MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91634042570417ff1a70824cfb5559869a1e542d7e41d8d65aea2d51eb241411. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91634042570417ff1a70824cfb5559869a1e542d7e41d8d65aea2d51eb241411
SHA3-384 hash: 84a359007ebeb58b919350ae54e374e2ebfffe24d7dce895734e1573d76d9d85434d1e17c62f9211ac7334619d444688
SHA1 hash: cd6a63dfdf65faa809d327bde99bfbcf93843f0d
MD5 hash: 6ffab37cb5acbe554336ddc05b9e7d38
humanhash: football-stream-social-apart
File name:6ffab37cb5acbe554336ddc05b9e7d38.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:347'648 bytes
First seen:2021-07-29 17:44:23 UTC
Last seen:2021-07-29 19:06:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c27a98a29b21693846ec47ce91a249f1 (2 x RaccoonStealer, 2 x Smoke Loader, 2 x GCleaner)
ssdeep 6144:MyoZDwYPIs3bGaWl4sk0WmaFAarFLqYFF:oZMYPIs3qaWG0W/vrFDn
Threatray 752 similar samples on MalwareBazaar
TLSH T106749D30B690C039E4B715F844BAD3BCB8297EA1AB3450CF62E52BEA56356E4DC30757
dhash icon ead8a89cc6e68ea0 (25 x RaccoonStealer, 8 x DanaBot, 8 x RedLineStealer)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6ffab37cb5acbe554336ddc05b9e7d38.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-29 17:52:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c763358-9527-47f8-8934-c3d103407efc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175127/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.4595.9378.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83f74504-ac45-4605-9e34-81003d0580ab
Result
Threat name:
Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824061
Signature
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 456473 Sample: nJmAgu7z7p.exe Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 81 192.168.2.7 unknown unknown 2->81 133 Multi AV Scanner detection for submitted file 2->133 135 DLL reload attack detected 2->135 137 Yara detected SmokeLoader 2->137 139 9 other signatures 2->139 11 nJmAgu7z7p.exe 2->11         started        14 tbgrvii 2->14         started        16 svchost.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 149 Detected unpacking (changes PE section rights) 11->149 151 Contains functionality to inject code into remote processes 11->151 153 Injects a PE file into a foreign processes 11->153 21 nJmAgu7z7p.exe 11->21         started        24 tbgrvii 14->24         started        155 Changes security center settings (notifications, updates, antivirus, firewall) 16->155 83 8.8.8.8 GOOGLEUS United States 18->83 85 23.54.113.104 AKAMAI-ASUS United States 18->85 87 127.0.0.1 unknown unknown 18->87 157 DLL side loading technique detected 18->157 signatures6 process7 signatures8 141 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->141 143 Maps a DLL or memory area into another process 21->143 145 Checks if the current machine is a virtual machine (disk enumeration) 21->145 26 explorer.exe 24 21->26 injected 147 Creates a thread in another existing process (thread injection) 24->147 process9 dnsIp10 89 95.213.144.186 SELECTELRU Russian Federation 26->89 91 141.136.0.181 NANO-ASLV Latvia 26->91 93 3 other IPs or domains 26->93 73 C:\Users\user\AppData\Roaming\tbgrvii, PE32 26->73 dropped 75 C:\Users\user\AppData\Local\Temp\6D46.exe, PE32 26->75 dropped 77 C:\Users\user\AppData\Local\Temp\55C6.exe, PE32 26->77 dropped 79 9 other files (6 malicious) 26->79 dropped 159 Benign windows process drops PE files 26->159 161 Deletes itself after installation 26->161 163 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->163 31 55C6.exe 26->31         started        36 39B0.exe 26->36         started        38 2C9F.exe 26->38         started        40 5 other processes 26->40 file11 signatures12 process13 dnsIp14 95 195.201.225.248 HETZNER-ASDE Germany 31->95 97 34.141.84.7 ATGS-MMD-ASUS United States 31->97 55 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 31->55 dropped 57 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->57 dropped 69 57 other files (none is malicious) 31->69 dropped 109 Detected unpacking (changes PE section rights) 31->109 111 Detected unpacking (overwrites its own PE header) 31->111 113 Tries to steal Mail credentials (via file access) 31->113 115 Contains functionality to steal Internet Explorer form passwords 31->115 117 Query firmware table information (likely to detect VMs) 36->117 119 Tries to detect sandboxes and other dynamic analysis tools (window names) 36->119 121 Hides threads from debuggers 36->121 123 Tries to detect sandboxes / dynamic malware analysis system (registry check) 36->123 42 conhost.exe 36->42         started        59 C:\Users\user\AppData\Local\Temp\...\l.exe, PE32 38->59 dropped 61 C:\Users\user\AppData\Local\Temp\...\c.exe, PE32 38->61 dropped 44 cmd.exe 38->44         started        99 116.202.183.50 HETZNER-ASDE Germany 40->99 101 74.114.154.22 AUTOMATTICUS Canada 40->101 63 C:\Users\user\AppData\Local\...\3BD3.exe.log, ASCII 40->63 dropped 65 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 40->65 dropped 67 C:\Users\user\AppData\...\mozglue[1].dll, PE32 40->67 dropped 71 10 other files (none is malicious) 40->71 dropped 125 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->125 127 Tries to harvest and steal browser information (history, passwords, etc) 40->127 129 Sample uses process hollowing technique 40->129 131 Tries to steal Crypto Currency Wallets 40->131 46 conhost.exe 40->46         started        file15 signatures16 process17 process18 48 l.exe 44->48         started        51 conhost.exe 44->51         started        53 c.exe 44->53         started        signatures19 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->103 105 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 48->105 107 Queries memory information (via WMI often done to detect virtual machines) 48->107
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/91634042570417ff1a70824cfb5559869a1e542d7e41d8d65aea2d51eb241411/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 17:45:13 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sfruaqsxaql76gtqqjgpwvkzq2nb4vbnpza5rvs25iwvd2zecqiq._file
Verdict:
suspicious
Similar samples:
1bf74cb8e8298fe42ed4956def3e9fce1d095a138516487b378935455223d112
Smoke Loader
49791cea301086d06bded20b092ad7154ac774997c43e85de48d36da80a8ebaa
Smoke Loader
4a1f935a5f94e5b3d7d0c79dcd01a96d69650bfeadc4a49d6548b118e82e1e16
Smoke Loader
5d2140c3ab1944f381206aa8d5c3ae0e5c2dad60751d3a2f631b1b08a810baa2
Smoke Loader
76526cd30725afafe90b7f19fbb607571ac7f827aece34bf1d1cc41c595f2a93
Smoke Loader
a3eaf45cf366908149a9143b9426bfa6c3dacca3ffb910031c2d7d65fa51fd0d
Smoke Loader
d1697994428238aced8ff24acff0b131d9737a0659a81e4a7395a746c5ce353e
Smoke Loader
d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854
Smoke Loader
fe74f3ee571f291acdaa6d0546bc16e7d5feb3ca1bd6ad1fb3c74b73483b871b
Smoke Loader
fff093b2593add9b7f59377b88e4e9586a8b728d82df197aad087d7e95615fd9
Smoke Loader
+ 742 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:loaderbot family:raccoon family:redline family:smokeloader family:vidar botnet:408 botnet:824 botnet:cd8dc1031358b1aec55cc6bc447df1018b068607 botnet:eu_bot_1 backdoor discovery evasion infostealer loader miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210729-1ef2er5y52/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
LoaderBot executable
Vidar Stealer
LoaderBot
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
https://xeronxikxxx.tumblr.com/
185.234.247.136:47666
Unpacked files
SH256 hash:
8ac5259909dbe5f2072c1806f3438f9740dbb4ba8f8f786925a643e73f58e73a
MD5 hash:
5fd3463632f363a8adcf7105209eb6ec
SHA1 hash:
0a2aa8aea269d9580ba623add2af44fea45c2714
Link:
https://www.unpac.me/results/fdf81398-b689-4c94-a4a4-2d4192a07363/
SH256 hash:
91634042570417ff1a70824cfb5559869a1e542d7e41d8d65aea2d51eb241411
MD5 hash:
6ffab37cb5acbe554336ddc05b9e7d38
SHA1 hash:
cd6a63dfdf65faa809d327bde99bfbcf93843f0d
Link:
https://www.unpac.me/results/fdf81398-b689-4c94-a4a4-2d4192a07363/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91634042570417ff1a70824cfb5559869a1e542d7e41d8d65aea2d51eb241411

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 91634042570417ff1a70824cfb5559869a1e542d7e41d8d65aea2d51eb241411

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/175127/
  
URLhaus
https://urlhaus.abuse.ch/url/1476589/
  
Delivery method
Distributed via web download

Comments