MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
SHA3-384 hash: 80a6d1263f5d8c6f580420b2ed1fbac6925a6dd0a7a56ab4202ababafe23ca2e8c06823a92d30553a3085626f8614392
SHA1 hash: 48a6f884b3a5fd51a371f900cbdb1b8651af72b4
MD5 hash: 2c7373ab965995304bd8b007f66ebad2
humanhash: winter-minnesota-earth-seventeen
File name:2c7373ab965995304bd8b007f66ebad2
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:137'728 bytes
First seen:2021-09-26 17:05:19 UTC
Last seen:2021-09-26 18:18:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d219b4c81d3038e0b353f2c453352508 (12 x RaccoonStealer, 4 x Smoke Loader, 2 x ArkeiStealer)
ssdeep 1536:9+6RF4Gc7MP2riP2k+Y8vS+xinUh8XX82uJDF5uB64i8YrPt/CD6H:9Jyy2kORxsUhr2y55ug4yr0O
Threatray 1'011 similar samples on MalwareBazaar
TLSH T13BD3CE1D7A83C432EA96D9318821C6B0566A7C327E21CE87B758672F1F352D346373A7
File icon (PE):PE icon
dhash icon fcfcb4f4d4dcd8c0 (7 x RedLineStealer, 4 x RaccoonStealer, 3 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2c7373ab965995304bd8b007f66ebad2
Verdict:
No threats detected
Analysis date:
2021-09-26 17:07:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b74d5eb-aa21-4b5a-923f-b9fd31e7dd0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191821/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.23493.28516.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d903df6-ad11-49f9-9663-4d8ea4af408e
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858492
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 490922 Sample: SdNKkoXklZ Startdate: 26/09/2021 Architecture: WINDOWS Score: 100 44 api.ip.sb 2->44 46 s3-w.us-east-1.amazonaws.com 2->46 48 6 other IPs or domains 2->48 70 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->70 72 Found malware configuration 2->72 74 Antivirus detection for URL or domain 2->74 76 12 other signatures 2->76 9 SdNKkoXklZ.exe 2->9         started        12 tdehfwa 2->12         started        signatures3 process4 signatures5 100 Detected unpacking (changes PE section rights) 9->100 102 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->102 104 Maps a DLL or memory area into another process 9->104 14 explorer.exe 6 9->14 injected 106 Multi AV Scanner detection for dropped file 12->106 108 Checks if the current machine is a virtual machine (disk enumeration) 12->108 110 Creates a thread in another existing process (thread injection) 12->110 process6 dnsIp7 54 govsurplusstore.com 211.59.14.90, 49750, 49775, 49776 SKB-ASSKBroadbandCoLtdKR Korea Republic of 14->54 56 kamikirim.id 103.247.9.207, 49832, 80 RUMAHWEB-AS-IDRumahwebIndonesiaCVID Indonesia 14->56 58 6 other IPs or domains 14->58 36 C:\Users\user\AppData\Roaming\tdehfwa, PE32 14->36 dropped 38 C:\Users\user\AppData\Local\Temp\6D46.exe, PE32 14->38 dropped 40 C:\Users\user\AppData\Local\Temp\60B2.exe, PE32 14->40 dropped 42 C:\Users\user\...\tdehfwa:Zone.Identifier, ASCII 14->42 dropped 62 System process connects to network (likely due to code injection or exploit) 14->62 64 Benign windows process drops PE files 14->64 66 Deletes itself after installation 14->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->68 19 60B2.exe 15 33 14->19         started        23 B3C6.exe 3 14->23         started        25 6D46.exe 2 14->25         started        file8 signatures9 process10 dnsIp11 50 94.26.228.204, 32917, 49833 PTC-YEMENNETYE Russian Federation 19->50 52 api.ip.sb 19->52 78 Multi AV Scanner detection for dropped file 19->78 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->80 82 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->82 96 2 other signatures 19->96 27 conhost.exe 19->27         started        84 Detected unpacking (changes PE section rights) 23->84 86 Query firmware table information (likely to detect VMs) 23->86 88 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->88 98 2 other signatures 23->98 29 conhost.exe 23->29         started        90 Antivirus detection for dropped file 25->90 92 Machine Learning detection for dropped file 25->92 94 Injects a PE file into a foreign processes 25->94 31 6D46.exe 2 25->31         started        34 conhost.exe 25->34         started        signatures12 process13 dnsIp14 60 92.246.89.6, 38437, 49865 LIVECOMM-ASRespublikanskayastr3k6RU Russian Federation 31->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde/
Threat name:
Win32.Ransomware.LockbitCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 16:54:37 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
Smoke Loader
198032ed08a5197c0b5ceefa0be69749d46a724b7d88915fe0762242692cb942
Smoke Loader
50575798954fd5dff1f376d1597a3d0ff52f51789c5ae98b48957590b540bcce
Smoke Loader
6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935
Smoke Loader
8c373102d98ba3188c4361deee0bd43f89e4e8785b613a7af99bddd45329303d
Smoke Loader
b2dadf77d0f5917ce225ee0b177e4d5deb626a81ce33815f176d915ea21ba159
Smoke Loader
c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54
Smoke Loader
d620056c5defae218de13235fc4a509d968bd55469092aa00095ff94a0246b7f
Smoke Loader
f83b0cd39202e7040eae66dac5444eff5f9d878e3bb778613f1525aba2e3c5de
Smoke Loader
+ 1'001 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:redline family:smokeloader family:vidar family:xmrig botnet:paladin backdoor discovery evasion infostealer miner persistence ransomware spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210926-vmeezsfagl/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Detected Djvu ransomware
Djvu Ransomware
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
xmrig
Malware Config
C2 Extraction:
http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
92.246.89.6:38437
94.26.228.204:32917
Unpacked files
SH256 hash:
5e52071fd7832c439965575105f0a8d309fc5c923523689f94c6aaaa4230ec8a
MD5 hash:
0723090cb25a2ec591eb170730b0e737
SHA1 hash:
d6e2422a17cfe0de3cc43053cf595b7a28897386
Link:
https://www.unpac.me/results/0f1164d9-0a20-4c8a-96a1-d17d0a286bbc/
SH256 hash:
89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
MD5 hash:
2c7373ab965995304bd8b007f66ebad2
SHA1 hash:
48a6f884b3a5fd51a371f900cbdb1b8651af72b4
Link:
https://www.unpac.me/results/0f1164d9-0a20-4c8a-96a1-d17d0a286bbc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1644574/
Cape
Cape
https://www.capesandbox.com/analysis/191821/

Comments


Avatar
zbet commented on 2021-09-26 17:05:21 UTC

url : hxxp://yangsenguanfang.com/pub3.exe