MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f27a981e44cc3595009f7e78dde8ed1a13f1404b266d8277dab71237384d2a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f27a981e44cc3595009f7e78dde8ed1a13f1404b266d8277dab71237384d2a9
SHA3-384 hash: 24551beebb8c63958da5d54eca6ef07fc24f537ce8db407dcd76000be0a3af188d5cd8df88f5452f1f98f3f022a7948c
SHA1 hash: 6d3229bdc650789a7f1959a0a7dc5d0fa3be81f3
MD5 hash: 3eef52f6fbd66e5349726b0650276a38
humanhash: potato-finch-orange-arizona
File name:3eef52f6fbd66e5349726b0650276a38
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:199'680 bytes
First seen:2021-07-21 00:33:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b0fe27671bb60a5d31189716fdcf7690 (3 x Smoke Loader, 1 x RaccoonStealer, 1 x Stop)
ssdeep 3072:rQHXGjTYyTtzrSWvRLJDwXvgDylRsubL1u:SGtLyX4DylRo
Threatray 635 similar samples on MalwareBazaar
TLSH T1D7149D5075E1C832E7A60A31D8F6D2E5263EBC625D28444B72803BDF6E713D299BE353
dhash icon 48b9b2b0e8c38c90 (6 x Smoke Loader, 5 x RedLineStealer, 3 x CryptBot)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c0f6d353__turbo-cpp-new-v.zip
Verdict:
Malicious activity
Analysis date:
2021-07-18 15:47:10 UTC
Tags:
evasion autoit loader trojan rat redline stealer amadey vidar phishing unwanted netsupport
Link:
https://app.any.run/tasks/30850b7c-e38f-4cac-8c22-acfd18858b66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector01
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172908/
Detection(s):
Win.Trojan.Generic-9879934-0
Create hunting rule

Win.Dropper.Genkryptik-9880017-0
Create hunting rule

Win.Malware.Generic-9880039-0
Create hunting rule

Win.Packed.Generic-9880040-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af9fed21-cb94-4ac7-91ee-90b2392b4843
Result
Threat name:
Djvu Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819271
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Yara detected Djvu Ransomware
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 451682 Sample: BCuIfAa4vg Startdate: 21/07/2021 Architecture: WINDOWS Score: 100 71 shpak125.tumblr.com 2->71 73 ipinfo.io 2->73 75 3 other IPs or domains 2->75 101 Antivirus detection for URL or domain 2->101 103 Multi AV Scanner detection for submitted file 2->103 105 Yara detected SmokeLoader 2->105 107 10 other signatures 2->107 10 BCuIfAa4vg.exe 2->10         started        13 ejhvwfi 2->13         started        15 suhvwfi 2->15         started        signatures3 process4 file5 109 DLL reload attack detected 10->109 111 Detected unpacking (changes PE section rights) 10->111 113 Contains functionality to inject code into remote processes 10->113 18 BCuIfAa4vg.exe 1 10->18         started        115 Injects a PE file into a foreign processes 13->115 21 ejhvwfi 1 13->21         started        69 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 15->69 dropped 117 Maps a DLL or memory area into another process 15->117 119 Checks if the current machine is a virtual machine (disk enumeration) 15->119 121 Creates a thread in another existing process (thread injection) 15->121 signatures6 process7 file8 91 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->91 93 Renames NTDLL to bypass HIPS 18->93 95 Maps a DLL or memory area into another process 18->95 24 explorer.exe 15 18->24 injected 49 C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32 21->49 dropped 97 Checks if the current machine is a virtual machine (disk enumeration) 21->97 99 Creates a thread in another existing process (thread injection) 21->99 signatures9 process10 dnsIp11 77 999080321yomtest251-service10020125999080321.ru 24->77 79 999080321yirtest231-service10020125999080321.ru 24->79 81 89 other IPs or domains 24->81 51 C:\Users\user\AppData\Roaming\ejhvwfi, PE32 24->51 dropped 53 C:\Users\user\AppData\Local\Temp\57E7.exe, PE32 24->53 dropped 55 C:\Users\user\AppData\Local\Temp\4911.exe, PE32 24->55 dropped 57 5 other files (4 malicious) 24->57 dropped 123 System process connects to network (likely due to code injection or exploit) 24->123 125 Benign windows process drops PE files 24->125 127 Performs DNS queries to domains with low reputation 24->127 131 2 other signatures 24->131 29 3A69.exe 80 24->29         started        34 3D58.exe 1 24->34         started        36 2ABE.exe 24->36         started        38 13 other processes 24->38 file12 129 Tries to resolve many domain names, but no domain seems valid 79->129 signatures13 process14 dnsIp15 85 telete.in 29->85 87 telete.in 195.201.225.248, 443, 49763 HETZNER-ASDE Germany 29->87 89 34.88.33.218, 49764, 80 GOOGLEUS United States 29->89 59 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 29->59 dropped 61 C:\Users\user\AppData\...\vcruntime140.dll, PE32 29->61 dropped 63 C:\Users\user\AppData\...\ucrtbase.dll, PE32 29->63 dropped 67 56 other files (none is malicious) 29->67 dropped 133 Detected unpacking (changes PE section rights) 29->133 135 Detected unpacking (overwrites its own PE header) 29->135 137 Tries to steal Mail credentials (via file access) 29->137 153 2 other signatures 29->153 139 DLL reload attack detected 34->139 141 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 34->141 143 Renames NTDLL to bypass HIPS 34->143 155 3 other signatures 34->155 145 Query firmware table information (likely to detect VMs) 36->145 147 Tries to detect sandboxes and other dynamic analysis tools (window names) 36->147 149 Hides threads from debuggers 36->149 65 C:\Users\user\AppData\Local\...\zeqwlwnm.exe, PE32 38->65 dropped 157 3 other signatures 38->157 40 1C46.exe 38->40         started        43 3323.exe 14 2 38->43         started        45 conhost.exe 38->45         started        47 3 other processes 38->47 file16 151 Tries to resolve many domain names, but no domain seems valid 85->151 signatures17 process18 dnsIp19 83 api.2ip.ua 77.123.139.190 VOLIA-ASUA Ukraine 40->83
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8f27a981e44cc3595009f7e78dde8ed1a13f1404b266d8277dab71237384d2a9/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 19:43:47 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r4t2tapejtbvsuaj67ty3xuo2gqt6faewjtnqj35vnysg44e2kuq._file
Verdict:
suspicious
Similar samples:
2b4e74f6d31e2ce71fa3de3caba5fbf6b070885d43c956aa57deced79e79826b
Smoke Loader
3ac1eb91b7c197ea1ef44b2c67b603c4a07937134cc6f60910562b13aa9f2b93
Smoke Loader
42409087896ad827ca16b713215988bed28560c5fe0c929f7c30294854b5bfc2
Smoke Loader
4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
Smoke Loader
5506b7fcbd13ae3049f461b3527242502e4c3f9e1f684cfe5b03ebb3af64366a
Smoke Loader
8876443ca226bd35c82f3e50163007b03b39f61efdb751568f2cef7d71a7b954
Smoke Loader
b45b46943761b574b53d2938b6e6c331d778f77bf1690d3b09a07450867118b5
Smoke Loader
ce1a457a5bd8763fde41a27081d5a885b66aca31b123ee42885e29bc8cfdbda5
Smoke Loader
e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac
Smoke Loader
+ 625 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar botnet:111 botnet:696361302 botnet:824 botnet:aggressor botnet:testsind botnet:thistime botnet:yagandon backdoor discovery evasion infostealer persistence spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/210721-7qgw3mfpwa/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
45.32.235.238:45555
woltelorda.xyz:80
195.149.87.250:14486
xetadycami.xyz:80
135.148.139.222:33569
65.21.144.202:24887
188.40.193.166:43180
https://shpak125.tumblr.com/
Unpacked files
SH256 hash:
3639600a6ddb9abd9646e644c99435b152e2b874bd24f7e3c35ed147a76fe86d
MD5 hash:
9017528c8960c1dc290cfbe61a455eb8
SHA1 hash:
9f773c892052218f8c5f8efba140a3cd35c22a21
Link:
https://www.unpac.me/results/9688ae3c-4f2f-447c-a7d3-eb54058a774f/
SH256 hash:
8f27a981e44cc3595009f7e78dde8ed1a13f1404b266d8277dab71237384d2a9
MD5 hash:
3eef52f6fbd66e5349726b0650276a38
SHA1 hash:
6d3229bdc650789a7f1959a0a7dc5d0fa3be81f3
Link:
https://www.unpac.me/results/9688ae3c-4f2f-447c-a7d3-eb54058a774f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f27a981e44cc3595009f7e78dde8ed1a13f1404b266d8277dab71237384d2a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector01
Create hunting rule
Author:ditekSHen
Description:Detects specific downloader injector shellcode

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 8f27a981e44cc3595009f7e78dde8ed1a13f1404b266d8277dab71237384d2a9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1453980/
Cape
Cape
https://www.capesandbox.com/analysis/172908/

Comments