MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86ce330a6849fe8df5f261de69d27946ec3897aa70e08cd852bc622dd8011e69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86ce330a6849fe8df5f261de69d27946ec3897aa70e08cd852bc622dd8011e69
SHA3-384 hash: 6242dd4939463235c45e7972937d95ea7eb9f889081d74f9bd29c154ae41b36dcf4864e8acdff3e748b5420ba82cc095
SHA1 hash: f871068d2b1bdd0897d87f74aec8139bd6416803
MD5 hash: cebb9e153e87b4350cb4cf451ca26ab6
humanhash: cat-eighteen-crazy-avocado
File name:SecuriteInfo.com.Variant.Fragtor.132154.9710.2223
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:110'080 bytes
First seen:2022-08-22 05:28:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e30af043142429ccc5d7bc35b017d9f (13 x RedLineStealer, 10 x RecordBreaker, 1 x Smoke Loader)
ssdeep 3072:Ne/SWdhLa0jduO2bYZcpnCdsv3p2HvxzawB6rbH:NmLyO25t2HZx6rbH
TLSH T12DB3AF23BBC294F1EC73193148B089B18A6FFC540FA1DE6B2759127E4F345C19D26E6A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Fragtor.132154.9710.2223
Verdict:
No threats detected
Analysis date:
2022-08-22 05:31:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4268c38d-01f2-4045-bf83-df7876ca0aa2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300131/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.132154.9710.2223.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29629/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckNumberOfProcessor
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware keylogger packed
Link:
https://www.filescan.io/uploads/630314341d34cfa37d91d87b/reports/b7bf50f2-e8f5-44fc-a686-19b1f42c8913/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9ec60cd5-a5ee-4656-b7e0-fe63c36f49c7
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055293
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 687810 Sample: SecuriteInfo.com.Variant.Fr... Startdate: 22/08/2022 Architecture: WINDOWS Score: 100 78 jOuFDIswyTKUHhhn.jOuFDIswyTKUHhhn 2->78 80 coinsurf.com 2->80 82 3 other IPs or domains 2->82 98 Snort IDS alert for network traffic 2->98 100 Malicious sample detected (through community Yara rule) 2->100 102 Antivirus detection for URL or domain 2->102 104 9 other signatures 2->104 12 SecuriteInfo.com.Variant.Fragtor.132154.9710.exe 1 2->12         started        15 dtjefhd 2 2->15         started        signatures3 process4 signatures5 106 Contains functionality to inject code into remote processes 12->106 108 Writes to foreign memory regions 12->108 110 Allocates memory in foreign processes 12->110 112 2 other signatures 12->112 17 MSBuild.exe 12->17         started        20 conhost.exe 12->20         started        22 MSBuild.exe 12->22         started        24 conhost.exe 15->24         started        process6 signatures7 90 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->90 92 Maps a DLL or memory area into another process 17->92 94 Checks if the current machine is a virtual machine (disk enumeration) 17->94 96 Creates a thread in another existing process (thread injection) 17->96 26 explorer.exe 8 17->26 injected process8 dnsIp9 84 185.215.113.58, 49736, 49741, 49743 WHOLESALECONNECTIONSNL Portugal 26->84 86 exppressvpn.org 185.137.235.119, 443, 49744 SELECTELRU Russian Federation 26->86 88 2 other IPs or domains 26->88 70 C:\Users\user\AppData\Roaming\dtjefhd, PE32 26->70 dropped 72 C:\Users\user\AppData\Local\Temp\C71B.exe, PE32 26->72 dropped 74 C:\Users\user\AppData\Local\Temp\B77A.exe, PE32 26->74 dropped 76 C:\Users\user\AppData\Local\Temp\8722.exe, PE32 26->76 dropped 114 System process connects to network (likely due to code injection or exploit) 26->114 116 Benign windows process drops PE files 26->116 118 Injects code into the Windows Explorer (explorer.exe) 26->118 120 2 other signatures 26->120 31 B77A.exe 1 26->31         started        34 C71B.exe 5 26->34         started        36 8722.exe 4 26->36         started        39 9 other processes 26->39 file10 signatures11 process12 file13 122 Multi AV Scanner detection for dropped file 31->122 124 Writes to foreign memory regions 31->124 126 Allocates memory in foreign processes 31->126 128 Injects a PE file into a foreign processes 31->128 41 MSBuild.exe 2 31->41         started        43 WerFault.exe 3 10 31->43         started        45 conhost.exe 31->45         started        130 Machine Learning detection for dropped file 34->130 47 cmd.exe 34->47         started        50 WerFault.exe 34->50         started        64 C:\Users\user\AppData\Local\...\Update.exe, PE32 36->64 dropped 52 Update.exe 7 36->52         started        signatures14 process15 file16 132 Drops PE files with a suspicious file extension 47->132 55 cmd.exe 47->55         started        58 conhost.exe 47->58         started        66 C:\Users\user\AppData\Local\...\Update.exe, PE32 52->66 dropped signatures17 process18 file19 68 C:\Users\user\AppData\...bbene.exe.pif, PE32 55->68 dropped 60 tasklist.exe 55->60         started        62 find.exe 55->62         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86ce330a6849fe8df5f261de69d27946ec3897aa70e08cd852bc622dd8011e69/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 05:29:16 UTC
File Type:
PE (Exe)
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q3hdgctijh7i35psmhpgtutzi3wdrf5kodqizwcsxrrc3wabdzuq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220822-f6kc1secd3/
Unpacked files
SH256 hash:
f8b5bc27dc372841379af062d0229e072582ff3271ae70ca6bcae0f6784d92a3
MD5 hash:
e21d0d5170e11fabcf805f3cb27a6975
SHA1 hash:
baab2b87e0fd4caec871999566bc41e216457c79
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/cefe8a30-bce0-4818-ae59-d2aa31100021/
SH256 hash:
86ce330a6849fe8df5f261de69d27946ec3897aa70e08cd852bc622dd8011e69
MD5 hash:
cebb9e153e87b4350cb4cf451ca26ab6
SHA1 hash:
f871068d2b1bdd0897d87f74aec8139bd6416803
Link:
https://www.unpac.me/results/cefe8a30-bce0-4818-ae59-d2aa31100021/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/86ce330a6849/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86ce330a6849fe8df5f261de69d27946ec3897aa70e08cd852bc622dd8011e69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 86ce330a6849fe8df5f261de69d27946ec3897aa70e08cd852bc622dd8011e69

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2275335/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/300131/

Comments