MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142
SHA3-384 hash: 8d393ca578e26048e5a6625ecd9a3f254cb6236d01ed20b22385754e9e5237e1e417136a3252ada187687db5b4646900
SHA1 hash: a055f68ab7b2d53e81aa77e3a3820319c6b25376
MD5 hash: f556e6b16e85811de359115fa95f9fce
humanhash: washington-nuts-oven-magazine
File name:81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:299'008 bytes
First seen:2022-02-23 22:03:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 28f93ef4de3d596c8c8216f36a80794c (2 x RaccoonStealer, 2 x RedLineStealer, 1 x Loki)
ssdeep 3072:c3xQIPSmRPSn0jLX3fvlupZJdsCcBz3AEX0jCVggjcGkNIVqI:EtamRPSnujPMvyhXj7ITsq
Threatray 4'119 similar samples on MalwareBazaar
TLSH T17954ADE132D2E872C5D2B5718825CFF09A7AF831D9E1955733793B2F5E602C0B6A6306
File icon (PE):PE icon
dhash icon fcfcd4d4d4dcd8c0 (52 x RaccoonStealer, 28 x RedLineStealer, 6 x Smoke Loader)
Reporter Anonymous
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ZIP_Password_IS_987987_____Windows-10-Acti.zip
Verdict:
Malicious activity
Analysis date:
2022-01-18 04:18:02 UTC
Tags:
evasion trojan rat redline loader stealer opendir vidar
Link:
https://app.any.run/tasks/149cf9c2-aeac-44f8-8f12-0838a0fd02ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243944/
Detection(s):
Win.Trojan.Generic-9935605-0
Create hunting rule

Win.Dropper.Tofsee-9936736-0
Create hunting rule

Win.Dropper.Tofsee-9936853-0
Create hunting rule

Win.Malware.Tofsee-9936858-0
Create hunting rule

Win.Malware.Generic-9936886-0
Create hunting rule

Win.Malware.Generic-9936948-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Reading critical registry keys
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7203/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit greyware qbot raccoon
Link:
https://www.filescan.io/uploads/6216af55875593a3cc0d64c0/reports/7782fb72-791a-4603-abec-5cdad7bc4bdb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ebf0509-f54a-4895-94e8-3a72487643b2
Result
Threat name:
IcedID SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945258
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 577737 Sample: lohyAeFfds Startdate: 23/02/2022 Architecture: WINDOWS Score: 100 45 oakland-studio.video 2->45 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 7 other signatures 2->65 9 lohyAeFfds.exe 2->9         started        12 dfhfvsc 2->12         started        14 dfhfvsc 2->14         started        16 rdhfvsc 2->16         started        signatures3 process4 signatures5 75 Detected unpacking (changes PE section rights) 9->75 77 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->77 79 Maps a DLL or memory area into another process 9->79 18 explorer.exe 4 9->18 injected 81 Multi AV Scanner detection for dropped file 12->81 83 Machine Learning detection for dropped file 12->83 85 Checks if the current machine is a virtual machine (disk enumeration) 12->85 87 Creates a thread in another existing process (thread injection) 14->87 23 WerFault.exe 7 16->23         started        process6 dnsIp7 47 recmaster.ru 178.31.123.113, 49749, 49750, 49769 TELENOR-NEXTELTelenorNorgeASNO Sweden 18->47 49 oakland-studio.video 143.198.125.86, 443, 49850, 49851 LDCOMNETFR United States 18->49 51 11 other IPs or domains 18->51 37 C:\Users\user\AppData\Roaming\rdhfvsc, PE32 18->37 dropped 39 C:\Users\user\AppData\Roaming\dfhfvsc, PE32 18->39 dropped 41 C:\Users\user\AppData\Local\Temp\761C.exe, PE32+ 18->41 dropped 43 2 other malicious files 18->43 dropped 67 System process connects to network (likely due to code injection or exploit) 18->67 69 Benign windows process drops PE files 18->69 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->71 73 4 other signatures 18->73 25 3895.exe 18->25         started        28 761C.exe 18->28         started        31 cmd.exe 1 18->31         started        file8 signatures9 process10 dnsIp11 89 Detected unpacking (changes PE section rights) 25->89 91 Machine Learning detection for dropped file 25->91 93 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->93 99 3 other signatures 25->99 53 badgoodreason.com 103.208.86.108, 49858, 80 ZAPPIE-HOST-ASZappieHostGB New Zealand 28->53 55 dr49lng3n1n2s.cloudfront.net 143.204.64.66, 443, 49854 AMAZON-02US United States 28->55 57 2 other IPs or domains 28->57 95 Contains functionality to detect hardware virtualization (CPUID execution measurement) 28->95 97 Tries to detect virtualization through RDTSC time measurements 28->97 33 WMIC.exe 1 31->33         started        35 conhost.exe 31->35         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 14:19:08 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
39 of 43 (90.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qekyc2njq2csp7vo2fu55ohezljdfyzxeguwa5lzpwdpygtyefba._file
Verdict:
malicious
Similar samples:
3fdf21f7ad2430c552a8dc34c6fbaf82d95a0f44b9a7bd514d89ad3d074d345f
Smoke Loader
48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
Smoke Loader
538d3533398c3f0adbd59483ced973cf35803de5e9356e8dafb5f6bea4049a30
Smoke Loader
55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb
Smoke Loader
7163d47439cbab3397556ebda45e83fdea5dd01ce0fcfaae7ad18637a4433455
Smoke Loader
7b24f14ce1d2cb622d41c4f8b6fe23edb1471ede00b0b0e8c6c37d8379f5f58a
Smoke Loader
9b031ce5a98e281a6c59d198e443653c2c873b416f597e85433754dd962ac816
Smoke Loader
+ 4'109 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:icedid family:smokeloader campaign:2715004312 backdoor banker evasion loader suricata trojan
Link:
https://tria.ge/reports/220223-1yx95acgbn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates processes with tasklist
Enumerates system info in registry
Gathers network information
Gathers system information
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
IcedID First Stage Loader
IcedID, BokBot
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
Malware Config
C2 Extraction:
http://nahbleiben.at/upload/
http://noblecreativeaz.com/upload/
http://tvqaq.cn/upload/
http://recmaster.ru/upload/
http://sovels.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
badgoodreason.com
Unpacked files
SH256 hash:
77dae8bfb2f71eb22292e284468dae35f8a7f0d6bccbb655979839447d13634c
MD5 hash:
89e7d1d102e675ef49f3dbf4040617e7
SHA1 hash:
38e83ba9c7201ea942fd5f6f464d4537007c1cd9
Link:
https://www.unpac.me/results/b2c7b232-04e7-4bfe-81f5-bdb555800fd8/
SH256 hash:
81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142
MD5 hash:
f556e6b16e85811de359115fa95f9fce
SHA1 hash:
a055f68ab7b2d53e81aa77e3a3820319c6b25376
Link:
https://www.unpac.me/results/b2c7b232-04e7-4bfe-81f5-bdb555800fd8/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/81158169a986/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/243944/

Comments