MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 661619bee5d7b2c990720d645d7def09c3de41a964acc6ddc77866b8e283a37b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	661619bee5d7b2c990720d645d7def09c3de41a964acc6ddc77866b8e283a37b
SHA3-384 hash:	0ac42fc5f68e22482ee71fc99b2e4e1aed2d597b10fa73a011b68aaa38ca633ee2f8cec09998430c18308d68d4fade41
SHA1 hash:	d2f6dba2cdbbd2675f82fbfa62dee7115158bfb9
MD5 hash:	1a35df4d953c7c7f011f4a03bb047d47
humanhash:	north-fourteen-chicken-table
File name:	1a35df4d953c7c7f011f4a03bb047d47.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	228'352 bytes
First seen:	2023-10-11 05:41:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1779cddf5976b55ff16f4e4d4c8ed385 (2 x Tofsee, 2 x RecordBreaker, 2 x Smoke Loader)
ssdeep	3072:HXpXmbVOfni3ylom62SkAvRHN84LYkWA96g5sbgTzTyh:3tMVqi3YHVsRVYK96RMTzT
Threatray	37 similar samples on MalwareBazaar
TLSH	T1C324CF217982C8B3C44643388824CAF4B57ABC729A59B98737A83F6F7D313527767325
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1070c09030341000 (1 x RecordBreaker, 1 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://93.185.166.154/

Intelligence

File Origin

# of uploads :

# of downloads :

332

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1a35df4d953c7c7f011f4a03bb047d47.exe

Verdict:

Malicious activity

Analysis date:

2023-10-11 05:43:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c26a5cc8-4c01-448e-bf7b-4081f0586d1a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/453112/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/652635ab1e07d7e1e9beb832/reports/6528d53e-a8e6-4fdd-b55c-c7aa9ea9de6f/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/661619bee5d7b2c990720d645d7def09c3de41a964acc6ddc77866b8e283a37b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/983468d2-2a6b-46a4-acc7-0a243c85db43

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1323458

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

smokeloader

Link:

https://mwdb.cert.pl/sample/661619bee5d7b2c990720d645d7def09c3de41a964acc6ddc77866b8e283a37b/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-10-11 05:42:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mylbtpxf26zmtedsbvsf27ppbhb54qnjmswmnxohpbtlryudun5q._file

Verdict:

malicious

RecordBreaker

46ac0ab158fc001e4dca1d72667b8302470526bb97c0832f7ce2c0814943a667

RecordBreaker

4fde35f203cdacb88a85df5622b3b0b4e3f572c616b124c007d6158534d36896

RecordBreaker

6a6aeffae09bf99332b3641d39606ebc0d6ae27d4502df6fa3cfe93ce7e3736e

RecordBreaker

806345cafc7b457a4db43eb7872e1366cada2f75eba357874498368d22591b1a

RecordBreaker

8282c76d3fbe900b90d4cc171b116191362effd2ca851d3552742aabbf77ecf9

RecordBreaker

9a528b2b31d9d59018878fdf3b9d8db235df606500c67a4b8be3075701b014fc

RecordBreaker

b94fbe4609f164fb43bcf2a48b07b1306d8444e78b35791a5bfafa79bad53472

RecordBreaker

f1e65ef292a881bcd0b8bb82bc9f386cf78195ad04a4c139b55f359a5aa1f0c5

RecordBreaker

f787d409487f3708c014ad8ab5165251b7ac2d621afa2d2ec54c8477e67fca3e

RecordBreaker

+ 27 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader botnet:pub4 backdoor trojan

Link:

https://tria.ge/reports/231011-gd1d7sef68/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Deletes itself

Executes dropped EXE

SmokeLoader

Malware Config

C2 Extraction:

http://wirtshauspost.at/tmp/
http://msktk.ru/tmp/
http://soetegem.com/tmp/
http://gromograd.ru/tmp/
http://talesofpirates.net/tmp/

Unpacked files

SH256 hash:

1841ba0efee1c1739a985c5ce8ba50499b1d9a3998179f8c60cad37de06e94cf

MD5 hash:

e160632d3059af565697d32002485b5a

SHA1 hash:

b3a5839301c9cd4fefec03d8468bf84cb61451a3

Detections:

SmokeLoaderStage2

win_smokeloader_a2

Link:

https://www.unpac.me/results/d92165e8-cac5-4853-956b-55252182931a/

Parent samples :

ed3d3c7ea2def6256c7c068239abf27ad41589859675386a391dbb30b07eb57c
6a302e65ae3cd7ceb6a94b2753f1a3223b189355eecbe443b0fd45722a495f48
661619bee5d7b2c990720d645d7def09c3de41a964acc6ddc77866b8e283a37b
f3690441d255e923934221ee1e394f3536a11ce793d34c6466ce7a29e2577857
19119a6c77015d4648fb38250614b86fd3f6ffd5e1b4ebc457eef2f90db46e6a
99063294db6384dbe30caa07b0dccca9a8c62276f2987d0c643d0ea7bb8b4ff2
ed5858af8476036c1914ff346745b794c74a98bbb2fa8edba77bfc497a6471a8
35416fc3b1be5d63574fab368830e544a73a1dd15a6b68f0859f85f2097d7355
212f3f74cd96e2e08855fabc350bd0e96af86c025eebfcec8a9b78d153b70985
359c7a9295f5c54a78cde6981f6637e134fc7a23819e80f928ea805bcf98430f
898a57544bdfbaac62372f1b7bc63610750c0f377c66c372e34909e6c5f474c5

SH256 hash:

661619bee5d7b2c990720d645d7def09c3de41a964acc6ddc77866b8e283a37b

MD5 hash:

1a35df4d953c7c7f011f4a03bb047d47

SHA1 hash:

d2f6dba2cdbbd2675f82fbfa62dee7115158bfb9

Link:

https://www.unpac.me/results/d92165e8-cac5-4853-956b-55252182931a/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/661619bee5d7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/661619bee5d7b2c990720d645d7def09c3de41a964acc6ddc77866b8e283a37b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.