MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Smoke Loader
Vendor detections: 15
| SHA256 hash: | 7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5 |
|---|---|
| SHA3-384 hash: | f34644f62071a571a6c2213c8c241f48a78ac86c71b263f72aba68d2f0882d107809ec910a97ad08947342f778cbed38 |
| SHA1 hash: | 59beeba0a1e82ae41cbfcbec56ba8d30e3702f03 |
| MD5 hash: | 556412f983de13496bbee4fd87e1a966 |
| humanhash: | whiskey-jig-ack-jersey |
| File name: | 7140765CD0D5F61BB453F0511E24786E21D950C2CB3B3.exe |
| Signature | Smoke Loader |
| File size: | 3'326'144 bytes |
| First seen: | 2022-10-01 01:20:40 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox) |
| ssdeep | 98304:JhXlDXkM77yrTrLG7Xk0+G94TksGWQKx7+g:JdVXkM3qrCzk0+G6IshhxCg |
| Threatray | 4'122 similar samples on MalwareBazaar |
| TLSH | T1D9F53386A6A04031DA5790F62F958F550C37CD35CABCC7230A92746DF621A53EFCA2DB |
| TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter | |
| Tags: | exe Smoke Loader |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 79.110.62.196:35726 | https://threatfox.abuse.ch/ioc/858753/ |
| http://116.202.5.121/ | https://threatfox.abuse.ch/ioc/865816/ |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 310 |
| Origin country: | n/a |
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Moving a recently created file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Verdict:
Malicious
Result
Threat name:
Nymaim, PrivateLoader, RedLine, SmokeLoa
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Crypzip
Status:
Malicious
First seen:
2021-07-29 01:20:53 UTC
File Type:
PE (Exe)
Extracted files:
123
AV detection:
23 of 26 (88.46%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 4'112 additional samples on MalwareBazaar
Result
Malware family:
vidar
Score:
10/10
Tags:
family:djvu family:nullmixer family:nymaim family:privateloader family:smokeloader family:vidar botnet:1679 botnet:706 aspackv2 backdoor dropper evasion loader ransomware spyware stealer themida trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
VMProtect packed file
ASPack v2.12-2.42
Downloads MZ/PE file
Vidar Stealer
Detected Djvu ransomware
Detects Smokeloader packer
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
NullMixer
NyMaim
PrivateLoader
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://watira.xyz/
https://xeronxikxxx.tumblr.com/
http://winnlinne.com/test3/get.php
208.67.104.97
85.31.46.167
https://t.me/trampapanam
https://nerdculture.de/@yoxhyp
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
64939754308d10b596016bedc01b4c4d45ddce712435ccf738e9571551b70f71
MD5 hash:
0c90240d7ddd30bf1cdfa650a1f21ee3
SHA1 hash:
ca60f66f95613785875456b4fb3b2c405edc7379
SHA256 hash:
f3809c2693d85812d0ed4f06fd2af9f4299d7de6c1d57633c50bc74c1de21f4e
MD5 hash:
0a8ab9fed28f10d3980e2c13eff9a23c
SHA1 hash:
12fe116ab580975ca777febdba37021e13a51b27
SHA256 hash:
ff5b7e9a2d5af436c13951d0746015237e3b12f4d4dc845a92b4e430c098e224
MD5 hash:
8ecc287212bb08f80f80c4ec1a7c6c4c
SHA1 hash:
59d08bda2e494600ed25fd608582b25261ec13b0
Detections:
win_vidar_auto
Parent samples :
7fa24025283e6b745f20c81e15a8cdb866905fb079579b71efd9e659398cb574
65341b1f7f4018e163e564b546012d5bfa41a70c9b9926a0b48781ae4e3f9ec3
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SHA256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Detections:
win_smokeloader_a2
SmokeLoaderStage2
Parent samples :
SHA256 hash:
c916a8706f49a43b43cd58dd129234541fcc8642ca0d3014010a50d45f1bab40
MD5 hash:
9d69fe12fa6d4e6f0ddbc06a6fc462df
SHA1 hash:
b1b41c900cde2da580efdbd10cd33dd4deed5993
SHA256 hash:
640df13e7605d0fd539eaac1474643d4e6ab2f3519cab2450f9b755778dfac6e
MD5 hash:
94fed52e8630b37790927fc7cf29f71c
SHA1 hash:
d9ba132522803b81eb70ca81f7ff5922fab33527
SHA256 hash:
71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
MD5 hash:
7a99d0912a3371081b8a866c6ff48351
SHA1 hash:
6b1d33d1afec238f49a23be639790145ee0b3dfd
Detections:
PrivateLoader
win_privateloader_w0
win_privateloader_auto
win_privateloader_a0
SHA256 hash:
bfebe04424e0a8621eb53d2d6da9d5c969e4b94e33ea532bb70e9212869ee9eb
MD5 hash:
28ddc420be08a62b8da803d14d0bcb93
SHA1 hash:
587ca5df9f7fdd3c6915f801f8cd15057342193f
SHA256 hash:
6ea92579c10ff6128399ec8092b44388da56b89e83103797601d334d6c866ca0
MD5 hash:
f14bcba48fb3817154228ed4cf9df6cb
SHA1 hash:
26ae758142d6dd0d69d5f4ff127a0d9c633b6690
SHA256 hash:
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash:
c0d18a829910babf695b4fdaea21a047
SHA1 hash:
236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
0fb6e44e0abe166c767d8755ec2d5197bfcddc70fddcf1ff8016bb4042bba176
MD5 hash:
70ed60542fd6b63798819c81e6297d18
SHA1 hash:
e88b2a00cee6c060401d83ee0c3ab069c354d0c1
SHA256 hash:
e8671420b6b74ebbad9e63e51aded1c2121b63174a266677f4839e630e192705
MD5 hash:
5dadcdca68e273088ad5f7e3ec3a1b19
SHA1 hash:
8683f3dfda34c51f4a26c4ae05a8bdf845dec784
SHA256 hash:
d97f6c9a42157b01cdd6ac11ea6fff45a3a8d4c4483d1ba3d68c47761a242224
MD5 hash:
1347606800fd85705b595296aa3d8db3
SHA1 hash:
9ea2b85c750ddb4ae1f61bc2ef0bb3ef0aeeee0f
SHA256 hash:
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
MD5 hash:
556412f983de13496bbee4fd87e1a966
SHA1 hash:
59beeba0a1e82ae41cbfcbec56ba8d30e3702f03
Malware family:
Djvu
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.