MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7
SHA3-384 hash: 601bdeeafb14fc81767e9296ec33bee0e1265712b749c8f480427832de0d65d9455a35fd190338313f85d09cbb8e8f1d
SHA1 hash: 3925c38ed07b358cd0cc33c975980044f6ea1f46
MD5 hash: bdb7c1353b38806b655e190e0749d943
humanhash: carpet-lithium-video-foxtrot
File name:bdb7c1353b38806b655e190e0749d943.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:215'552 bytes
First seen:2021-09-04 09:56:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 06fbc87344400a3722a88a2791d1fe43 (2 x Glupteba, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep 3072:gdrZRiqLBc04FCVibH3Q/5D9ENPGtwDYTByWcLsF2Bmq:gdr/rL6lFCsX6MGt7TBy7mq
Threatray 3'712 similar samples on MalwareBazaar
TLSH T1B6249CE07BA0D533C4A5C53044268EA46A3EBEB198604587B6743E1F1EB27D0A623F5F
dhash icon b27e7c7d767e6e76 (3 x RaccoonStealer, 3 x RedLineStealer, 2 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
884
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bdb7c1353b38806b655e190e0749d943.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-04 09:58:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/33f94c4c-e3ed-4e54-b812-799b78e5514a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185286/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.6872.26462.31555.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt to an infection source
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Deleting a recently created file
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76353e31-b562-414b-b89c-89c8a370b0b3
Result
Threat name:
Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845209
Signature
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477636 Sample: 8zr0vnWxRZ.exe Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected SmokeLoader 2->73 75 Yara detected RedLine Stealer 2->75 77 7 other signatures 2->77 9 8zr0vnWxRZ.exe 2->9         started        12 cihrdew 2->12         started        process3 signatures4 87 Detected unpacking (changes PE section rights) 9->87 14 8zr0vnWxRZ.exe 9->14         started        89 Contains functionality to inject code into remote processes 12->89 91 Injects a PE file into a foreign processes 12->91 17 cihrdew 12->17         started        process5 signatures6 111 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->111 113 Maps a DLL or memory area into another process 14->113 115 Checks if the current machine is a virtual machine (disk enumeration) 14->115 19 explorer.exe 11 14->19 injected 117 Creates a thread in another existing process (thread injection) 17->117 process7 dnsIp8 53 192.162.246.70, 49727, 80 DATACHEAP-LLC-ASRU Russian Federation 19->53 55 fioajfoiarjfoi1.xyz 94.140.112.59, 49714, 80 TELEMACHBroadbandAccessCarrierServicesSI Latvia 19->55 57 5 other IPs or domains 19->57 37 C:\Users\user\AppData\Roaming\cihrdew, PE32 19->37 dropped 39 C:\Users\user\AppData\Local\Temp\3ACD.exe, PE32 19->39 dropped 41 C:\Users\user\AppData\Local\Temp\2A03.exe, PE32 19->41 dropped 43 3 other files (2 malicious) 19->43 dropped 79 System process connects to network (likely due to code injection or exploit) 19->79 81 Benign windows process drops PE files 19->81 83 Performs DNS queries to domains with low reputation 19->83 85 2 other signatures 19->85 24 2A03.exe 14 3 19->24         started        28 2643.exe 80 19->28         started        31 3ACD.exe 15 32 19->31         started        33 1EA0.exe 19->33         started        file9 signatures10 process11 dnsIp12 59 45.67.231.145, 10991, 49755 SERVERIUS-ASNL Moldova Republic of 24->59 61 api.ip.sb 24->61 93 Detected unpacking (changes PE section rights) 24->93 95 Query firmware table information (likely to detect VMs) 24->95 97 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->97 109 3 other signatures 24->109 35 conhost.exe 24->35         started        63 94.158.245.24, 49753, 80 MIVOCLOUDMD Moldova Republic of 28->63 65 telete.in 195.201.225.248, 443, 49728 HETZNER-ASDE Germany 28->65 45 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 28->45 dropped 47 C:\Users\user\AppData\...\vcruntime140.dll, PE32 28->47 dropped 49 C:\Users\user\AppData\...\ucrtbase.dll, PE32 28->49 dropped 51 56 other files (none is malicious) 28->51 dropped 99 Tries to steal Mail credentials (via file access) 28->99 101 Contains functionality to steal Internet Explorer form passwords 28->101 67 77.232.38.196, 49754, 59743 EUT-ASEUTIPNetworkRU Russian Federation 31->67 69 api.ip.sb 31->69 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->103 105 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->105 107 Tries to harvest and steal browser information (history, passwords, etc) 31->107 file13 signatures14 process15
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 21:40:17 UTC
AV detection:
15 of 43 (34.88%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t7bksudh352uxox5qyhiupk3lca24cl74ed2574g2skfqmh4xotq._file
Verdict:
malicious
Similar samples:
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
Smoke Loader
4d62b51a9ec8a8f5a1dfc47a82789d8e5d6bb7f02573cee7b0d38f52672b8f79
Smoke Loader
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
Smoke Loader
a30aa51bc0554b2dedf5f0a7f29219ad301a97b5e6e4215f42973bb010345d3c
Smoke Loader
b2dadf77d0f5917ce225ee0b177e4d5deb626a81ce33815f176d915ea21ba159
Smoke Loader
c8777532804b7439c5c45f731d2af0c4ec4a4978125a632334298cad647b681f
Smoke Loader
f7acfb1b9fdc202e087cb430997d14564ecb55cb516305bc5aa6056688c6de3f
Smoke Loader
fe5c6f5e168f59382dd4fa29158156c0d917f2e15035dfe3b38043c6327f0c24
Smoke Loader
febd6a80d04be7900fb4611d98839d6a1fc4deb43cfa0378b4c79de96320275e
Smoke Loader
+ 3'702 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:ytoobe backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210904-lyc7mahccr/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://fioajfoiarjfoi1.xyz/
http://rdukhnihioh2.xyz/
http://sdfghjklemm3.xyz/
http://eruiopijhgnn4.xyz/
http://igbyugfwbwb5.xyz/
http://shfuhfuwhhc6.xyz/
http://ersyglhjkuij7.xyz/
http://ygyguguuju8.store/
http://resbkjpokfct9.store/
http://sdfygfygu10.store/
http://hbibhibihnj11.store/
http://vfwlkjhbghg12.store/
http://poiuytrcvb13.store/
http://xsedfgtbh14.store/
http://iknhyghggh15.store/
http://wnlonevkiju16.site/
http://gfyufuhhihioh17.site/
http://nsgiuwrevi18.site/
http://oiureveiuv19.site/
http://ovrnevnriuen20.site/
http://apowkfeeifin21.site/
http://mewmofinoine22.site/
http://iefhuiehruiu23.site/
http://vjrnnvinerovn24.club/
http://roimvnnvwniov25.club/
http://fwenmfioewnjo26.club/
http://ewoijioewoif27.club/
http://fwjenfuihew28.club/
http://fwkejnfuiewn29.club/
http://fwkjenfuewnh30.club/
77.232.38.196:59743
Unpacked files
SH256 hash:
560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b
MD5 hash:
e369a4ae59ce3b82b5ed8054f0597341
SHA1 hash:
cd3518495e662b758e3b72b6bfc409a4fdfcc0df
Link:
https://www.unpac.me/results/0c550db7-1e4a-481f-b372-9eb51eaefe9f/
SH256 hash:
9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7
MD5 hash:
bdb7c1353b38806b655e190e0749d943
SHA1 hash:
3925c38ed07b358cd0cc33c975980044f6ea1f46
Link:
https://www.unpac.me/results/0c550db7-1e4a-481f-b372-9eb51eaefe9f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9fc2a95067df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185286/

Comments