MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ca0e870b471602e5a5fd8e99d7e1821f12bcdccbd86bfbb240627895ad36419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 39 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ca0e870b471602e5a5fd8e99d7e1821f12bcdccbd86bfbb240627895ad36419
SHA3-384 hash: 9f552078114528b7048b8dc3e965c8340cc2882a8bafef3748f29b6180540723d54acb3ef40f46dbf2b08e9b083ec04a
SHA1 hash: b88ca43ef509de9ec235aad496793715553cd61e
MD5 hash: cefb18d7fe4fbd36bcf83b46930298cc
humanhash: violet-video-two-leopard
File name:cefb18d7fe4fbd36bcf83b46930298cc.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:7'597'056 bytes
First seen:2023-02-28 22:25:08 UTC
Last seen:2023-02-28 23:34:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f9644890a52aa13e3e994733d15fcb99 (1 x RecordBreaker, 1 x TrickBot, 1 x Smoke Loader)
ssdeep 196608:9dJpzFkyz68/3vLrZxGcxZ/4F5tIBRvukMugxsuVgrGaZ9kx2:f1P68/TGcxZ/3ujHNV4GaZ9o
TLSH T10D76E122D300705AFCA20076E53B2AF6B6746630638195FB93D5A9C53F726E1FE36943
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f999c898989dbc90 (1 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader


Avatar
abuse_ch
Smoke Loader C2:
85.31.45.177:6218

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
cefb18d7fe4fbd36bcf83b46930298cc.exe
Verdict:
Malicious activity
Analysis date:
2023-02-28 22:30:44 UTC
Tags:
evasion opendir loader trojan rat redline stealer
Link:
https://app.any.run/tasks/89629c6a-f8e4-4ea1-a035-adbd03fa5a8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370722/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.4839.31376.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Sending an HTTP GET request
Replacing files
DNS request
Sending a custom TCP request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Connecting to a non-recommended domain
Sending a UDP request
Forced system process termination
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Launching the process to change the firewall settings
Changing a file
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint packed shell32.dll windows
Link:
https://www.filescan.io/uploads/63fe7f7c93921fa04236115b/reports/420a69d4-e621-4a28-a38b-743d258c2e88/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5ca0e870b471602e5a5fd8e99d7e1821f12bcdccbd86bfbb240627895ad36419
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34e396c8-bd32-441b-a89e-cd93604d8e3f
Result
Threat name:
Fabookie, Glupteba, PrivateLoader, Racco
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1184621
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Fabookie
Yara detected Glupteba
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 817471 Sample: HmNAeKQFxo.exe Startdate: 28/02/2023 Architecture: WINDOWS Score: 100 143 Multi AV Scanner detection for domain / URL 2->143 145 Malicious sample detected (through community Yara rule) 2->145 147 Antivirus detection for URL or domain 2->147 149 21 other signatures 2->149 10 HmNAeKQFxo.exe 11 84 2->10         started        15 svchost.exe 2->15         started        17 svchost.exe 3 2->17         started        19 9 other processes 2->19 process3 dnsIp4 121 87.240.132.78 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 10->121 123 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 10->123 125 20 other IPs or domains 10->125 109 C:\Users\...\woru2xLRSJp7ERbkUP564yIe.exe, PE32 10->109 dropped 111 C:\Users\...\iReUHqmXRB88JaH_nHN07GRr.exe, PE32 10->111 dropped 113 C:\Users\...\aTn5l6UC7JFafCdvFrGqYHyd.exe, PE32 10->113 dropped 115 21 other malicious files 10->115 dropped 163 Creates HTML files with .exe extension (expired dropper behavior) 10->163 165 Disables Windows Defender (deletes autostart) 10->165 167 Tries to harvest and steal browser information (history, passwords, etc) 10->167 173 3 other signatures 10->173 21 8f4zQvdDUbwd2h6uPG8BmJX5.exe 10->21         started        24 9mOnEGy3Wn9J_COdwUR8yT9y.exe 10->24         started        26 IBEKCoHOaHxw4IKdxUzh874f.exe 10->26         started        34 11 other processes 10->34 169 Changes security center settings (notifications, updates, antivirus, firewall) 15->169 171 Query firmware table information (likely to detect VMs) 17->171 30 WerFault.exe 19->30         started        32 WerFault.exe 19->32         started        file5 signatures6 process7 dnsIp8 103 2 other malicious files 21->103 dropped 36 plmm20Is24.exe 21->36         started        91 C:\Users\user\AppData\Local\...\is-MH1UP.tmp, PE32 24->91 dropped 39 is-MH1UP.tmp 24->39         started        127 188.114.96.3 CLOUDFLARENETUS European Union 26->127 93 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 26->93 dropped 95 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 26->95 dropped 97 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 26->97 dropped 105 3 other malicious files 26->105 dropped 151 Tries to steal Mail credentials (via file / registry access) 26->151 153 Tries to harvest and steal browser information (history, passwords, etc) 26->153 129 149.154.167.99 TELEGRAMRU United Kingdom 34->129 131 157.240.252.35 FACEBOOKUS United States 34->131 133 3 other IPs or domains 34->133 99 C:\Users\...\ruy3DBSEDQpcXLBeWYcNUU8M.exe, PE32 34->99 dropped 101 C:\Users\user\AppData\Local\...\heyzweub.exe, PE32 34->101 dropped 107 2 other malicious files 34->107 dropped 155 Writes to foreign memory regions 34->155 157 Allocates memory in foreign processes 34->157 159 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 34->159 161 3 other signatures 34->161 41 cmd.exe 34->41         started        43 aTn5l6UC7JFafCdvFrGqYHyd.exe 34->43         started        45 WerFault.exe 34->45         started        48 10 other processes 34->48 file9 signatures10 process11 dnsIp12 75 C:\Users\user\AppData\...\pltA30WI85.exe, PE32 36->75 dropped 77 C:\Users\user\AppData\...\fugD4899Ue81.exe, PE32 36->77 dropped 50 pltA30WI85.exe 36->50         started        79 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 39->79 dropped 81 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 39->81 dropped 83 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 39->83 dropped 89 7 other files (5 malicious) 39->89 dropped 85 C:\Windows\SysWOW64\...\heyzweub.exe (copy), PE32 41->85 dropped 53 conhost.exe 41->53         started        87 C:\Users\user\AppData\Local\Temp\db.dll, PE32 43->87 dropped 135 52.182.143.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 45->135 55 Conhost.exe 45->55         started        137 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 48->137 139 142.250.203.100 GOOGLEUS United States 48->139 141 8 other IPs or domains 48->141 57 conhost.exe 48->57         started        59 conhost.exe 48->59         started        file13 process14 file15 71 C:\Users\user\AppData\...\plFF84xd66.exe, PE32 50->71 dropped 73 C:\Users\user\AppData\...\esIv88Ij37.exe, PE32 50->73 dropped 61 plFF84xd66.exe 50->61         started        process16 file17 117 C:\Users\user\AppData\...\plph85Eq47.exe, PE32 61->117 dropped 119 C:\Users\user\AppData\...\diur38PN27.exe, PE32 61->119 dropped 64 plph85Eq47.exe 61->64         started        process18 file19 67 C:\Users\user\AppData\...\caRa19cJ94.exe, PE32 64->67 dropped 69 C:\Users\user\AppData\...\bumc53lg93.exe, PE32 64->69 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ca0e870b471602e5a5fd8e99d7e1821f12bcdccbd86bfbb240627895ad36419/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-02-20 17:42:37 UTC
File Type:
PE (Exe)
Extracted files:
6978
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lsqoq4fuofqc4ws73duz27qyehysxtomxwdl7ozeaytyswwtmqmq._file
Verdict:
malicious
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader main spyware stealer vmprotect
Link:
https://tria.ge/reports/230228-2chg8ada7z/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Malware Config
C2 Extraction:
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
23.254.227.214
23.254.227.202
23.254.227.205
208.67.104.60
Unpacked files
SH256 hash:
5ca0e870b471602e5a5fd8e99d7e1821f12bcdccbd86bfbb240627895ad36419
MD5 hash:
cefb18d7fe4fbd36bcf83b46930298cc
SHA1 hash:
b88ca43ef509de9ec235aad496793715553cd61e
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/f351deb6-521b-453d-8446-87235c495125/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ca0e870b471/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ca0e870b471602e5a5fd8e99d7e1821f12bcdccbd86bfbb240627895ad36419

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CoinMiner_Strings
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects mining pool protocol string in Executable
Reference:https://minergate.com/faq/what-pool-address
Rule name:Detect_Tofsee
Create hunting rule
Author:@malgamy12
Description:Detect_Tofsee
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MacOS_Cryptominer_Generic_333129b7
Create hunting rule
Author:Elastic Security
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Tofsee
Create hunting rule
Author:ditekSHen
Description:Detects Tofsee
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:MINER_monero_mining_detection
Create hunting rule
Author:Trellix ATR team
Description:Monero mining software
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:privateloader
Create hunting rule
Author:andretavare5
Description:PrivateLoader pay-per-install malware
Rule name:Privateloader_Main_Component
Create hunting rule
Description:Detects PrivateLoader Main Component
Rule name:PUA_Crypto_Mining_CommandLine_Indicators_Oct21
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects command line parameters often used by crypto mining software
Reference:https://www.poolwatch.io/coin/monero
Rule name:Redline_Hunter
Create hunting rule
Author:Potato
Description:Unpacked RedLine Hunter
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:tofsee_yhub
Create hunting rule
Author:Billy Austin
Description:Detects Tofsee botnet, also known as Gheg
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_PrivateLoader_96ac2734
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Tofsee_26124fe4
Create hunting rule
Author:Elastic Security
Rule name:win_privateloader
Create hunting rule
Rule name:win_privateloader_w0
Create hunting rule
Author:andretavare5
Reference:https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service
Rule name:win_tofsee_w0
Create hunting rule
Author:akrasuski1
Rule name:XMRIG_Monero_Miner
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases
Rule name:XMRIG_Monero_Miner_RID2DC1
Create hunting rule
Author:Florian Roth
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370722/

Comments