MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87fc3e042747ec6e69f1c32bb906de41b2a6e4b1fdd6bdfb041c3689002e97cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87fc3e042747ec6e69f1c32bb906de41b2a6e4b1fdd6bdfb041c3689002e97cf
SHA3-384 hash: 63a8a179905d7802cf106b26709a9b2d3090a48507683317679d156ed39c2ad027bb5cb307d711b4510ea7dcbff79fae
SHA1 hash: 2dea26934da1770a8720bb788a61f7b71385b1cb
MD5 hash: bf1336f26ed7df9c1d72126e43f558a8
humanhash: oklahoma-friend-connecticut-speaker
File name:bf1336f26ed7df9c1d72126e43f558a8.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:281'088 bytes
First seen:2021-08-25 12:01:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ddbb3eef631957f988f10b48742f9549 (14 x RaccoonStealer, 2 x Smoke Loader)
ssdeep 6144:EkDh4MkEirjH29xfUBTVqWBC1dgbRk8suE2w2xQr:vh3kEi3W99kVqWBCIbQuE2w2ur
Threatray 1'124 similar samples on MalwareBazaar
TLSH T113548D30AAA1C034E9F211F4497A83BDB9393AB19B3550CF53E52AE917346E5EC30797
dhash icon ead8a89cc6e68ea0 (25 x RaccoonStealer, 8 x DanaBot, 8 x RedLineStealer)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bf1336f26ed7df9c1d72126e43f558a8.exe
Verdict:
No threats detected
Analysis date:
2021-08-25 12:06:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fcd8b047-5a1e-48bd-a246-2d3268a916b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182302/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.64457.5862.23124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/743c777e-46e4-4cee-ad40-7cedc241872d
Result
Threat name:
KPot Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839024
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected KPot
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 471456 Sample: pSoGvctFnD.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 48 spinogriz91076299.io 2->48 50 kpotuvorot10.bit 2->50 52 2 other IPs or domains 2->52 82 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->82 84 Multi AV Scanner detection for domain / URL 2->84 86 Antivirus detection for URL or domain 2->86 88 9 other signatures 2->88 9 pSoGvctFnD.exe 2->9         started        12 swffaab 2->12         started        signatures3 process4 signatures5 104 Detected unpacking (changes PE section rights) 9->104 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->106 108 Maps a DLL or memory area into another process 9->108 110 Creates a thread in another existing process (thread injection) 9->110 14 explorer.exe 6 9->14 injected 112 Multi AV Scanner detection for dropped file 12->112 114 Machine Learning detection for dropped file 12->114 116 Checks if the current machine is a virtual machine (disk enumeration) 12->116 process6 dnsIp7 62 193.142.59.123, 49753, 49776, 80 HOSTSLICK-GERMANYNL Netherlands 14->62 64 110.14.121.123, 49748, 49750, 49754 SKB-ASSKBroadbandCoLtdKR Korea Republic of 14->64 66 6 other IPs or domains 14->66 40 C:\Users\user\AppData\Roaming\swffaab, PE32 14->40 dropped 42 C:\Users\user\AppData\Local\Temp\A2E4.exe, PE32 14->42 dropped 44 C:\Users\user\AppData\Local\Temp\96F2.exe, PE32 14->44 dropped 46 C:\Users\user\...\swffaab:Zone.Identifier, ASCII 14->46 dropped 74 System process connects to network (likely due to code injection or exploit) 14->74 76 Benign windows process drops PE files 14->76 78 Deletes itself after installation 14->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->80 19 DBB8.exe 2 4 14->19         started        23 96F2.exe 15 26 14->23         started        26 A2E4.exe 14->26         started        28 3 other processes 14->28 file8 signatures9 process10 dnsIp11 36 C:\ProgramData\...\33A2E4F0.exe, PE32 19->36 dropped 90 Detected unpacking (changes PE section rights) 19->90 92 Creates autostart registry keys with suspicious names 19->92 30 33A2E4F0.exe 19->30         started        54 185.215.113.29, 49777, 8678 WHOLESALECONNECTIONSNL Portugal 23->54 56 api.ip.sb 23->56 94 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->94 96 Machine Learning detection for dropped file 23->96 98 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->98 102 2 other signatures 23->102 34 conhost.exe 23->34         started        100 Contains functionality to infect the boot sector 26->100 58 185.234.247.35, 49825, 49830, 80 INTERKONEKT-ASPL Russian Federation 28->58 60 telete.in 195.201.225.248, 443, 49816 HETZNER-ASDE Germany 28->60 38 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 28->38 dropped file12 signatures13 process14 dnsIp15 68 ebanat6977769.com 30->68 70 45.56.79.23, 49785, 49787, 49789 LINODE-APLinodeLLCUS United States 30->70 72 4 other IPs or domains 30->72 118 Detected unpacking (changes PE section rights) 30->118 120 Machine Learning detection for dropped file 30->120 122 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 30->122 signatures16 124 System process connects to network (likely due to code injection or exploit) 68->124
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87fc3e042747ec6e69f1c32bb906de41b2a6e4b1fdd6bdfb041c3689002e97cf/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 05:46:54 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1d56c98200907afafa8a54f802c21ed824e1827162fb19d8f73cf8a8bb61b7f2
Smoke Loader
1d76266267ca27570b9cfb6f2a84b80ef607e9450d475eabad2e630cfbd77b7e
Smoke Loader
328e682510e9c0e0c37a7c8d347ecb4e7791a03b44962675a3f5f23d85250e08
Smoke Loader
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
Smoke Loader
41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff
Smoke Loader
af416b9b0b8c91937ee895050038b9de17f25735faa984c1d6dcf8d130c9d29b
Smoke Loader
c7839db336f11c965ab8e6fbad1a6c757711a24362cc20d63d4ce37aef9b83b1
Smoke Loader
eccd8757ac5a6c34abc69c2251a582a6697d9cbb5af2d8c5f8f8787b3156c3ff
Smoke Loader
+ 1'114 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader backdoor bootkit infostealer persistence trojan
Link:
https://tria.ge/reports/210825-5yjafnycvn/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Writes to the Master Boot Record (MBR)
Deletes itself
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.29:8678
Unpacked files
SH256 hash:
18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2
MD5 hash:
f2fecf6872ad4c61a3a506159fddd4fc
SHA1 hash:
28e039eb96dcf58841992280c66433a2bbab8e84
Link:
https://www.unpac.me/results/98ddb86c-a743-4dc7-b8c8-6990c22fb4d1/
SH256 hash:
87fc3e042747ec6e69f1c32bb906de41b2a6e4b1fdd6bdfb041c3689002e97cf
MD5 hash:
bf1336f26ed7df9c1d72126e43f558a8
SHA1 hash:
2dea26934da1770a8720bb788a61f7b71385b1cb
Link:
https://www.unpac.me/results/98ddb86c-a743-4dc7-b8c8-6990c22fb4d1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/87fc3e042747/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87fc3e042747ec6e69f1c32bb906de41b2a6e4b1fdd6bdfb041c3689002e97cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 87fc3e042747ec6e69f1c32bb906de41b2a6e4b1fdd6bdfb041c3689002e97cf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1559349/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182302/

Comments