MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79d1a0d0bd8b5672374ab7c97365a6b0276efc6755900cdbdcdb77019e69457a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 11



SHA256 hash: 79d1a0d0bd8b5672374ab7c97365a6b0276efc6755900cdbdcdb77019e69457a
SHA3-384 hash: eac98e5cb74324ed39ff8b4452d25cd1870cd0289df38f252181a7d2e7054b50df1e22ccaa3eabdc7a6e895a125a43b8
SHA1 hash: f515d22105594e0b0b1c26b6ce4558b486b328cb
MD5 hash: a1a084cad3819fe34ba882633e6b45ac
humanhash: skylark-alaska-saturn-river
File name: a1a084cad3819fe34ba882633e6b45ac.exe
Signature: Smoke Loader
File size: 6'746'510 bytes
First seen: 2021-09-20 03:15:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:xlLUCgRf/loAOQeekvyQecxzHDCWjrtlFQ7/d:xddgReAnkTxzjC4Fs
Threatray: 724 similar samples on MalwareBazaar
TLSH: T10E663320F9C687F5CE827334992C0F7241E5838422265DFB33B8953BED68B5D86A6375
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe Smoke Loader


abuse_ch
Smoke Loader C2:
http://74.119.192.122/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://74.119.192.122/
ThreatFox reference: https://threatfox.abuse.ch/ioc/223651/

Intelligence


File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-09-16 23:52:08 UTC
Tags:
trojan rat redline loader evasion stealer opendir banker dridex raccoon vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Result
Threat name:
BitCoin Miner RedLine Socelars
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph: [graph image not reproduced here] Behavior Graph ID: 486138, Sample: 2RPumB2hAm.exe, Startdate: 20/09/2021, Architecture: WINDOWS, Score: 100
Threat name:
Win32.Trojan.ArkeiStealer
Status:
Malicious
First seen:
2021-09-17 00:21:13 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:ani botnet:medianew aspackv2 backdoor dropper evasion infostealer loader spyware stealer themida trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
45.142.215.47:27643
91.121.67.60:62102
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments