MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01
SHA3-384 hash: f6123280175b96d0daa0fba54cfdc6ca8822b77600a9aae4095941fac4fb0dbb9dfd12105243b6ae933b1e9f38143d5c
SHA1 hash: 81ce24f7af893885025cb184de98da3bee563169
MD5 hash: e092c290ecbe05b96a01a8557d202191
humanhash: east-saturn-mike-snake
File name:e092c290ecbe05b96a01a8557d202191.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:184'320 bytes
First seen:2021-08-13 08:09:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8dcae17739f93a54640d82b608ad24e8 (4 x RaccoonStealer, 4 x Smoke Loader, 3 x RedLineStealer)
ssdeep 3072:aCLfs/WwaeUQungr6RRsMEXh1FBgXNgVRq8a4ROJB0fCZA9:aCLfKl4RPLOROJB0fCi
Threatray 4'941 similar samples on MalwareBazaar
TLSH T11B049DD279A3C47EC095D5F108A49AB42775F8607A08014FA7943F5B2E33AE352FE2D6
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e092c290ecbe05b96a01a8557d202191.exe
Verdict:
No threats detected
Analysis date:
2021-08-13 08:20:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d76a607e-defe-4ad1-9fd9-cdaa82ef0976

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178914/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.7544.26756.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Connection attempt
Sending an HTTP GET request
Running batch commands
Query of malicious DNS domain
Connection attempt to an infection source
Downloading the file
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Launching a file downloaded from the Internet
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa88afe9-d901-41e0-9b0a-1fbbd972509f
Result
Threat name:
GoBrut Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832256
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Yara detected GoBrut
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 464685 Sample: 4VVvnNObjp.exe Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 74 www.marketinghouse.lv 2->74 76 zewairelibaas.com 2->76 78 684 other IPs or domains 2->78 108 Multi AV Scanner detection for domain / URL 2->108 110 Antivirus detection for URL or domain 2->110 112 Multi AV Scanner detection for submitted file 2->112 116 13 other signatures 2->116 11 4VVvnNObjp.exe 2->11         started        14 vgtdeev 2->14         started        signatures3 114 System process connects to network (likely due to code injection or exploit) 74->114 process4 signatures5 132 Detected unpacking (changes PE section rights) 11->132 16 4VVvnNObjp.exe 11->16         started        134 Contains functionality to inject code into remote processes 14->134 136 Sample uses process hollowing technique 14->136 138 Injects a PE file into a foreign processes 14->138 19 vgtdeev 14->19         started        process6 signatures7 100 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->100 102 Maps a DLL or memory area into another process 16->102 104 Checks if the current machine is a virtual machine (disk enumeration) 16->104 21 explorer.exe 13 16->21 injected 106 Creates a thread in another existing process (thread injection) 19->106 process8 dnsIp9 80 91.241.19.52, 49726, 80 REDBYTES-ASRU Russian Federation 21->80 82 185.142.98.122, 49721, 80 MGNHOST-ASRU Russian Federation 21->82 84 6 other IPs or domains 21->84 56 C:\Users\user\AppData\Roaming\vgtdeev, PE32 21->56 dropped 58 C:\Users\user\AppData\Local\Temp\7BAA.exe, PE32 21->58 dropped 60 C:\Users\user\AppData\Local\Temp\640A.exe, PE32 21->60 dropped 62 4 other files (2 malicious) 21->62 dropped 118 System process connects to network (likely due to code injection or exploit) 21->118 120 Benign windows process drops PE files 21->120 122 Performs DNS queries to domains with low reputation 21->122 124 2 other signatures 21->124 26 640A.exe 3 21->26         started        28 explorer.exe 21->28         started        32 7BAA.exe 3 21->32         started        34 6 other processes 21->34 file10 signatures11 process12 dnsIp13 37 640A.exe 80 26->37         started        42 640A.exe 26->42         started        92 readinglistforjuly2.xyz 28->92 140 System process connects to network (likely due to code injection or exploit) 28->140 142 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->142 144 Tries to steal Mail credentials (via file access) 28->144 154 2 other signatures 28->154 146 Detected unpacking (changes PE section rights) 32->146 148 Query firmware table information (likely to detect VMs) 32->148 150 Tries to detect sandboxes and other dynamic analysis tools (window names) 32->150 156 2 other signatures 32->156 44 conhost.exe 32->44         started        94 185.74.252.11 WIBO-ASLT Lithuania 34->94 96 107.181.169.224 TOTAL-SERVER-SOLUTIONSUS United States 34->96 98 63 other IPs or domains 34->98 52 C:\ProgramData\Runtimebroker.exe, PE32 34->52 dropped 54 C:\Users\user\AppData\Local\...\5B10.exe.pid, ASCII 34->54 dropped 152 Detected unpacking (overwrites its own PE header) 34->152 46 cmd.exe 2 34->46         started        48 WerFault.exe 34->48         started        file14 signatures15 process16 dnsIp17 86 45.67.231.40, 49730, 80 SERVERIUS-ASNL Moldova Republic of 37->86 88 195.201.225.248, 443, 49729 HETZNER-ASDE Germany 37->88 90 telete.in 37->90 64 C:\Users\user\AppData\...\vcruntime140.dll, PE32 37->64 dropped 66 C:\Users\user\AppData\...\ucrtbase.dll, PE32 37->66 dropped 68 C:\Users\user\AppData\...\softokn3.dll, PE32 37->68 dropped 72 56 other files (none is malicious) 37->72 dropped 126 Tries to steal Mail credentials (via file access) 37->126 128 Tries to harvest and steal browser information (history, passwords, etc) 37->128 70 C:\Users\user\AppData\...\svchostsw.exe, PE32 46->70 dropped 130 Drops PE files to the startup folder 46->130 50 conhost.exe 46->50         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-13 08:10:08 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
138d79111af4f878d637e1a8dcf7dbdd46f70527eb68908ad2f977a3554031eb
Smoke Loader
33a4297298b2ca7b92d4462884eb53abda20d500998e1edb4bc8e7cb646bba1f
Smoke Loader
352d461ee47bb9c6618eb86b1e8b10721c0b0dfd4a4b3e85dfb939f6d101e942
Smoke Loader
654e5fbb0f6165cdad48fd843ec274d63507133e0f27dab5b535efa1b56b0125
Smoke Loader
76526cd30725afafe90b7f19fbb607571ac7f827aece34bf1d1cc41c595f2a93
Smoke Loader
7b322817ab2ab0c71807e4169e41bd49954328a4f9ff10fafb16e91b9a9d1272
Smoke Loader
cc700e4575649a012895b044f54ba9b8e87ea47efdeb755f32f135317451610d
Smoke Loader
d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854
Smoke Loader
efe21ec3a8118e21388c0dde6a40257e44ed807b020f1d6921d83a41cfede454
Smoke Loader
f24a559e79ba3121c7e0fed4ac995da056fe6a0dac71b2360f9e340b97117d05
Smoke Loader
+ 4'931 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor evasion infostealer stealer themida trojan
Link:
https://tria.ge/reports/210813-9rlt63p53s/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Raccoon Stealer Payload
RedLine
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Unpacked files
SH256 hash:
8b085611ecc9d6df0bc54d8421e57eb82f70c2c085e488ccfb41b4d26560bc57
MD5 hash:
3dff4690ed57aba1cd05faf0e7d2ec18
SHA1 hash:
feda1fc6459b5391f3a56da56d9da8089944df5b
Link:
https://www.unpac.me/results/3981968e-79af-417c-be7d-109c040f2003/
SH256 hash:
7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01
MD5 hash:
e092c290ecbe05b96a01a8557d202191
SHA1 hash:
81ce24f7af893885025cb184de98da3bee563169
Link:
https://www.unpac.me/results/3981968e-79af-417c-be7d-109c040f2003/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7984865f4df4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/178914/
  
URLhaus
https://urlhaus.abuse.ch/url/1476557/
  
Delivery method
Distributed via web download

Comments