MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e
SHA3-384 hash: 476f89113cf7a5b109d63cf55b694a5f30cdd8576d9ad022539332eaa8bbb5ab256bea34b69b9c8e4a96bdf28efad508
SHA1 hash: b76262d0b04a555f9ddbef1e3f8a99fe8bf50f5f
MD5 hash: bfa14859432cc51e9f8a9b632dc38713
humanhash: idaho-indigo-comet-pasta
File name:bfa14859432cc51e9f8a9b632dc38713.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:309'760 bytes
First seen:2021-08-11 06:45:37 UTC
Last seen:2021-08-11 07:57:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e3cf60b4d5be6f57956398dd6440990e (3 x Glupteba, 2 x DanaBot, 2 x Smoke Loader)
ssdeep 6144:aZnWXhSZxnTlV+W0OcEkTiUDeDN3ym5+l+IF/KBmWHNF3D:TXh+JiW0OcBiOeD8nZMBmW/
Threatray 15 similar samples on MalwareBazaar
TLSH T1FB649D30AB90C034F5B712F885B693B9A92D3EB15B3450CF52E527EE46346E4AD31787
dhash icon 60e8e8e8aa66a499 (24 x RaccoonStealer, 14 x RedLineStealer, 7 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bfa14859432cc51e9f8a9b632dc38713.exe
Verdict:
No threats detected
Analysis date:
2021-08-11 06:47:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d9d34a87-a1b9-4b07-866f-2b3d390d22fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178111/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.59627.27823.27930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Creating a process from a recently created file
Connection attempt
Sending an HTTP POST request
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9fb34c9-98f5-423f-b746-53b0b474f4d3
Result
Threat name:
Clipboard Hijacker Raccoon RedLine Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830656
Signature
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 463083 Sample: xXU1x0xizP.exe Startdate: 11/08/2021 Architecture: WINDOWS Score: 100 97 Multi AV Scanner detection for domain / URL 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 Yara detected RedLine Stealer 2->101 103 12 other signatures 2->103 9 xXU1x0xizP.exe 2->9         started        12 jabrhsb 2->12         started        14 jabrhsb 2->14         started        process3 signatures4 129 Detected unpacking (changes PE section rights) 9->129 131 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->131 133 Maps a DLL or memory area into another process 9->133 16 explorer.exe 4 9->16 injected 135 Checks if the current machine is a virtual machine (disk enumeration) 12->135 137 Creates a thread in another existing process (thread injection) 12->137 process5 dnsIp6 69 185.212.47.193, 49746, 49794, 80 SERVINGADE Sweden 16->69 71 37.120.239.108, 80 SECURE-DATA-ASRO Romania 16->71 73 5 other IPs or domains 16->73 49 C:\Users\user\AppData\Roaming\jabrhsb, PE32 16->49 dropped 51 C:\Users\user\AppData\Local\Temp\D8F6.exe, PE32 16->51 dropped 53 C:\Users\user\...\jabrhsb:Zone.Identifier, ASCII 16->53 dropped 105 System process connects to network (likely due to code injection or exploit) 16->105 107 Benign windows process drops PE files 16->107 109 Deletes itself after installation 16->109 111 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->111 21 EE63.exe 2 4 16->21         started        25 DEF0.exe 82 16->25         started        28 CB67.exe 2 16->28         started        30 2 other processes 16->30 file7 signatures8 process9 dnsIp10 57 C:\ProgramData\...\33A2E4F0.exe, PE32 21->57 dropped 113 Detected unpacking (changes PE section rights) 21->113 115 Detected unpacking (overwrites its own PE header) 21->115 117 Creates autostart registry keys with suspicious names 21->117 32 33A2E4F0.exe 21->32         started        77 gmailservice7911.com 91.243.45.85, 49801, 80 SHOCK-1US Russian Federation 25->77 79 74.119.195.134, 49797, 80 MOVECLICKLLCUS United States 25->79 81 telete.in 195.201.225.248, 443, 49796 HETZNER-ASDE Germany 25->81 59 C:\Users\user\AppData\...\2DSRdz8tDk.exe, PE32 25->59 dropped 61 C:\Users\user\AppData\...\vcruntime140.dll, PE32 25->61 dropped 63 C:\Users\user\AppData\...\ucrtbase.dll, PE32 25->63 dropped 67 57 other files (none is malicious) 25->67 dropped 119 Tries to steal Mail credentials (via file access) 25->119 121 Tries to harvest and steal browser information (history, passwords, etc) 25->121 36 2DSRdz8tDk.exe 25->36         started        39 cmd.exe 25->39         started        65 C:\ProgramData\Runtimebroker.exe, PE32 28->65 dropped 41 Runtimebroker.exe 28->41         started        83 185.215.113.114, 49778, 49785, 49786 WHOLESALECONNECTIONSNL Portugal 30->83 85 api.ip.sb 30->85 123 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->123 125 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 30->125 127 Tries to steal Crypto Currency Wallets 30->127 file11 signatures12 process13 dnsIp14 75 ebanat6977769.com 8.209.79.46, 49800, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 32->75 87 Detected unpacking (changes PE section rights) 32->87 89 Detected unpacking (overwrites its own PE header) 32->89 91 Machine Learning detection for dropped file 32->91 95 3 other signatures 32->95 43 lsass.exe 32->43 injected 55 C:\Users\user\AppData\Roaming\...\sqlcmd.exe, PE32 36->55 dropped 93 Uses schtasks.exe or at.exe to add and modify task schedules 36->93 45 schtasks.exe 36->45         started        47 conhost.exe 39->47         started        file15 signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 16:19:28 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0ffddce470010278a1e5545d5c616def34d6c4b21ac1152a11de5aa48792fb77
Smoke Loader
26e94627a3abe752072319b8eca4f68029a27090f89de5b92d4f700fc0f4f0b2
Smoke Loader
2b88445b22f246b0fa92c00163a8d35f2dfb416bbbd80cbdf99a28be7d775ae0
Smoke Loader
3221c7c857b80fab3818cf1ea9435cef9626d84bd308d7a365e4e5089e5ef413
Smoke Loader
4df83e858a2d52987f6e9b8afcde20643ee1cd106089e412e25b1df186a57b29
Smoke Loader
640df13e7605d0fd539eaac1474643d4e6ab2f3519cab2450f9b755778dfac6e
Smoke Loader
a8647cfb02a8b8c077fb4285357c29f58afb1a8ffff6da199e6a3887030869fd
Smoke Loader
ddde937fc1cac25ab3c8e7b91b4f074f8eadf1d39ca93c88be816441ee58ff41
Smoke Loader
+ 5 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:83fbe81dd43f775dd8af3cd619f88f428fbd9a96 botnet:sewpalpadin backdoor discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/210811-e18r98zd86/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.114:8887
Dropper Extraction:
http://91.241.19.52/Api/GetFile2
Unpacked files
SH256 hash:
18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2
MD5 hash:
f2fecf6872ad4c61a3a506159fddd4fc
SHA1 hash:
28e039eb96dcf58841992280c66433a2bbab8e84
Link:
https://www.unpac.me/results/5f875630-5a2b-4649-be10-f50ddc963a22/
SH256 hash:
940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e
MD5 hash:
bfa14859432cc51e9f8a9b632dc38713
SHA1 hash:
b76262d0b04a555f9ddbef1e3f8a99fe8bf50f5f
Link:
https://www.unpac.me/results/5f875630-5a2b-4649-be10-f50ddc963a22/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1517716/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/178111/

Comments