad6092d30ba77
Smoke Loader
ecc608dedd0b55df6c75aeffcd51e11f3fd50d7422e4a1b26d4515a18419b9c4
Smoke Loader
f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc
Smoke Loader
+ 5'593 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:mix1 backdoor discovery infostealer persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210824-ssel1rqf36/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.29:8678
185.167.97.37:30900
Unpacked files
SH256 hash:
18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2
MD5 hash:
f2fecf6872ad4c61a3a506159fddd4fc
SHA1 hash:
28e039eb96dcf58841992280c66433a2bbab8e84
Link:
https://www.unpac.me/results/df5c6e62-4492-4340-8563-a42072a3da3e/
SH256 hash:
57fb96b12db08b18906ce22c7e55b81a214ede326166e772ae87412281044497
MD5 hash:
231871298cc5d5fe7445dfad16f2dbf9
SHA1 hash:
76ab68f1517d039d9ea6d7ab3bca9aed456e4466
Link:
https://www.unpac.me/results/df5c6e62-4492-4340-8563-a42072a3da3e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/57fb96b12db0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57fb96b12db08b18906ce22c7e55b81a214ede326166e772ae87412281044497

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 57fb96b12db08b18906ce22c7e55b81a214ede326166e772ae87412281044497

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1545011/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1559349/
Cape
Cape
https://www.capesandbox.com/analysis/181960/

Comments