MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d2140c3ab1944f381206aa8d5c3ae0e5c2dad60751d3a2f631b1b08a810baa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d2140c3ab1944f381206aa8d5c3ae0e5c2dad60751d3a2f631b1b08a810baa2
SHA3-384 hash: d255a2b5f52c38ee9809a949c2fa234e71eb332e804f46a65f891945b4d35faf58625c3367d9007d535015cf393ca5ad
SHA1 hash: c4b1d87414151163e7ad855fe05c50fa5e7fa9bf
MD5 hash: 767c7ee8eee39d9754b4478270d270e2
humanhash: wyoming-stream-september-snake
File name:767c7ee8eee39d9754b4478270d270e2.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:244'224 bytes
First seen:2021-07-28 17:53:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f6beecfd99c1d466bbeeed249a73f82 (1 x Smoke Loader, 1 x RaccoonStealer)
ssdeep 6144:ZKJo49WYAAOdCqrID/uEFJAf5wgUFnQ1tLdLLg9krvYzZo3lnifG0:G9WLAOdFID/9AhwgttxLg9krvYO3lnip
Threatray 4'408 similar samples on MalwareBazaar
TLSH T1A934AE20BED1C035E4B712F849B993BCA53D7AB16B2490CB62D617EE56346E8DC30357
dhash icon ead8a89cc6e68ea0 (25 x RaccoonStealer, 8 x DanaBot, 8 x RedLineStealer)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
767c7ee8eee39d9754b4478270d270e2.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-28 17:56:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/acd5961c-242a-40a9-bb34-2b4ac71df84a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174755/
Detection(s):
Win.Malware.Generic-9881904-0
Create hunting rule

Win.Malware.Generic-9881959-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d364bc5-9dc1-4309-83da-8a20dcd66b03
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823411
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455824 Sample: g5keI4ykVe.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 83 www.google.com 2->83 85 mx01.lytzenitmail.dk 2->85 87 86 other IPs or domains 2->87 99 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for URL or domain 2->103 109 17 other signatures 2->109 11 g5keI4ykVe.exe 2->11         started        14 svchost.exe 2->14         started        16 udjhffd 2->16         started        18 8 other processes 2->18 signatures3 105 System process connects to network (likely due to code injection or exploit) 85->105 107 Tries to resolve many domain names, but no domain seems valid 85->107 process4 dnsIp5 129 Detected unpacking (changes PE section rights) 11->129 21 g5keI4ykVe.exe 11->21         started        131 Changes security center settings (notifications, updates, antivirus, firewall) 14->131 133 Machine Learning detection for dropped file 16->133 89 127.0.0.1 unknown unknown 18->89 91 192.168.2.1 unknown unknown 18->91 signatures6 process7 signatures8 111 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->111 113 Maps a DLL or memory area into another process 21->113 115 Checks if the current machine is a virtual machine (disk enumeration) 21->115 117 Creates a thread in another existing process (thread injection) 21->117 24 explorer.exe 25 21->24 injected process9 dnsIp10 93 readinglistforjuly6.xyz 24->93 95 readinglistforjuly9.xyz 24->95 97 14 other IPs or domains 24->97 57 C:\Users\user\AppData\Roaming\udjhffd, PE32 24->57 dropped 59 C:\Users\user\AppData\Local\Temp\FD9C.exe, PE32 24->59 dropped 61 C:\Users\user\AppData\Local\Temp\F8.exe, PE32 24->61 dropped 63 10 other files (9 malicious) 24->63 dropped 119 System process connects to network (likely due to code injection or exploit) 24->119 121 Benign windows process drops PE files 24->121 123 Performs DNS queries to domains with low reputation 24->123 127 4 other signatures 24->127 29 12BD.exe 24->29         started        33 FD9C.exe 92 24->33         started        36 F2AD.exe 2 24->36         started        38 4 other processes 24->38 file11 125 Tries to resolve many domain names, but no domain seems valid 95->125 signatures12 process13 dnsIp14 65 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 29->65 dropped 135 DLL reload attack detected 29->135 137 Detected unpacking (changes PE section rights) 29->137 139 Machine Learning detection for dropped file 29->139 155 4 other signatures 29->155 77 xeronxikxxx.tumblr.com 33->77 79 116.202.183.50, 49740, 80 HETZNER-ASDE Germany 33->79 81 xeronxikxxx.tumblr.com 74.114.154.22, 443, 49739 AUTOMATTICUS Canada 33->81 67 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 33->67 dropped 69 C:\Users\user\AppData\...\softokn3[1].dll, PE32 33->69 dropped 71 C:\Users\user\AppData\...\freebl3[1].dll, PE32 33->71 dropped 75 9 other files (none is malicious) 33->75 dropped 141 Detected unpacking (overwrites its own PE header) 33->141 143 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->143 157 2 other signatures 33->157 73 C:\Users\user\AppData\Local\...\irzxqsvv.exe, PE32 36->73 dropped 145 Uses netsh to modify the Windows network and firewall settings 36->145 147 Modifies the windows firewall 36->147 40 cmd.exe 36->40         started        43 cmd.exe 36->43         started        45 sc.exe 36->45         started        149 Query firmware table information (likely to detect VMs) 38->149 151 Tries to detect sandboxes and other dynamic analysis tools (window names) 38->151 159 4 other signatures 38->159 47 conhost.exe 38->47         started        file15 153 Tries to resolve many domain names, but no domain seems valid 77->153 signatures16 process17 file18 55 C:\Windows\SysWOW64\...\irzxqsvv.exe (copy), PE32 40->55 dropped 49 conhost.exe 40->49         started        51 conhost.exe 43->51         started        53 conhost.exe 45->53         started        process19
Gathering data
Threat name:
Win32.Trojan.Caynamer
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 14:47:35 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=luqubq5ldfcphajankunlq5obzoc3llaouotul3ddmnqrkaqxkra._file
Verdict:
suspicious
Similar samples:
1f445aea75db35206f00610e21e04bcae95c26155f9fccb3dbbb7b8601ba1404
Smoke Loader
372e3f20168cb6280781e04db5b47a84c3496bde190343f4cb54a7e80c4a0c6e
Smoke Loader
6942f06c0718cbc965d52519949816c8c77bc9bca7cc654802ea6841c35fe3b3
Smoke Loader
7a942e775d5086403ce49b70e34987669a6b3467c58de9114878a967039b3fb9
Smoke Loader
7b608f567cdbb7a9ccce2a9937b34bb3b73e178efc3d2b9bc29e5fe905462bee
Smoke Loader
c97f7b2a1d29e6ab8e802c3c814e1962452a9ab375a0f0c13ef6d4e4edefe9c2
Smoke Loader
e11501c9e16a2f69751da6f5d8d2e5ff3023eea48baf5008a197e20a2ffd66be
Smoke Loader
fa04b562a9b95f20ba6ae99375dec999128843910969bc5ccf964df3b5ee7882
Smoke Loader
+ 4'398 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:517 botnet:824 botnet:828 backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210728-d2ewxpznna/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
xmrig
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
https://xeronxikxxx.tumblr.com/
https://shpak125.tumblr.com/
Unpacked files
SH256 hash:
a072ff0f96f6d1860931b95dafd98722dfb43ff14bc54290451b5e81cb50bf85
MD5 hash:
2ab92457b4aaad3a2e3352a752561a92
SHA1 hash:
4b01947d263d386d8541b2d590a4d7b3f4dd8c87
Link:
https://www.unpac.me/results/455afe4c-be9d-4157-9956-9308f7d53c13/
SH256 hash:
5d2140c3ab1944f381206aa8d5c3ae0e5c2dad60751d3a2f631b1b08a810baa2
MD5 hash:
767c7ee8eee39d9754b4478270d270e2
SHA1 hash:
c4b1d87414151163e7ad855fe05c50fa5e7fa9bf
Link:
https://www.unpac.me/results/455afe4c-be9d-4157-9956-9308f7d53c13/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d2140c3ab1944f381206aa8d5c3ae0e5c2dad60751d3a2f631b1b08a810baa2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 5d2140c3ab1944f381206aa8d5c3ae0e5c2dad60751d3a2f631b1b08a810baa2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1476590/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174755/

Comments