MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79dc17855e41c95a144280cff99422932721209dd97cd28dcd985746e339397c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79dc17855e41c95a144280cff99422932721209dd97cd28dcd985746e339397c
SHA3-384 hash: f50725a42837643c5a9cd25440623765735fb3d61883d69c8c652aea2910066d60fa8c532dc52cfe2853d35b215f0171
SHA1 hash: 4deee6a671c6d769c43a1a2230165e9ae754622d
MD5 hash: d039016102cca238b8c2afcf7cb1f250
humanhash: robin-sierra-failed-tennessee
File name:d039016102cca238b8c2afcf7cb1f250.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:183'808 bytes
First seen:2021-09-29 09:52:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5dbcbed365563713c1a9bb2780528a54 (5 x ArkeiStealer, 3 x RedLineStealer, 2 x RaccoonStealer)
ssdeep 3072:V6KmRLZojmARNwK5ircPI1Zeifub78EuSzsz:VRUgROdcPI1TW9uSz+
Threatray 4'822 similar samples on MalwareBazaar
TLSH T11D04BE00B590D2F1C715013FA825CAECE53EB96DEFE056372AE866DFAE382A37511351
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d039016102cca238b8c2afcf7cb1f250.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-29 09:55:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/29b2e50f-f413-42f6-8a92-c68b2c7d4de7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193088/
Detection(s):
Win.Packed.Generic-9897548-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0df743e0-6236-4e8f-bbad-f4e826de0631
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860777
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 493207 Sample: zvIdxpP7yU.exe Startdate: 29/09/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Antivirus detection for URL or domain 2->55 57 6 other signatures 2->57 9 zvIdxpP7yU.exe 2->9         started        12 cfvjshd 2->12         started        process3 signatures4 75 Detected unpacking (changes PE section rights) 9->75 77 Contains functionality to inject code into remote processes 9->77 79 Injects a PE file into a foreign processes 9->79 14 zvIdxpP7yU.exe 9->14         started        81 Multi AV Scanner detection for dropped file 12->81 17 cfvjshd 12->17         started        process5 signatures6 87 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->87 89 Maps a DLL or memory area into another process 14->89 91 Checks if the current machine is a virtual machine (disk enumeration) 14->91 19 explorer.exe 4 14->19 injected 93 Creates a thread in another existing process (thread injection) 17->93 process7 dnsIp8 41 umayaniela6.top 194.87.210.36, 49707, 49710, 49712 AS-REGRU Russian Federation 19->41 43 216.128.137.31, 80 AS-CHOOPAUS United States 19->43 45 7 other IPs or domains 19->45 35 C:\Users\user\AppData\Roaming\cfvjshd, PE32 19->35 dropped 37 C:\Users\user\AppData\Local\Temp\D9B2.exe, PE32 19->37 dropped 39 C:\Users\user\...\cfvjshd:Zone.Identifier, ASCII 19->39 dropped 59 System process connects to network (likely due to code injection or exploit) 19->59 61 Benign windows process drops PE files 19->61 63 Deletes itself after installation 19->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->65 24 D9B2.exe 2 19->24         started        file9 signatures10 process11 signatures12 67 Antivirus detection for dropped file 24->67 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->69 71 Machine Learning detection for dropped file 24->71 73 2 other signatures 24->73 27 D9B2.exe 15 24 24->27         started        31 conhost.exe 24->31         started        33 D9B2.exe 24->33         started        process13 dnsIp14 47 92.246.89.6, 38437, 49791 LIVECOMM-ASRespublikanskayastr3k6RU Russian Federation 27->47 49 api.ip.sb 27->49 83 Tries to harvest and steal browser information (history, passwords, etc) 27->83 85 Tries to steal Crypto Currency Wallets 27->85 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79dc17855e41c95a144280cff99422932721209dd97cd28dcd985746e339397c/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-29 07:37:00 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=phobpbk6ihevufccqdh7tfbcsmtscie53f6nfdontblunyzzhf6a._file
Verdict:
malicious
Similar samples:
467425771038209d08868a51e6bbb8834fa53a33762f15818bd9905f5663828a
Smoke Loader
5758800ba2a45f64a6cf7f011159fb521eeacbd18c441adf2748690eee7faa00
Smoke Loader
5ed39b2c2b58db059b65bd11c6783a1c65b9836143f2c4dfbde502ff685598db
Smoke Loader
674006b8cf885bb27c186c2ef23ee6b9b5b9894985b909021eebcaccb74d6845
Smoke Loader
8350538160b089becbb7142d16ecf8089b16fbf11ead40dc1169a9e6104c0304
Smoke Loader
843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0
Smoke Loader
897bb67dac34904d72e20fb6b62feb31c86575107563db56535c38d81eec56aa
Smoke Loader
89bad428ef1f3d8d2217fa8fbf5421824383232f60c1d72fb4ad80ee0c56663f
Smoke Loader
e312af68203fd80a2dd86a69460941ce29709424310abffd66fd7323a2b8ef6e
Smoke Loader
f5f9d1912e786c71c2d174f198266ad2566cdb7d3a3ac99923f7baec5ffba26e
Smoke Loader
+ 4'812 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210929-lwm9taedf6/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Unpacked files
SH256 hash:
2fead9437f15e057951fd6a02ab05076e38db13483df0191787c21c79343b9e7
MD5 hash:
1c90f3a3fcd93ee08b2154cbcff49085
SHA1 hash:
73ac881633a13c3c31c1153d8105b8ecbb60961e
Link:
https://www.unpac.me/results/77364599-6154-4919-9eb6-2914d50ebaba/
SH256 hash:
79dc17855e41c95a144280cff99422932721209dd97cd28dcd985746e339397c
MD5 hash:
d039016102cca238b8c2afcf7cb1f250
SHA1 hash:
4deee6a671c6d769c43a1a2230165e9ae754622d
Link:
https://www.unpac.me/results/77364599-6154-4919-9eb6-2914d50ebaba/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/79dc17855e41/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79dc17855e41c95a144280cff99422932721209dd97cd28dcd985746e339397c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 79dc17855e41c95a144280cff99422932721209dd97cd28dcd985746e339397c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639930/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193088/

Comments