MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d213a0d0a6afd219629b917c20e53c97443b21b2ce41574d5316720ee2793a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d213a0d0a6afd219629b917c20e53c97443b21b2ce41574d5316720ee2793a2
SHA3-384 hash: 162ca942762f1a4226c40d0c90fc1806d4b3b29e8df9ead6a64ff4a3ee736b3d83605cdce100cb0211f1eac52b8bbf80
SHA1 hash: 450fe690909703389354fda87dc06775dd7c0b0c
MD5 hash: d4e8cb2c2757668aa95e281a22c52cef
humanhash: earth-five-earth-hawaii
File name:dx13.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:2'953'632 bytes
First seen:2022-03-24 18:07:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:UbA30Z/Scrx0pUg3VyYEcz/Fm4Az+sgKJrznpojKYCITo3I98LyWsVwkvpD+:UbNx7glG94Az+sJrDpojKYCH49Cw2kvk
Threatray 11'274 similar samples on MalwareBazaar
TLSH T1CAD52312B6C198B1D2A209319E789B08263DBC241F198EEFB3F4166EDD750D0DA35B37
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter adm1n_usa32
Tags:exe Smoke Loader Socelars

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
dx13.exe
Verdict:
Malicious activity
Analysis date:
2022-03-24 18:10:15 UTC
Tags:
evasion socelars stealer trojan
Link:
https://app.any.run/tasks/7a44c33b-3cc4-400a-a313-7d1a15ea4aea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fabookie
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257272/
Detection(s):
Win.Packed.Bulz-9840169-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Creating a file in the Program Files directory
Creating a file in the %temp% directory
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Reading critical registry keys
Searching for the browser window
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11179/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
facebook glupteba greyware makop overlay packed setupapi.dll shdocvw.dll shell32.dll smokeloader socelars update.exe
Link:
https://www.filescan.io/uploads/623cb387dfdfa8501cda1fd7/reports/eb0010df-b3c8-4061-b0f1-e6e5af540156/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/562700a5-e1ce-4652-802d-945abcdd83a2
Result
Threat name:
Nitol SmokeLoader Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964175
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
DLL reload attack detected
Drops PE files to the document folder of the user
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets debug register (to hijack the execution of another thread)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Nitol
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 596658 Sample: dx13.exe Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 75 45.15.143.191 DEDIPATH-LLCUS Latvia 2->75 77 iplogger.org 2->77 101 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->101 103 Malicious sample detected (through community Yara rule) 2->103 105 Antivirus detection for URL or domain 2->105 107 11 other signatures 2->107 10 dx13.exe 1 27 2->10         started        signatures3 process4 file5 49 C:\Users\user\Desktop\pub2.exe, PE32 10->49 dropped 51 C:\Users\user\Desktop\jg4_4jaa.exe, PE32 10->51 dropped 53 C:\Users\user\Desktop\clpdi.exe, PE32 10->53 dropped 55 4 other files (1 malicious) 10->55 dropped 13 clpdi.exe 10->13         started        18 wf-game.exe 5 10->18         started        20 pub2.exe 10->20         started        22 5 other processes 10->22 process6 dnsIp7 87 jaishomo.info 13->87 89 iplogger.org 13->89 95 7 other IPs or domains 13->95 57 C:\Users\...\uokNE6MXNTFnIQ0n9eohD2ob.exe, PE32 13->57 dropped 59 C:\Users\...\qaXl3ZC8BjD7SyzElFAvRh0z.exe, PE32 13->59 dropped 61 C:\Users\...\pEe9a9eeyR09CMppefEDeqC4.exe, PE32 13->61 dropped 71 15 other files (12 malicious) 13->71 dropped 129 Drops PE files to the document folder of the user 13->129 131 Performs DNS queries to domains with low reputation 13->131 133 Creates multiple autostart registry keys 13->133 145 3 other signatures 13->145 24 RegAsm.exe 13->24         started        26 RegAsm.exe 13->26         started        28 RegAsm.exe 13->28         started        40 3 other processes 13->40 73 3 other files (1 malicious) 18->73 dropped 30 rundll32.exe 18->30         started        63 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 20->63 dropped 135 DLL reload attack detected 20->135 137 Renames NTDLL to bypass HIPS 20->137 139 Maps a DLL or memory area into another process 20->139 141 Checks if the current machine is a virtual machine (disk enumeration) 20->141 91 101.36.107.74, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 22->91 93 ip-api.com 208.95.112.1, 49794, 80 TUT-ASUS United States 22->93 97 8 other IPs or domains 22->97 65 C:\Users\user\Documents\...\jg4_4jaa.exe, PE32 22->65 dropped 67 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 22->67 dropped 69 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 22->69 dropped 33 jfiag3g_gg.exe 22->33         started        35 chrome.exe 22->35         started        38 WerFault.exe 22->38         started        file8 143 Connects to a pastebin service (likely for C&C) 89->143 signatures9 process10 dnsIp11 115 Contains functionality to infect the boot sector 30->115 117 Contains functionality to inject threads in other processes 30->117 119 Contains functionality to inject code into remote processes 30->119 125 5 other signatures 30->125 42 svchost.exe 30->42 injected 121 Multi AV Scanner detection for dropped file 33->121 123 Tries to harvest and steal browser information (history, passwords, etc) 33->123 79 iplogger.org 148.251.234.83, 443, 49765, 49770 HETZNER-ASDE Germany 35->79 81 clients.l.google.com 142.250.185.110, 443, 49763, 49768 GOOGLEUS United States 35->81 85 6 other IPs or domains 35->85 83 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 38->83 signatures12 process13 signatures14 109 System process connects to network (likely due to code injection or exploit) 42->109 111 Sets debug register (to hijack the execution of another thread) 42->111 113 Modifies the context of a thread in another process (thread injection) 42->113 45 svchost.exe 42->45         started        process15 dnsIp16 99 facebook.websmails.com 204.11.56.48 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 45->99 127 Query firmware table information (likely to detect VMs) 45->127 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d213a0d0a6afd219629b917c20e53c97443b21b2ce41574d5316720ee2793a2/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2021-04-11 00:46:48 UTC
File Type:
PE (Exe)
Extracted files:
175
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2d1d2cd3f3cbce923d3db88aa44212210da57e9e032e2ff4a1766fe51ff1255e
Smoke Loader
962793c4decea8dd718bd96ccc4209ce744414a62e4afb93c79db64df4b792e2
Smoke Loader
b01b61c911a3b80d4f265e4915f9d62275efa34f84989f77be142f3f9e062f9b
Smoke Loader
b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865
Smoke Loader
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
Smoke Loader
ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549
Smoke Loader
fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
Smoke Loader
+ 11'264 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:socelars backdoor evasion persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/220324-wqxamscde5/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://www.fddnice.pw/
http://www.sokoinfo.pw/
http://www.zzhlike.pw/
http://www.wygexde.xyz/
http://perseus007.xyz/upload/
http://lambos1.xyz/upload/
http://cipluks.com/upload/
http://ragnar77.com/upload/
http://aslauk.com/upload/
http://qunersoo.xyz/upload /
http://hostunes.info/upload/
http://leonisdas.xyz/upload/
Unpacked files
SH256 hash:
f2192db8bd4c494a5188480e90ccb75252ede37020256d706b7a779954fde918
MD5 hash:
a02078be244403d79c262a3880d55529
SHA1 hash:
cc5f5cff00e7ac0dd8a69043aa9acc0beaefc367
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash:
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash:
b968c57a14ddada4128356f6e39fb66c6d864d3f
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash:
4de4b7bc0a92902422c4204fcfa58150
SHA1 hash:
587e0299ea32cc836281998941daa60f471e3480
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash:
7165e9d7456520d1f1644aa26da7c423
SHA1 hash:
177f9116229a021e24f80c4059999c4c52f9e830
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
bf5b31063ae254fad48cb5d152cbd103f3b5039db0452bd734fa125955778ceb
MD5 hash:
7b42af79b6a0b1cea631b65d06f5b0f9
SHA1 hash:
5d56e95b6977e7adf9c68038eeb46e61469c43db
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
fbf00683cc2e16d0206aa30c805d60dff3156082d4613a77e195a96efd086710
MD5 hash:
6c40c4289bbb0aec17c2b1924188fa10
SHA1 hash:
ac171ad414b296933ec7d58a06495354d24b2557
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
2cfd1896c2729c539ebc4b9c98407f2b4023be2ec6a1c926ee736fd6ff4fd302
MD5 hash:
a9634568e90ce162f55442f1282c8fca
SHA1 hash:
4ce55c3b80d1d3955fc589b3486cad9d0bbf815d
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
39ed68982fd0243c6e50b57162182e415b85871e4a83f764f607a1b64e587d04
MD5 hash:
eca4350cdab1176e63fea22f9597e821
SHA1 hash:
c0110a45cdbc0012122eb970a4680e0b303444cd
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
4b4f8c66c33cb40092685ed618b87f0eec557d6beb86b4907cfb2311d0a95a1f
MD5 hash:
566585a275aab4b39ecd5a559adc0261
SHA1 hash:
8f63401f6fd12666c6d40545eab325ed981ed565
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
b1396125353ad6357bf1eb7f606c930deb1dc99c3ca1c94ec374474640486b4e
MD5 hash:
5b18d9d1fecdd00f8afa1fe1a6a5892e
SHA1 hash:
26d45ab126633d94e6fde25cab6f8f4f180207ef
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
b6972585b8ab83a7b0dd651e191c169c06a67205059636a7787da1cd2df0a23e
MD5 hash:
d5ee13a118711a18444d4e8931c21bee
SHA1 hash:
54d9940c84cc13c3cb4813ed4b98cfa2f6c3da0e
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
07173f360bfc859985d0737e7f7288bd0774d705626396e77aaf862e7114187e
MD5 hash:
8e419990a6fbfdf725856156c8e8d495
SHA1 hash:
c2e7bec6ef5f078e72bae672bf9e984d7a91192e
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
816b3cb72c986209b69ff867c282b2d5a87d179704daa0e53cb8a9879ef1a62d
MD5 hash:
ecb50727932e9dc0094302fe7481775e
SHA1 hash:
adf0d75fcb7fa9d32818b657dd49154f24632c4d
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
Parent samples :
9d213a0d0a6afd219629b917c20e53c97443b21b2ce41574d5316720ee2793a2
9631d8bd74d4a0384cae4396e9b0fa5f5898496028e24a274f3d571ce5c22b3a
SH256 hash:
bb4ebdf4f04b804d730117bf33cec6aeaa9c09a76de71f860d5299e0bf1f458a
MD5 hash:
d768aeb5135b3244da5a39834893a197
SHA1 hash:
fe3acd5476a3150dd474cd975093d645220f7912
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
SH256 hash:
9d213a0d0a6afd219629b917c20e53c97443b21b2ce41574d5316720ee2793a2
MD5 hash:
d4e8cb2c2757668aa95e281a22c52cef
SHA1 hash:
450fe690909703389354fda87dc06775dd7c0b0c
Link:
https://www.unpac.me/results/bd5e3757-f29d-425d-a5ba-30d0b80983db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d213a0d0a6afd219629b917c20e53c97443b21b2ce41574d5316720ee2793a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_Fabookie
Create hunting rule
Author:ditekSHen
Description:Detects Fabookie / ElysiumStealer
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/257272/

Comments


Avatar
Adm1n 32 USA commented on 2022-03-24 18:13:26 UTC

https://app.any.run/tasks/7a44c33b-3cc4-400a-a313-7d1a15ea4aea