MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b29622208b0c1278250c46855e38fde0b9d67c1263bd64fcfa283424af027e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b29622208b0c1278250c46855e38fde0b9d67c1263bd64fcfa283424af027e4
SHA3-384 hash: b74b482899b8150b88d887f823f686592bd15f1f31dcda74f1550571e881ffa4ebde2dd16968cb89bd523addbee2bd07
SHA1 hash: 5b52bd80fe6ae0ced0f784bc211cb47b239c4d84
MD5 hash: 3b7ba44b1c5bdb34ab82e6ada3ffd3ff
humanhash: four-network-purple-stream
File name:3b7ba44b1c5bdb34ab82e6ada3ffd3ff.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:222'720 bytes
First seen:2021-08-05 18:43:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c36bba2f7ed1360c17671decb7b1e9d1 (5 x RaccoonStealer, 2 x DanaBot, 1 x Smoke Loader)
ssdeep 3072:1uSgdizPBtRL0nTvuX4wWkd3P44lw5qWDkGD0egDzxJWtk02syVUI:oJEtRL0nTWX4wWwDl7WPuPxJgLBI
Threatray 1'026 similar samples on MalwareBazaar
TLSH T1E724CE113680DC77F12239B18866C7A27A27FC69C9249B4B7B85739E2F312E29F35345
dhash icon 4839b230e8c38890 (25 x RaccoonStealer, 4 x RedLineStealer, 3 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
566
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3b7ba44b1c5bdb34ab82e6ada3ffd3ff.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-05 18:46:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3bc98d1c-1f71-48ff-a1cf-8216b0d7c12d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176816/
Detection(s):
Win.Dropper.Ursnif-9884016-0
Create hunting rule

Win.Dropper.Ursnif-9884041-0
Create hunting rule

Win.Dropper.Titirez-9884070-0
Create hunting rule

Win.Dropper.Titirez-9884078-0
Create hunting rule

Win.Packed.Filerepmalware-9884083-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Searching for analyzing tools
Searching for the window
Connection attempt
Sending an HTTP POST request
Launching a process
DNS request
Sending a custom TCP request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Setting browser functions hooks
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfce120b-df37-4af1-a11f-a76bee488f4d
Result
Threat name:
Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827643
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460071 Sample: rVpeqchp0W.exe Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 81 telete.in 2->81 83 readinglistforjuly10.xyz 2->83 114 Antivirus detection for URL or domain 2->114 116 Yara detected SmokeLoader 2->116 118 Yara detected RedLine Stealer 2->118 122 8 other signatures 2->122 13 rVpeqchp0W.exe 2->13         started        16 jibhari 2->16         started        18 YbaOmNXcbb.exe.com 2->18         started        signatures3 120 Tries to resolve many domain names, but no domain seems valid 81->120 process4 dnsIp5 156 Detected unpacking (changes PE section rights) 13->156 158 Contains functionality to inject code into remote processes 13->158 160 Injects a PE file into a foreign processes 13->160 21 rVpeqchp0W.exe 13->21         started        162 Multi AV Scanner detection for dropped file 16->162 24 jibhari 16->24         started        85 GtNmHgYRUJvNBAMdDUxmwxiv.GtNmHgYRUJvNBAMdDUxmwxiv 18->85 signatures6 process7 signatures8 124 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->124 126 Maps a DLL or memory area into another process 21->126 128 Checks if the current machine is a virtual machine (disk enumeration) 21->128 26 explorer.exe 9 21->26 injected 130 Creates a thread in another existing process (thread injection) 24->130 process9 dnsIp10 87 readinglistforjuly9.xyz 26->87 89 readinglistforjuly8.xyz 26->89 91 12 other IPs or domains 26->91 67 C:\Users\user\AppData\Roaming\jibhari, PE32 26->67 dropped 69 C:\Users\user\AppData\Local\Temp\9436.exe, PE32 26->69 dropped 71 C:\Users\user\AppData\Local\Temp\5901.exe, PE32 26->71 dropped 73 3 other files (1 malicious) 26->73 dropped 146 System process connects to network (likely due to code injection or exploit) 26->146 148 Benign windows process drops PE files 26->148 150 Performs DNS queries to domains with low reputation 26->150 154 2 other signatures 26->154 31 8E2A.exe 7 26->31         started        33 5901.exe 3 26->33         started        36 9436.exe 1 26->36         started        38 wscript.exe 26->38         started        file11 152 Tries to resolve many domain names, but no domain seems valid 89->152 signatures12 process13 signatures14 40 cmd.exe 1 31->40         started        43 dllhost.exe 31->43         started        104 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->104 106 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->106 45 5901.exe 15 30 33->45         started        108 Multi AV Scanner detection for dropped file 36->108 110 Creates processes via WMI 38->110 process15 dnsIp16 134 Submitted sample is a known malware sample 40->134 136 Obfuscated command line found 40->136 138 Uses ping.exe to sleep 40->138 140 Uses ping.exe to check the status of other devices and networks 40->140 48 cmd.exe 3 40->48         started        51 conhost.exe 40->51         started        93 194.233.74.11, 39744, 49747, 49753 NEXINTO-DE Germany 45->93 95 api.ip.sb 45->95 142 Tries to harvest and steal browser information (history, passwords, etc) 45->142 144 Tries to steal Crypto Currency Wallets 45->144 signatures17 process18 signatures19 100 Obfuscated command line found 48->100 102 Uses ping.exe to sleep 48->102 53 Preme.exe.com 48->53         started        56 findstr.exe 1 48->56         started        59 PING.EXE 48->59         started        process20 file21 132 Drops PE files with a suspicious file extension 53->132 61 Preme.exe.com 53->61         started        65 C:\Users\user\AppData\Local\...\Preme.exe.com, Targa 56->65 dropped signatures22 process23 dnsIp24 97 GtNmHgYRUJvNBAMdDUxmwxiv.GtNmHgYRUJvNBAMdDUxmwxiv 61->97 75 C:\Users\user\AppData\...\YbaOmNXcbb.exe.com, PE32 61->75 dropped 77 C:\Users\user\AppData\...\qlBAJBigfnwU.js, ASCII 61->77 dropped 79 C:\Users\user\AppData\...\YbaOmNXcbb.url, MS 61->79 dropped file25 112 Tries to resolve many domain names, but no domain seems valid 97->112 signatures26
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7b29622208b0c1278250c46855e38fde0b9d67c1263bd64fcfa283424af027e4/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 18:43:07 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmuweiqiwdaspasqyrufly4p3yfz2z6bey55mt6pukbuesxqe7sa._file
Verdict:
suspicious
Similar samples:
0fe70947f77741fac09da7aa80e82896d92bc08450b4fc029c04c5e803bf3259
Smoke Loader
3221c7c857b80fab3818cf1ea9435cef9626d84bd308d7a365e4e5089e5ef413
Smoke Loader
8d7953ccff3dbc3b9aad9e25f9437b71070d7e63613e193ab4be05cffd9a1f8d
Smoke Loader
a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
Smoke Loader
ac8e358db8788a68b31260355ead5b4017652e015125f6f6cf98ca143d2521be
Smoke Loader
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
Smoke Loader
c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0
Smoke Loader
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
Smoke Loader
e6b35d9156c1b830d000926b8dd12fe13185fa2e910692969215bf707686b595
Smoke Loader
+ 1'016 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:8c5d389b2e12b3d17063b64682ea8cbd75ef5ca8 botnet:cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210805-v5bnr9fmbe/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
95.217.140.34:18653
Unpacked files
SH256 hash:
567660462bf0b6efcb3355ec6a5806a8e68990f423cda4afb601dfd270d5ff54
MD5 hash:
9740d3ad5f3001f0ace007137fb42cfe
SHA1 hash:
94b48d76bfccc7cfe79ba8f3ed16409ee538b811
Link:
https://www.unpac.me/results/a5e32720-e2c6-4ce8-9c8e-5249fe00688f/
SH256 hash:
7b29622208b0c1278250c46855e38fde0b9d67c1263bd64fcfa283424af027e4
MD5 hash:
3b7ba44b1c5bdb34ab82e6ada3ffd3ff
SHA1 hash:
5b52bd80fe6ae0ced0f784bc211cb47b239c4d84
Link:
https://www.unpac.me/results/a5e32720-e2c6-4ce8-9c8e-5249fe00688f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7b29622208b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b29622208b0c1278250c46855e38fde0b9d67c1263bd64fcfa283424af027e4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 7b29622208b0c1278250c46855e38fde0b9d67c1263bd64fcfa283424af027e4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1502766/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/176816/

Comments