MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63761462358e1f880dafe51b3de8036f10bc60354b981cddc8075aed22e1251d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63761462358e1f880dafe51b3de8036f10bc60354b981cddc8075aed22e1251d
SHA3-384 hash: ed2b40e64276006cda6952b9e35ddaba2cf46952502cc54b42969c29f4568eb8fef0c3a056cc256e912da073b436dc79
SHA1 hash: dd25501c1958af1885ec0b47c10e0cad54c6d994
MD5 hash: d3095534ef1a54fcc96985729c70c932
humanhash: freddie-uncle-venus-march
File name:d3095534ef1a54fcc96985729c70c932
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:303'104 bytes
First seen:2021-06-13 19:50:05 UTC
Last seen:2021-06-13 20:35:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f48d40448beb628ea5f30fab00d7ea57 (3 x Smoke Loader, 1 x RaccoonStealer)
ssdeep 6144:8Qsv02LxBGSZSl4QxbZeBQ51jZ3ADgbLTvRwpzC2lA:/i02LDGS4m+1nbvmzrlA
TLSH B4548D1067A1C0B5F2F312F889B69F79A5AD3AB0577450DF53C22AEE5634AE0AD30707
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d3095534ef1a54fcc96985729c70c932
Verdict:
Suspicious activity
Analysis date:
2021-06-13 19:52:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f95b28a-56fc-43fe-ae17-2f24b9f8d092

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Troj.Kryptik-TR.27651.25271.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Connection attempt to an infection source
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6259a7f6-cef1-41dc-a997-47f9c8e870df
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/801396
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 433792 Sample: 051y0i7M8q Startdate: 13/06/2021 Architecture: WINDOWS Score: 100 92 999080321test481-service10020125999080321.ru 2->92 94 a0550192.xsph.ru 2->94 96 10 other IPs or domains 2->96 122 Multi AV Scanner detection for domain / URL 2->122 124 Found malware configuration 2->124 126 Antivirus detection for URL or domain 2->126 130 14 other signatures 2->130 9 explorer.exe 20 2->9         started        14 wbhgtwb 2->14         started        16 laeiylcc.exe 2->16         started        18 9 other processes 2->18 signatures3 128 Tries to resolve many domain names, but no domain seems valid 94->128 process4 dnsIp5 110 999080321yomtest251-service10020125999080321.ru 9->110 112 999080321yirtest231-service10020125999080321.ru 9->112 116 72 other IPs or domains 9->116 78 C:\Users\user\AppData\Roaming\wbhgtwb, PE32 9->78 dropped 80 C:\Users\user\AppData\Local\Temp\FFE3.exe, PE32 9->80 dropped 82 C:\Users\user\AppData\Local\Temp\F6E9.exe, PE32 9->82 dropped 84 7 other files (5 malicious) 9->84 dropped 158 System process connects to network (likely due to code injection or exploit) 9->158 160 Benign windows process drops PE files 9->160 162 Performs DNS queries to domains with low reputation 9->162 180 2 other signatures 9->180 20 E60F.exe 9->20         started        25 DC1B.exe 9->25         started        27 explorer.exe 9->27         started        35 14 other processes 9->35 164 DLL reload attack detected 14->164 166 Detected unpacking (changes PE section rights) 14->166 168 Contains functionality to inject code into remote processes 14->168 170 Injects a PE file into a foreign processes 14->170 29 wbhgtwb 1 14->29         started        172 Detected unpacking (overwrites its own PE header) 16->172 182 2 other signatures 16->182 31 svchost.exe 16->31         started        114 127.0.0.1 unknown unknown 18->114 174 Changes security center settings (notifications, updates, antivirus, firewall) 18->174 176 DLL side loading technique detected 18->176 33 051y0i7M8q.exe 1 18->33         started        file6 178 Tries to resolve many domain names, but no domain seems valid 112->178 signatures7 process8 dnsIp9 98 tttttt.me 95.216.186.40, 443, 49732 HETZNER-ASDE Germany 20->98 100 34.76.8.115, 49734, 80 GOOGLEUS United States 20->100 64 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 20->64 dropped 66 C:\Users\user\AppData\...\vcruntime140.dll, PE32 20->66 dropped 68 C:\Users\user\AppData\...\ucrtbase.dll, PE32 20->68 dropped 76 56 other files (none is malicious) 20->76 dropped 132 Detected unpacking (changes PE section rights) 20->132 134 Detected unpacking (overwrites its own PE header) 20->134 136 Tries to steal Mail credentials (via file access) 20->136 138 Contains functionality to steal Internet Explorer form passwords 20->138 70 C:\Users\user\AppData\Local\...\laeiylcc.exe, PE32 25->70 dropped 150 2 other signatures 25->150 37 cmd.exe 25->37         started        39 cmd.exe 25->39         started        41 sc.exe 25->41         started        50 3 other processes 25->50 102 999080321newfolder1002-01362599908032135.site 27->102 140 System process connects to network (likely due to code injection or exploit) 27->140 142 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->142 144 Tries to harvest and steal browser information (history, passwords, etc) 27->144 72 C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32 29->72 dropped 152 3 other signatures 29->152 104 82.202.161.188, 424, 49750, 49757 THEFIRST-ASRU Russian Federation 31->104 106 52.101.24.0, 25, 49836, 49925 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 31->106 108 14 other IPs or domains 31->108 74 C:\Windows\SysWOW64\...\systemprofile:.repos, data 31->74 dropped 146 Creates files in alternative data streams (ADS) 31->146 154 2 other signatures 33->154 148 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->148 156 2 other signatures 35->156 43 BF69.exe 15 28 35->43         started        48 conhost.exe 35->48         started        file10 signatures11 process12 dnsIp13 52 conhost.exe 37->52         started        54 conhost.exe 39->54         started        56 conhost.exe 41->56         started        118 api.ip.sb 43->118 120 87.251.71.118, 49738, 49983, 49988 RMINJINERINGRU Russian Federation 43->120 86 C:\Users\user\AppData\Local\...\intelcorp.exe, PE32 43->86 dropped 88 C:\...\XCuer5pXYHrlLvLs8Bgor9rzF5ZJuv.exe, PE32+ 43->88 dropped 90 C:\Users\user\AppData\Local\...\Seedbox.exe, PE32 43->90 dropped 184 Tries to steal Crypto Currency Wallets 43->184 58 conhost.exe 50->58         started        60 conhost.exe 50->60         started        62 conhost.exe 50->62         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63761462358e1f880dafe51b3de8036f10bc60354b981cddc8075aed22e1251d/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-06-13 19:50:13 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mn3biyrvrypyqdnp4unt32adn4ilyybvjombzxoia5no2ixbeuoq._file
Result
Malware family:
tofsee
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee botnet:1 botnet:50f8ded12c46443e43915127b1219ac2fc439bb6 botnet:5339a5db91bba8fa758672b05e7eb691a224bf94 backdoor discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/210613-rbfvvhbepx/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
136.244.96.84:4150
Unpacked files
SH256 hash:
6cc63b665ea65def9c5f8c4f1c73e2124e041cdc6c55fda6a464cdc19420a273
MD5 hash:
5cff71255f4b94a23e2bb7520601d90b
SHA1 hash:
2f236e55ba4873e11400e10755bfecd5443bf2c4
Link:
https://www.unpac.me/results/535c3908-3e5f-4692-90b4-679c5e375b7e/
SH256 hash:
63761462358e1f880dafe51b3de8036f10bc60354b981cddc8075aed22e1251d
MD5 hash:
d3095534ef1a54fcc96985729c70c932
SHA1 hash:
dd25501c1958af1885ec0b47c10e0cad54c6d994
Link:
https://www.unpac.me/results/535c3908-3e5f-4692-90b4-679c5e375b7e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63761462358e1f880dafe51b3de8036f10bc60354b981cddc8075aed22e1251d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 63761462358e1f880dafe51b3de8036f10bc60354b981cddc8075aed22e1251d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1362311/

Comments