MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d1ccaf2c694a1685f8334f152780a68603f7353619549a3424a33a72d118223. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d1ccaf2c694a1685f8334f152780a68603f7353619549a3424a33a72d118223
SHA3-384 hash: 89040c59a37b7fb87c37bc5c66d9537a2c0f051ef67aadf51099f4f5667e1ce9b07184da1ec5b29a94db73f92ecd3637
SHA1 hash: 784f459bb1c784e408e46bb5c7676b45c674fa6c
MD5 hash: a9955bb7308db42bbfbe87544f0f2c08
humanhash: twelve-fruit-idaho-alabama
File name:a9955bb7308db42bbfbe87544f0f2c08
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:234'496 bytes
First seen:2021-11-08 18:48:25 UTC
Last seen:2021-11-08 22:22:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c8725b7ab8753c936cc4c98a181b2488 (11 x RaccoonStealer, 8 x RedLineStealer, 1 x Smoke Loader)
ssdeep 3072:GMzE8396sFbRA6WU3FGNnffro4r6EgVWrxpzbgqruXhs7sxkgaBChU/pZa9uD6VM:1esFbRAfqsnf/FSuzbgwu6QigabwVf
TLSH T1D8349D3176E8E971E0A31E3048B586E41A7BFC625970500BF650679F1EB3F9C86E235E
File icon (PE):PE icon
dhash icon fcfc94d4d4d4d8c0 (24 x RaccoonStealer, 21 x RedLineStealer, 9 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/203354/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.31409.5420.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet greyware lockbit packed virus
Link:
https://www.filescan.io/uploads/61897120a00afa9663a11bbc/reports/8c74c3db-0f07-4748-bebd-f17bcccbbca6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c65dbd8b-601c-4325-9877-93d3a9104172
Result
Threat name:
Clipboard Hijacker Raccoon RedLine Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885489
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 517958 Sample: 9CT2pgn9uz Startdate: 08/11/2021 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Antivirus detection for URL or domain 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 11 other signatures 2->84 9 9CT2pgn9uz.exe 2->9         started        12 SmartClock.exe 2->12         started        process3 signatures4 108 Detected unpacking (changes PE section rights) 9->108 110 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->110 112 Maps a DLL or memory area into another process 9->112 114 2 other signatures 9->114 14 explorer.exe 6 9->14 injected process5 dnsIp6 64 nutriescapa.com 85.143.175.87, 49794, 49805, 80 TRADERSOFTRU Russian Federation 14->64 66 218.51.156.7, 49782, 49798, 49822 SKB-ASSKBroadbandCoLtdKR Korea Republic of 14->66 68 9 other IPs or domains 14->68 50 C:\Users\user\AppData\Roaming\redhauw, PE32 14->50 dropped 52 C:\Users\user\AppData\Local\Temp\F3EC.exe, PE32 14->52 dropped 54 C:\Users\user\AppData\Local\Temp\ABA6.exe, PE32 14->54 dropped 56 4 other files (3 malicious) 14->56 dropped 70 System process connects to network (likely due to code injection or exploit) 14->70 72 Benign windows process drops PE files 14->72 74 Deletes itself after installation 14->74 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->76 19 F3EC.exe 80 14->19         started        24 redhauw 14->24         started        26 ABA6.exe 5 14->26         started        28 4 other processes 14->28 file7 signatures8 process9 dnsIp10 58 194.180.174.182, 49864, 80 MIVOCLOUDMD unknown 19->58 60 91.219.236.162, 49863, 80 SERVERASTRA-ASHU Hungary 19->60 40 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 19->40 dropped 42 C:\Users\user\AppData\...\vcruntime140.dll, PE32 19->42 dropped 44 C:\Users\user\AppData\...\ucrtbase.dll, PE32 19->44 dropped 48 56 other files (none is malicious) 19->48 dropped 86 Detected unpacking (changes PE section rights) 19->86 88 Detected unpacking (overwrites its own PE header) 19->88 90 Tries to steal Mail credentials (via file / registry access) 19->90 92 Tries to harvest and steal browser information (history, passwords, etc) 19->92 30 cmd.exe 19->30         started        94 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 24->94 96 Maps a DLL or memory area into another process 24->96 98 Checks if the current machine is a virtual machine (disk enumeration) 24->98 100 Creates a thread in another existing process (thread injection) 24->100 32 WerFault.exe 24->32         started        62 185.215.113.29, 1102, 49862 WHOLESALECONNECTIONSNL Portugal 26->62 102 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->102 104 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 26->104 46 C:\Users\user\AppData\...\SmartClock.exe, PE32 28->46 dropped 106 Contains functionality to infect the boot sector 28->106 34 SmartClock.exe 28->34         started        file11 signatures12 process13 process14 36 conhost.exe 30->36         started        38 timeout.exe 30->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d1ccaf2c694a1685f8334f152780a68603f7353619549a3424a33a72d118223/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 18:49:04 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:smokeloader botnet:fcdc156d3872c18d25e3ee45499599b45e492a67 backdoor stealer trojan
Link:
https://tria.ge/reports/211108-xgb4sachc6/
Behaviour
Checks SCSI registry key(s)
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://misha.at/upload/
http://roohaniinfra.com/upload/
http://0axqpcc.cn/upload/
http://mayak-lombard.ru/upload/
http://mebel-lass.ru/upload/
http://dishakhan.com/upload/
Unpacked files
SH256 hash:
2d42354cb59833a247375928187032beead3c641520e36824fce6f48b126d8a6
MD5 hash:
38fa5abed729083474ad8e1084b03b6d
SHA1 hash:
707a3feb91f1242f57bdd9fb6b3852462b64a985
Link:
https://www.unpac.me/results/a42add57-8609-4b83-a1b0-9c16adc58271/
SH256 hash:
5d1ccaf2c694a1685f8334f152780a68603f7353619549a3424a33a72d118223
MD5 hash:
a9955bb7308db42bbfbe87544f0f2c08
SHA1 hash:
784f459bb1c784e408e46bb5c7676b45c674fa6c
Link:
https://www.unpac.me/results/a42add57-8609-4b83-a1b0-9c16adc58271/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5d1ccaf2c694/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d1ccaf2c694a1685f8334f152780a68603f7353619549a3424a33a72d118223

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 5d1ccaf2c694a1685f8334f152780a68603f7353619549a3424a33a72d118223

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1766412/
Cape
Cape
https://www.capesandbox.com/analysis/203354/

Comments


Avatar
zbet commented on 2021-11-08 18:48:26 UTC

url : hxxp://perspectivimmo.com/loads3.exe