MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dc862dc3db0d49c8a439c8db97d6087c3cc82e23098ae5073eed8a994e97c76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dc862dc3db0d49c8a439c8db97d6087c3cc82e23098ae5073eed8a994e97c76
SHA3-384 hash: 11d209fde479a936d01ddc4db8a8972d848c8824a3b52fe6265122b128f13f0627d2d5210880151b06a1b46ff4a9d18b
SHA1 hash: 3d10950186f62a513aa557fffa142aa3b8989503
MD5 hash: e116101de557dc77d9fd95dc657496f8
humanhash: cup-xray-echo-nine
File name:e116101de557dc77d9fd95dc657496f8
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:329'728 bytes
First seen:2021-06-10 16:14:42 UTC
Last seen:2021-06-10 16:40:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 591c8122078772ece230ee7eeb0ddc3c (3 x RaccoonStealer, 3 x Smoke Loader, 2 x CryptBot)
ssdeep 6144:hQcXn2XNl3oAch+2Ntv2AMng20Q48QUjF55DS:ecXnwNPch+2NtO1gXQyUpS
Threatray 1'372 similar samples on MalwareBazaar
TLSH AD645C00A7A1C039F7F316F49AB55279A93E7AE16B2450CF42E51AEE57349E0EC31707
Reporter zbetcheckin
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e116101de557dc77d9fd95dc657496f8
Verdict:
Suspicious activity
Analysis date:
2021-06-10 16:18:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c0b8d39-cde5-4493-ae90-ab60b3bf1ffc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165924/
Detection(s):
SecuriteInfo.com.Troj.Kryptik-TR.17746.10562.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt to an infection source
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/800366
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
DLL reload attack detected
Found malware configuration
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 432762 Sample: MrjC4jkPL8 Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 75 Found malware configuration 2->75 77 Antivirus detection for URL or domain 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 12 other signatures 2->81 10 MrjC4jkPL8.exe 2->10         started        13 fvdeusf 2->13         started        process3 signatures4 93 DLL reload attack detected 10->93 95 Contains functionality to inject code into remote processes 10->95 97 Injects a PE file into a foreign processes 10->97 15 MrjC4jkPL8.exe 1 10->15         started        99 Machine Learning detection for dropped file 13->99 18 fvdeusf 1 13->18         started        process5 file6 115 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->115 117 Renames NTDLL to bypass HIPS 15->117 119 Maps a DLL or memory area into another process 15->119 21 explorer.exe 4 6 15->21 injected 45 C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32 18->45 dropped 121 Checks if the current machine is a virtual machine (disk enumeration) 18->121 123 Creates a thread in another existing process (thread injection) 18->123 signatures7 process8 dnsIp9 61 999080321yes1t3481-service10020125999080321.ru 21->61 63 999080321utest1341-service10020125999080321.ru 21->63 65 24 other IPs or domains 21->65 47 C:\Users\user\AppData\Roaming\fvdeusf, PE32 21->47 dropped 49 C:\Users\user\AppData\Local\Temp\33CF.exe, PE32 21->49 dropped 51 C:\Users\user\...\fvdeusf:Zone.Identifier, ASCII 21->51 dropped 83 System process connects to network (likely due to code injection or exploit) 21->83 85 Benign windows process drops PE files 21->85 87 Performs DNS queries to domains with low reputation 21->87 91 4 other signatures 21->91 26 explorer.exe 12 21->26         started        30 33CF.exe 51 21->30         started        33 System.exe 35 21->33         started        35 8 other processes 21->35 file10 89 Tries to resolve many domain names, but no domain seems valid 63->89 signatures11 process12 dnsIp13 67 999080321test51-service10020125999080321.xyz 26->67 101 System process connects to network (likely due to code injection or exploit) 26->101 103 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->103 105 Tries to steal Mail credentials (via file access) 26->105 113 2 other signatures 26->113 69 gonch11.ug 30->69 71 gonch11.ug 45.140.146.209, 21, 49751, 49752 SYNLINQsynlinqdeDE United Kingdom 30->71 73 iplogger.org 88.99.66.31, 443, 49749, 49750 HETZNER-ASDE Germany 30->73 53 C:\ProgramData\Systemd\xmrig-cuda.dll, PE32+ 30->53 dropped 55 C:\ProgramData\Microsoft Network\System.exe, PE32 30->55 dropped 57 C:\Users\user\AppData\Local\...\7zxa[1].dll, PE32 30->57 dropped 59 5 other files (none is malicious) 30->59 dropped 107 May check the online IP address of the machine 30->107 109 Machine Learning detection for dropped file 30->109 37 cmd.exe 33->37         started        39 Datahub.exe 33->39         started        file14 111 Tries to resolve many domain names, but no domain seems valid 69->111 signatures15 process16 process17 41 conhost.exe 37->41         started        43 taskkill.exe 37->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9dc862dc3db0d49c8a439c8db97d6087c3cc82e23098ae5073eed8a994e97c76/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-06-10 16:15:13 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=txegfxb5wdkjzcsdtsg3s7laq7b4zaxcgcmk4udt53mktfhjpr3a._file
Verdict:
suspicious
Similar samples:
3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60
Smoke Loader
47c4e0194d29ba8f5cee17462aa7fac391d906a405f5fc0885d802722ac878fc
Smoke Loader
4ae486d9eb1e4fb7a95b018179dd4e363cc824899ed2f8190ae0484874ffa41b
Smoke Loader
4fc37a3bc71ca1d695614e44a9867b13ae3ec30c0f0434dc2cf797772705b34e
Smoke Loader
612e83248527b731211cc4161bf7c9bf3c15c59312725ef1285902558c3ceb70
Smoke Loader
98f8b284a3271b823e12cf3f95e59b69d07f976cc0f5320c881bcdc4a36b81b1
Smoke Loader
9a980946ffc1330c3ef36e44443f43ae8d608003d349e8d7580c982eb2fa3a96
Smoke Loader
a688c4973e78911bc4d1c7dccd1e9a85c07928d9e3b56c66a89c92b3c8110eb8
Smoke Loader
b46bcadf27236d47a847bf4d96e24db984c7f61485b0eec1f97ca1e3c3ac4079
Smoke Loader
b95d90b6d5c0ec0f7230176f904512a0474580ddced1c1492043946ac5d741d4
Smoke Loader
+ 1'362 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210610-xl6v3ep1ex/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
SmokeLoader
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Unpacked files
SH256 hash:
6a14853b1504e0de00f21eb6bd2e87fb68bad887dd08661fd9f1b2937c2124a3
MD5 hash:
40505757183167a6bcec52ab7b110cc0
SHA1 hash:
0cab20ceb13f85f4ba356d446d50501dbb6f5492
Link:
https://www.unpac.me/results/883790ea-2820-41ad-a367-2eb539080ca7/
SH256 hash:
9dc862dc3db0d49c8a439c8db97d6087c3cc82e23098ae5073eed8a994e97c76
MD5 hash:
e116101de557dc77d9fd95dc657496f8
SHA1 hash:
3d10950186f62a513aa557fffa142aa3b8989503
Link:
https://www.unpac.me/results/883790ea-2820-41ad-a367-2eb539080ca7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dc862dc3db0d49c8a439c8db97d6087c3cc82e23098ae5073eed8a994e97c76

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 9dc862dc3db0d49c8a439c8db97d6087c3cc82e23098ae5073eed8a994e97c76

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1314900/
Cape
Cape
https://www.capesandbox.com/analysis/165924/

Comments