MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83c784cde0faa7e758b3e517c06577e7bb444d2f2f2008f124f925fa61cc22e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	83c784cde0faa7e758b3e517c06577e7bb444d2f2f2008f124f925fa61cc22e2
SHA3-384 hash:	4e645dc9c72a5890e42311795bc89a4a40da1fd092939b7bfc45c47d842eb08db6bf4def4bca2f56b7c73bfc6f7cc29b
SHA1 hash:	b4bddedd7badd7fdbe0272b9d17193f374ff7e66
MD5 hash:	6d259fcf433bf6f848f515014aae746e
humanhash:	grey-connecticut-johnny-kansas
File name:	6d259fcf433bf6f848f515014aae746e.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	149'504 bytes
First seen:	2021-08-19 08:25:53 UTC
Last seen:	2021-08-19 09:12:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3627f9b92d64ac467223f2af87166a04 (5 x RedLineStealer, 2 x Smoke Loader, 1 x CryptBot)
ssdeep	3072:/fngVboUyrLhbzJ2uRB0FKE1MNKT0yB3M:Q6UQFJL0Fr1M+
Threatray	4'929 similar samples on MalwareBazaar
TLSH	T180E3BF1135E3C476F015C4314890FAB1A67AF9E36FB5A5073768236F1E713D39A2A3A2
dhash icon	1072c093b0381902 (22 x RedLineStealer, 7 x RaccoonStealer, 4 x Smoke Loader)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6d259fcf433bf6f848f515014aae746e.exe

Verdict:

No threats detected

Analysis date:

2021-08-19 08:27:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eabac980-0945-4536-be9f-f084ef05f705

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

zeus

Link:

https://www.capesandbox.com/analysis/180589/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.21805.8132.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending an HTTP POST request

Creating a process from a recently created file

Deleting of the original file

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1e73cfa7-8329-4cdd-a3bd-75666891cfca

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/835621

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83c784cde0faa7e758b3e517c06577e7bb444d2f2f2008f124f925fa61cc22e2/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-19 01:57:08 UTC

AV detection:

16 of 27 (59.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qpdyjtpa7kt6owft4ul4azlx465uitjpf4qar4je7es7uyomelra._file

Verdict:

unknown

Smoke Loader

1fd53f7703dae50a4d8f2fc8d746551780d78f45b226ef6b94922a2bf8405010

Smoke Loader

2e57ab143734f373d78a1695d343f4b5d1116022b0309d6cbc55d99464d4442b

Smoke Loader

39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4

Smoke Loader

5a08fbf3635e557182b59aba6d21a974aa712ea0e90b023cbf76519ea52959aa

Smoke Loader

5cce9b6a71a53d6d8f9cb245ee9153618ed3c41b6cf3a9319e6d484c9110fc64

Smoke Loader

a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8

Smoke Loader

c5fc8453bf6cdd3e96740b1616ba2f6b359710ce2eb32f02faf8c0e299a0a057

Smoke Loader

e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25

Smoke Loader

fd58afa96d56df9d4bb20955601fc4b7e379b9964eccf31cb1904252f709dbc7

Smoke Loader

+ 4'919 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:smokeloader family:vidar botnet:517 backdoor discovery persistence stealer trojan

Link:

https://tria.ge/reports/210819-x4ptgwkvz6/

Behaviour

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Deletes itself

Loads dropped DLL

Modifies file permissions

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

SmokeLoader

Vidar

Malware Config

C2 Extraction:

http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/

Unpacked files

SH256 hash:

18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2

MD5 hash:

f2fecf6872ad4c61a3a506159fddd4fc

SHA1 hash:

28e039eb96dcf58841992280c66433a2bbab8e84

Link:

https://www.unpac.me/results/e23ddc50-e205-45ad-b55d-2af8c2c779e5/

SH256 hash:

83c784cde0faa7e758b3e517c06577e7bb444d2f2f2008f124f925fa61cc22e2

MD5 hash:

6d259fcf433bf6f848f515014aae746e

SHA1 hash:

b4bddedd7badd7fdbe0272b9d17193f374ff7e66

Link:

https://www.unpac.me/results/e23ddc50-e205-45ad-b55d-2af8c2c779e5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/83c784cde0faa7e758b3e517c06577e7bb444d2f2f2008f124f925fa61cc22e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe 83c784cde0faa7e758b3e517c06577e7bb444d2f2f2008f124f925fa61cc22e2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1533747/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/180589/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample