MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dedf613bef159a338fa71ae8e77e11899f9f5314ac3ebbb63c70d24537c3c73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dedf613bef159a338fa71ae8e77e11899f9f5314ac3ebbb63c70d24537c3c73
SHA3-384 hash: 19a60ae472592228eaad590dd5537a7c3b70132cc07a6d748f6a7e87ba30c8ee4a56b68ce15c98c8f3aab2f276507f00
SHA1 hash: 066a179765249fa78765aa7c2ab063f7501d76be
MD5 hash: a749c50e50bea83a415298bf40d03217
humanhash: saturn-butter-louisiana-victor
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:1'433'088 bytes
First seen:2023-09-20 16:18:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:JywNd7sZxBoGLHldxRjAQ7Vz1lhfqIFNRyaQW2RxyK0uX0IMVJ2Ay:8wX8xBfRHGmV7NMaQWw4sMyA
Threatray 1'227 similar samples on MalwareBazaar
TLSH T1E3652345BBD54062CDF61B342DF207B35E367E329A38C6692B10985F49717A86A333B3
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
US US
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450085/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Modifying a system executable file
Delayed writing of the file
Launching a process
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Forced shutdown of a system process
Infecting executable files
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/650b1b7832ffdb7a7a0d66d7/reports/86bea4a7-233a-4ffb-aabf-184c6a948944/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/7dedf613bef159a338fa71ae8e77e11899f9f5314ac3ebbb63c70d24537c3c73
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c04f8398-07b7-4729-88b7-ce3a73c3d838
Result
Threat name:
Fabookie, Mystic Stealer, RedLine, Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311710
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Fabookie
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1311710 Sample: file.exe Startdate: 20/09/2023 Architecture: WINDOWS Score: 100 139 z.nnnaajjjgc.com 2->139 141 www.google.com 2->141 143 9 other IPs or domains 2->143 155 Snort IDS alert for network traffic 2->155 157 Found malware configuration 2->157 159 Malicious sample detected (through community Yara rule) 2->159 161 12 other signatures 2->161 15 file.exe 1 4 2->15         started        18 svchost.exe 21 32 2->18         started        20 rundll32.exe 2->20         started        22 2 other processes 2->22 signatures3 process4 file5 135 C:\Users\user\AppData\Local\...\v5664030.exe, PE32 15->135 dropped 137 C:\Users\user\AppData\Local\...\e5256596.exe, PE32 15->137 dropped 24 v5664030.exe 1 4 15->24         started        27 WerFault.exe 18->27         started        29 WerFault.exe 18->29         started        31 WerFault.exe 18->31         started        33 WerFault.exe 18->33         started        process6 file7 115 C:\Users\user\AppData\Local\...\v1542590.exe, PE32 24->115 dropped 117 C:\Users\user\AppData\Local\...\d7598264.exe, PE32 24->117 dropped 35 v1542590.exe 1 4 24->35         started        38 d7598264.exe 24->38         started        process8 file9 107 C:\Users\user\AppData\Local\...\v7845412.exe, PE32 35->107 dropped 109 C:\Users\user\AppData\Local\...\c1639459.exe, PE32 35->109 dropped 41 v7845412.exe 1 4 35->41         started        44 c1639459.exe 1 35->44         started        47 Conhost.exe 35->47         started        175 Writes to foreign memory regions 38->175 177 Allocates memory in foreign processes 38->177 179 Injects a PE file into a foreign processes 38->179 49 AppLaunch.exe 38->49         started        51 conhost.exe 38->51         started        53 AppLaunch.exe 38->53         started        55 WerFault.exe 38->55         started        signatures10 process11 file12 127 C:\Users\user\AppData\Local\...\b9892692.exe, PE32 41->127 dropped 129 C:\Users\user\AppData\Local\...\a7185366.exe, PE32 41->129 dropped 57 b9892692.exe 1 41->57         started        60 a7185366.exe 1 41->60         started        195 Writes to foreign memory regions 44->195 197 Allocates memory in foreign processes 44->197 199 Injects a PE file into a foreign processes 44->199 62 AppLaunch.exe 44->62         started        65 conhost.exe 44->65         started        67 WerFault.exe 44->67         started        201 Disable Windows Defender notifications (registry) 49->201 203 Disable Windows Defender real time protection (registry) 49->203 signatures13 process14 dnsIp15 181 Writes to foreign memory regions 57->181 183 Allocates memory in foreign processes 57->183 185 Injects a PE file into a foreign processes 57->185 69 AppLaunch.exe 57->69         started        72 WerFault.exe 19 9 57->72         started        74 conhost.exe 57->74         started        83 3 other processes 57->83 76 AppLaunch.exe 60->76         started        78 AppLaunch.exe 13 60->78         started        81 WerFault.exe 21 9 60->81         started        85 2 other processes 60->85 151 77.91.124.82, 19071, 49704, 49713 ECOTEL-ASRU Russian Federation 62->151 187 Tries to harvest and steal browser information (history, passwords, etc) 62->187 signatures16 process17 dnsIp18 163 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 69->163 165 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 69->165 167 Maps a DLL or memory area into another process 69->167 173 2 other signatures 69->173 87 explorer.exe 69->87 injected 169 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 76->169 171 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 76->171 153 5.42.92.211, 49699, 49716, 49747 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 78->153 signatures19 process20 dnsIp21 145 5.42.65.80, 49718, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 87->145 147 77.91.68.29, 49708, 49710, 49714 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 87->147 149 4 other IPs or domains 87->149 119 C:\Users\user\AppData\Roaming\wujswfs, PE32 87->119 dropped 121 C:\Users\user\AppData\Local\Temp\C4B0.exe, PE32 87->121 dropped 123 C:\Users\user\AppData\Local\Temp\C31F.exe, PE32 87->123 dropped 125 4 other malicious files 87->125 dropped 189 System process connects to network (likely due to code injection or exploit) 87->189 191 Benign windows process drops PE files 87->191 193 Hides that the sample has been downloaded from the Internet (zone.identifier) 87->193 92 C4B0.exe 87->92         started        95 rundll32.exe 87->95         started        file22 signatures23 process24 file25 131 C:\Users\user\AppData\Local\...\x8052877.exe, PE32 92->131 dropped 133 C:\Users\user\AppData\Local\...\k4906341.exe, PE32 92->133 dropped 97 x8052877.exe 92->97         started        process26 file27 103 C:\Users\user\AppData\Local\...\x6034110.exe, PE32 97->103 dropped 105 C:\Users\user\AppData\Local\...\j4311962.exe, PE32 97->105 dropped 100 x6034110.exe 97->100         started        process28 file29 111 C:\Users\user\AppData\Local\...\x8489816.exe, PE32 100->111 dropped 113 C:\Users\user\AppData\Local\...\i4556731.exe, PE32 100->113 dropped
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7dedf613bef159a338fa71ae8e77e11899f9f5314ac3ebbb63c70d24537c3c73/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 16:19:06 UTC
File Type:
PE (Exe)
Extracted files:
149
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxw7me566fm2goh2ogxi457bdcm7t5jrjlb6xo3dy4gsiu34hrzq._file
Verdict:
malicious
Similar samples:
003fb028b1957462e30e031f2fae39d689a244b0b611bc295c97ca4763049428
Smoke Loader
2577bd2a22a0df03082a3d61b193668ccfa94a1aef60cb7bb0a7a5123c552c1d
Smoke Loader
324674f0da8d1f18d94372a9d0ab0953cbfa3dfe7e05601d9dcb47efa80f8f5f
Smoke Loader
4409a49dcc9e50f5183fba01b2a6193042f889e24146ee31fe9b14bac060c4ab
Smoke Loader
6954873d28ea95a9c8a54a5ed0b7e08ebcd026d3f7c562369ca4c8ab5c517b12
Smoke Loader
6b7cb068d3f3d4e2b7e50f06cb3a58dccde129c91852914b62ee7a2720ed113b
Smoke Loader
845321e0072b6a37c502b6f5992d8e750ac254c3b09c9e55874722fae5ba87d4
Smoke Loader
9f1a717948c323c01d4b2ef9ed4e5b369faf64bd5582f1fb3719ff5a8c32c601
Smoke Loader
e111ee546fa43ec78c9aba327edfe3a042398ac6b54bdc650ebfe05d42a003b3
Smoke Loader
f05c8cf7049760c851264415b703d88202fd83fe3dc3905c004378175d07499f
Smoke Loader
+ 1'217 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:fabookie family:glupteba family:healer family:redline family:smokeloader family:xmrig botnet:trush botnet:up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/230920-tshh6abd39/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
XMRig Miner payload
Detect Fabookie payload
Detects Healer an antivirus disabler dropper
Fabookie
Glupteba
Glupteba payload
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
xmrig
Malware Config
C2 Extraction:
77.91.124.82:19071
http://77.91.68.29/fks/
http://host-file-host6.com/
http://host-host-file8.com/
http://app.nnnaajjjgc.com/check/safe
Unpacked files
SH256 hash:
6a53ce3cc85b1b0eefe1499532756fdeb938954714725287941f3761592d4015
MD5 hash:
1948f5f154ac8749054f701bebf5a304
SHA1 hash:
a5e35ff085be48d9470c14874a6ce1774bebc9ee
Link:
https://www.unpac.me/results/af3d04ef-b114-41b7-a4cd-dfd8b592d1c3/
SH256 hash:
c2550a9598de8b85bda21edb562e023e8b70d7ac2006fa31e31fefad848bf42c
MD5 hash:
eca437fa0b4b1dc09ef309245bb2694b
SHA1 hash:
708db313712a27de468dc3c8e71c50d1694531e4
Link:
https://www.unpac.me/results/af3d04ef-b114-41b7-a4cd-dfd8b592d1c3/
SH256 hash:
9e08329e8d7acdc744c70bb35b7cc995946253687032852d70d937234801c1bf
MD5 hash:
9aa39883d376f60d7db6bbe86cdd1577
SHA1 hash:
49f3b29d5da4e219509d87285bf5819184c79e78
Link:
https://www.unpac.me/results/af3d04ef-b114-41b7-a4cd-dfd8b592d1c3/
SH256 hash:
7dedf613bef159a338fa71ae8e77e11899f9f5314ac3ebbb63c70d24537c3c73
MD5 hash:
a749c50e50bea83a415298bf40d03217
SHA1 hash:
066a179765249fa78765aa7c2ab063f7501d76be
Link:
https://www.unpac.me/results/af3d04ef-b114-41b7-a4cd-dfd8b592d1c3/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7dedf613bef1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7dedf613bef159a338fa71ae8e77e11899f9f5314ac3ebbb63c70d24537c3c73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:mal_healer
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:Payload disabling Windows AV
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2710216/
Cape
Cape
https://www.capesandbox.com/analysis/450085/

Comments