MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f746dfc7c53944b60e4fdc29fdea740ae8ceaf98126262258fd38ecf166cba5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	6f746dfc7c53944b60e4fdc29fdea740ae8ceaf98126262258fd38ecf166cba5
SHA3-384 hash:	60cf939d9e05b2e29fbeaa0ea037ff448779460f78a6620e1c5624e09960663f92f6a653fd63eadf0871aa79d1154eca
SHA1 hash:	ec64d3990711a645e7d46a5c74788a12d154bd7e
MD5 hash:	fd7ca43a078ad2812cb9d129bce72931
humanhash:	lion-butter-montana-mexico
File name:	fd7ca43a078ad2812cb9d129bce72931.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	271'360 bytes
First seen:	2021-09-04 14:18:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	193b8a18b82d2d8f5b36c7239901d2c7 (4 x ArkeiStealer, 3 x Glupteba, 3 x Stop)
ssdeep	3072:5Y0nfnFbYP1eOqvueQwGy6CpHXR+iXvh7IxSgE6pAy6TAD+YDWATOPclIlm6Ou8e:5Y4nFbeAvueQLqth+dAC/1O9lmkHP4
Threatray	1'670 similar samples on MalwareBazaar
TLSH	T1F2448C30A6A0C035F6F721F45ABA83BDB5297EA15B3050CF92D52AEA07346E5EC31747
dhash icon	e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

850

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fd7ca43a078ad2812cb9d129bce72931.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-04 14:18:53 UTC

Tags:

installer

Link:

https://app.any.run/tasks/d1fbd92d-ff08-41d1-84f3-912f0fd12f6f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/185313/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader42.8185.18123.20518.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Deleting of the original file

Enabling autorun by creating a file

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33856a31-6247-41af-95d8-18cd2af54a22

Result

Threat name:

Raccoon RedLine SmokeLoader Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/845282

Signature

Benign windows process drops PE files

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Raccoon Stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6f746dfc7c53944b60e4fdc29fdea740ae8ceaf98126262258fd38ecf166cba5/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-04 07:39:30 UTC

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n52g37d4kokewyhe7xbj7xvhicxiz2xzqetcmisy7u4oz4lgzosq._file

Verdict:

suspicious

Smoke Loader

560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b

Smoke Loader

71c0a6fb3c31d1fa82fb99ddda7811810d9bf6306ce7e3377547035fe6b512f2

Smoke Loader

948bae9510601455f2ba50d694a6561bf2e85071b86161a0186672616ae17a77

Smoke Loader

948f89b7ef250934f34b2be496ddebcd546651da7fc7b5f6daf5cd08b1cb0b84

Smoke Loader

9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7

Smoke Loader

b08e7b20a96d4bf0d2795d783b2b066abff7c0d82ccb15e616df533835193f5d

Smoke Loader

ce1a457a5bd8763fde41a27081d5a885b66aca31b123ee42885e29bc8cfdbda5

Smoke Loader

eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6

Smoke Loader

+ 1'660 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:raccoon family:redline family:smokeloader family:vidar botnet:1009 botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:newproliv botnet:ytoobe botnet:zhinstalls backdoor discovery evasion infostealer persistence spyware stealer themida trojan

Link:

https://tria.ge/reports/210904-rmvkesecc3/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Modifies WinLogon for persistence

Raccoon

RedLine

RedLine Payload

SmokeLoader

Vidar

Malware Config

C2 Extraction:

http://fioajfoiarjfoi1.xyz/
http://rdukhnihioh2.xyz/
http://sdfghjklemm3.xyz/
http://eruiopijhgnn4.xyz/
http://igbyugfwbwb5.xyz/
http://shfuhfuwhhc6.xyz/
http://ersyglhjkuij7.xyz/
http://ygyguguuju8.store/
http://resbkjpokfct9.store/
http://sdfygfygu10.store/
http://hbibhibihnj11.store/
http://vfwlkjhbghg12.store/
http://poiuytrcvb13.store/
http://xsedfgtbh14.store/
http://iknhyghggh15.store/
http://wnlonevkiju16.site/
http://gfyufuhhihioh17.site/
http://nsgiuwrevi18.site/
http://oiureveiuv19.site/
http://ovrnevnriuen20.site/
http://apowkfeeifin21.site/
http://mewmofinoine22.site/
http://iefhuiehruiu23.site/
http://vjrnnvinerovn24.club/
http://roimvnnvwniov25.club/
http://fwenmfioewnjo26.club/
http://ewoijioewoif27.club/
http://fwjenfuihew28.club/
http://fwkejnfuiewn29.club/
http://fwkjenfuewnh30.club/
http://rigtestforum.ru/board/
http://rigtestforum.click/board/
http://rigtestforum.to/board/
77.232.38.196:59743
45.129.236.6:21588
45.14.49.232:63850
https://romkaxarit.tumblr.com/