MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7106abfc983c98a98aa15ef0d17cc83d601ebd66d053aa04742f0df721a7824e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7106abfc983c98a98aa15ef0d17cc83d601ebd66d053aa04742f0df721a7824e
SHA3-384 hash: a5677ec881a01e7f34c048fcf1d2b9cd8f704e530def33e5b053a577878b7c21c712ba9bd3bf403d1d18611eed4599f4
SHA1 hash: 283363fdda5704bf11dcc02f4a48eedf62e72401
MD5 hash: f3085fcc4f68600db1415b2af4fd6aac
humanhash: quebec-texas-mexico-venus
File name:f3085fcc4f68600db1415b2af4fd6aac.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:334'848 bytes
First seen:2021-11-29 17:36:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 812deb7f7900a9634d9b5efcb5c75509 (1 x DanaBot, 1 x Smoke Loader, 1 x RedLineStealer)
ssdeep 3072:Q0SV00oC61q9rAryLR47jaNRgcJdauF0nI2YBiQNLBKQUW7murMWApAHfpM9g5LF:46KsGhRauF0nIbiQZBK+SuNAW/C9yB
Threatray 7 similar samples on MalwareBazaar
TLSH T13E648E10B7E0C434F5B712B849BA93B9B53F7AB15B2491CF62D516EA5634AD0EC3130B
File icon (PE):PE icon
dhash icon badacaaecee6baa6 (16 x Stop, 10 x RedLineStealer, 8 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f3085fcc4f68600db1415b2af4fd6aac.exe
Verdict:
No threats detected
Analysis date:
2021-11-29 17:37:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9baafd30-7ea4-4c72-b07c-c3b558cc07ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Searching for the window
Launching a process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/172/overview
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61a50fc0c4c5314148220e9c/reports/c007ce5e-6a8c-4180-9356-e1e2a848f871/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6caf510-e2ed-4437-a63e-15fa0970c66c
Result
Threat name:
Clipboard Hijacker SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/898103
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Clipboard Hijacker
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 530581 Sample: dltnvo8I1A.exe Startdate: 29/11/2021 Architecture: WINDOWS Score: 100 47 membro.at 2->47 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Antivirus detection for URL or domain 2->61 63 10 other signatures 2->63 9 dltnvo8I1A.exe 2->9         started        12 stjgfwa 2->12         started        14 SmartClock.exe 2->14         started        signatures3 process4 signatures5 71 Detected unpacking (changes PE section rights) 9->71 73 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->73 75 Maps a DLL or memory area into another process 9->75 77 Creates a thread in another existing process (thread injection) 9->77 16 explorer.exe 2 9->16 injected 79 Multi AV Scanner detection for dropped file 12->79 81 Machine Learning detection for dropped file 12->81 83 Checks if the current machine is a virtual machine (disk enumeration) 12->83 process6 dnsIp7 41 membro.at 121.136.102.4, 49762, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 16->41 43 petknorra.com 45.139.179.232, 49819, 49851, 80 ASBAXETNRU Russian Federation 16->43 45 5 other IPs or domains 16->45 31 C:\Users\user\AppData\Roaming\stjgfwa, PE32 16->31 dropped 33 C:\Users\user\AppData\Local\Temp\7745.exe, PE32 16->33 dropped 35 C:\Users\user\AppData\Local\Temp\349D.exe, PE32 16->35 dropped 37 C:\Users\user\...\stjgfwa:Zone.Identifier, ASCII 16->37 dropped 49 System process connects to network (likely due to code injection or exploit) 16->49 51 Benign windows process drops PE files 16->51 53 Deletes itself after installation 16->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->55 21 349D.exe 4 16->21         started        25 7745.exe 16->25         started        27 SmartClock.exe 16->27         started        file8 signatures9 process10 file11 39 C:\Users\user\AppData\...\SmartClock.exe, PE32 21->39 dropped 65 Detected unpacking (changes PE section rights) 21->65 67 Detected unpacking (overwrites its own PE header) 21->67 69 Machine Learning detection for dropped file 21->69 29 SmartClock.exe 21->29         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7106abfc983c98a98aa15ef0d17cc83d601ebd66d053aa04742f0df721a7824e/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-29 03:30:54 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oedkx7eyhsmktcvbl3ync7gihvqb5plg2bj2ubduf4g7oinhqjha._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
0b146e27011b69ff39ebf85dcd1459aaf66584ef728aab4786970d6f9c2072ad
Smoke Loader
5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4
Smoke Loader
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
Smoke Loader
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
Smoke Loader
8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
Smoke Loader
d1b138a211d4b9ce4d825f82669ba211e585a87eec0e877a2b8ef87a9e43ccb6
Smoke Loader
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:smokeloader backdoor collection discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/211129-v65raafee7/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates processes with tasklist
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
CryptBot
SmokeLoader
Malware Config
C2 Extraction:
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
https://cinems.club/search.php
https://clothes.surf/search.php
Unpacked files
SH256 hash:
38b50520397a48d6dc0044fb2aca06b6789cfbe921488422471eab7def65e820
MD5 hash:
67c9034e01a3a23f977b8aa138e88b57
SHA1 hash:
e430b48053c15d914edc1eca59be4964292648c2
Link:
https://www.unpac.me/results/2c92c372-9007-416a-a2fa-0a0e3fede2d8/
SH256 hash:
7106abfc983c98a98aa15ef0d17cc83d601ebd66d053aa04742f0df721a7824e
MD5 hash:
f3085fcc4f68600db1415b2af4fd6aac
SHA1 hash:
283363fdda5704bf11dcc02f4a48eedf62e72401
Link:
https://www.unpac.me/results/2c92c372-9007-416a-a2fa-0a0e3fede2d8/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7106abfc983c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7106abfc983c98a98aa15ef0d17cc83d601ebd66d053aa04742f0df721a7824e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments