MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c159ff2d426778dc4da2ddace2e2b6baf4d46d0fd724f5d8f73c2a77688b3fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c159ff2d426778dc4da2ddace2e2b6baf4d46d0fd724f5d8f73c2a77688b3fc
SHA3-384 hash: b971ff8e9c701ab158758a28ff0c185a49b04e61166e9788a08b59f24d570ab61e619aac7eaa48b04a76c1eac6e641c6
SHA1 hash: a54cbd0e05b443b6046cd375a27364ec63f2c880
MD5 hash: 0eb072ff4837ba3c56e39c934535c73e
humanhash: connecticut-floor-utah-cola
File name:0eb072ff4837ba3c56e39c934535c73e.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:272'384 bytes
First seen:2022-04-14 13:50:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94b2a109e36c2af8f2a1ba35e83f978c (1 x AZORult, 1 x Smoke Loader, 1 x DanaBot)
ssdeep 6144:4EeVlztAdH1bnQZg8yjzYAFfyemib6gm8bbu:nMBtAdVbnQG8yoAhyqOgmAa
Threatray 170 similar samples on MalwareBazaar
TLSH T1DF449E40BBB0D03DE1B752F87D7983AC683A7DA15B2451CB62D62AEE16342D0DCB531B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
515
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0eb072ff4837ba3c56e39c934535c73e.exe
Verdict:
No threats detected
Analysis date:
2022-04-14 17:38:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/62232429-5d24-4695-b893-65f2c5d8e0bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263758/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.39670.25349.4760.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13879/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/625826cbeab80a7a6c135cea/reports/5279f40b-ec32-4ad1-b15c-169b7dd28555/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e4244955-bdfe-4c07-8af5-ff88b199e438
Result
Threat name:
DanaBot RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/976915
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected DanaBot stealer dll
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 609403 Sample: 6nB45p9h7n.exe Startdate: 14/04/2022 Architecture: WINDOWS Score: 100 46 gerer.at 2->46 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 74 13 other signatures 2->74 9 6nB45p9h7n.exe 2->9         started        12 uurthgu 2->12         started        signatures3 process4 signatures5 90 Detected unpacking (changes PE section rights) 9->90 92 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->92 94 Maps a DLL or memory area into another process 9->94 96 Creates a thread in another existing process (thread injection) 9->96 14 explorer.exe 4 9->14 injected 98 Multi AV Scanner detection for dropped file 12->98 100 Machine Learning detection for dropped file 12->100 102 Checks if the current machine is a virtual machine (disk enumeration) 12->102 process6 dnsIp7 54 37.75.37.31, 49769, 49815, 80 VFM-ASVodafoneMaltaLtdASMT Malta 14->54 56 189.156.119.68, 49735, 49738, 49781 UninetSAdeCVMX Mexico 14->56 58 6 other IPs or domains 14->58 38 C:\Users\user\AppData\Roaming\uurthgu, PE32 14->38 dropped 40 C:\Users\user\AppData\Local\Temp\B18F.exe, PE32 14->40 dropped 42 C:\Users\user\AppData\Local\Temp\4A78.exe, PE32 14->42 dropped 44 C:\Users\user\...\uurthgu:Zone.Identifier, ASCII 14->44 dropped 60 System process connects to network (likely due to code injection or exploit) 14->60 62 Benign windows process drops PE files 14->62 64 Deletes itself after installation 14->64 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->66 19 4A78.exe 15 5 14->19         started        23 B18F.exe 3 14->23         started        file8 signatures9 process10 dnsIp11 48 193.150.103.38, 49816, 80 ASGENERALTELRU Russian Federation 19->48 50 api.ip.sb 19->50 76 Multi AV Scanner detection for dropped file 19->76 78 Detected unpacking (changes PE section rights) 19->78 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->80 88 6 other signatures 19->88 82 Machine Learning detection for dropped file 23->82 84 Overwrites code with function prologues 23->84 86 Tries to detect virtualization through RDTSC time measurements 23->86 25 rundll32.exe 13 23->25         started        30 WerFault.exe 10 23->30         started        32 WerFault.exe 10 23->32         started        34 3 other processes 23->34 signatures12 process13 dnsIp14 52 104.168.167.51, 443, 49832 HOSTWINDSUS United States 25->52 36 C:\Users\user\AppData\Local\...\Ywsqofqth.tmp, DOS 25->36 dropped 104 System process connects to network (likely due to code injection or exploit) 25->104 106 Delayed program exit found 25->106 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c159ff2d426778dc4da2ddace2e2b6baf4d46d0fd724f5d8f73c2a77688b3fc/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 13:51:07 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1b2ff2a125694851ba8469c670bc5d3a741d67a62f3c0d12704ee6c6b161c688
Smoke Loader
4a4a4c441355bbf90def9ab2aec89335f93237487e670df04b3d63c65b5be25a
Smoke Loader
5d3bfab0a36f78c6d14878a9a5dba9fd896a9d515aa5f7cd3b9dc5587bdd9a02
Smoke Loader
8704c0b6842fd04928290c56a7cacb70e920c1af0ebad2bc981d5005345377b8
Smoke Loader
b8077e0188612ac0f1e80dfe7fb572fb177c9555aab732c59dd825c5166fa349
Smoke Loader
+ 160 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor evasion trojan
Link:
https://tria.ge/reports/220414-q5tkeabchm/
Behaviour
Checks SCSI registry key(s)
Gathers network information
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Deletes itself
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
SmokeLoader
Malware Config
C2 Extraction:
http://gerer.at/upload/
http://pass-finger.com/upload/
http://meet-ru.ru/upload/
http://elroisolutions.com/upload/
http://gebzetuning.com/upload/
http://les-pub.com/upload/
http://mordo.ru/upload/
http://pkodev.net/upload/
http://autocarsjames.com/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
Unpacked files
SH256 hash:
03e66ab958e02f11af35c3ac6c828630b305942bb299c3533072494bcaed20ce
MD5 hash:
60f5fffaffc0f24c3c69b2254df239ed
SHA1 hash:
2df0b0a759ec0b066f8398c2c19db87f6c07dc30
Link:
https://www.unpac.me/results/bb5119fd-dc6b-4042-bd93-2be07905a185/
SH256 hash:
5c159ff2d426778dc4da2ddace2e2b6baf4d46d0fd724f5d8f73c2a77688b3fc
MD5 hash:
0eb072ff4837ba3c56e39c934535c73e
SHA1 hash:
a54cbd0e05b443b6046cd375a27364ec63f2c880
Link:
https://www.unpac.me/results/bb5119fd-dc6b-4042-bd93-2be07905a185/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c159ff2d426778dc4da2ddace2e2b6baf4d46d0fd724f5d8f73c2a77688b3fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263758/

Comments