MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4b9e911a5f2f42c747161b858485001a041d5250b78bd80e80a78356797571f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4b9e911a5f2f42c747161b858485001a041d5250b78bd80e80a78356797571f
SHA3-384 hash: 2e9e4d44261adae5d1ddd634ea04610ae71ddc890a45a60f5a92fc6e8084f151ca91fd83fed889d80d84a22fe4b29e93
SHA1 hash: 9b3f1eba66f88896daa592d98a27169c4c119ac9
MD5 hash: 7ac8977b67f26ffb0f6c4b902cc5cc87
humanhash: jig-nitrogen-hotel-blossom
File name:7ac8977b67f26ffb0f6c4b902cc5cc87.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:179'200 bytes
First seen:2021-10-12 12:05:09 UTC
Last seen:2021-10-12 13:03:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a3d3c102ccd598a84c1f646602841228 (1 x Smoke Loader, 1 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 3072:rNlOrDKxXYpi687592GYwwPRgoS9D98aShyuyOGrJWCc3E:rWrDKRHh7WRdZgVx98aC27oE
Threatray 2'232 similar samples on MalwareBazaar
TLSH T1B804BF10B7E1C432C8A715705968CBB21A7BB821767081FB776F3A7EEE502C05B7536A
File icon (PE):PE icon
dhash icon 83bcdcac9cccb484 (2 x RedLineStealer, 2 x RaccoonStealer, 1 x ArkeiStealer)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7ac8977b67f26ffb0f6c4b902cc5cc87.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-12 12:10:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/96aeefdb-28bf-4096-ade6-ce7dfba4d7b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zeus
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196924/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.13763.12275.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bd1a0e5-cc29-498b-b455-6b5a3c4fa9b7
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868622
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 501047 Sample: jtht8EV6uw.exe Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 89 190.2.136.29, 3279, 49851 WORLDSTREAMNL Curacao 2->89 91 microsoft-com.mail.protection.outlook.com 40.93.207.1, 25, 49831, 49884 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->91 93 2 other IPs or domains 2->93 123 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->123 125 Antivirus detection for URL or domain 2->125 127 System process connects to network (likely due to code injection or exploit) 2->127 129 15 other signatures 2->129 11 jtht8EV6uw.exe 2->11         started        14 vuvthuv 2->14         started        16 svchost.exe 1 2->16         started        signatures3 process4 signatures5 147 Detected unpacking (changes PE section rights) 11->147 18 jtht8EV6uw.exe 11->18         started        21 vuvthuv 14->21         started        process6 signatures7 115 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->115 117 Maps a DLL or memory area into another process 18->117 119 Checks if the current machine is a virtual machine (disk enumeration) 18->119 23 explorer.exe 14 18->23 injected 121 Creates a thread in another existing process (thread injection) 21->121 process8 dnsIp9 95 192.162.246.70, 49794, 80 DATACHEAP-LLC-ASRU Russian Federation 23->95 97 iselaharty12.club 91.224.22.228, 49781, 49782, 49783 AS-REGRU Russian Federation 23->97 99 2 other IPs or domains 23->99 61 C:\Users\user\AppData\Roaming\vuvthuv, PE32 23->61 dropped 63 C:\Users\user\AppData\Local\TempBF.exe, PE32 23->63 dropped 65 C:\Users\user\AppData\Local\Temp\D4D3.exe, PE32 23->65 dropped 67 5 other malicious files 23->67 dropped 139 System process connects to network (likely due to code injection or exploit) 23->139 141 Benign windows process drops PE files 23->141 143 Deletes itself after installation 23->143 145 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->145 28 1DD.exe 80 23->28         started        33 2A23.exe 23->33         started        35 EBF.exe 23->35         started        37 2 other processes 23->37 file10 signatures11 process12 dnsIp13 101 5.181.156.229, 49826, 80 MIVOCLOUDMD Moldova Republic of 28->101 103 tgmirror.top 172.67.215.104, 49824, 80 CLOUDFLARENETUS United States 28->103 113 2 other IPs or domains 28->113 71 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 28->71 dropped 73 C:\Users\user\AppData\...\vcruntime140.dll, PE32 28->73 dropped 75 C:\Users\user\AppData\...\ucrtbase.dll, PE32 28->75 dropped 85 56 other files (none is malicious) 28->85 dropped 149 Detected unpacking (changes PE section rights) 28->149 151 Detected unpacking (overwrites its own PE header) 28->151 153 Tries to steal Mail credentials (via file access) 28->153 155 Contains functionality to steal Internet Explorer form passwords 28->155 157 Contains functionality to inject code into remote processes 33->157 159 Injects a PE file into a foreign processes 33->159 39 2A23.exe 33->39         started        105 mas.to 88.99.75.82, 443, 49829 HETZNER-ASDE Germany 35->105 107 65.108.80.190, 49832, 80 ALABANZA-BALTUS United States 35->107 77 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 35->77 dropped 79 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 35->79 dropped 81 C:\Users\user\AppData\...\mozglue[1].dll, PE32 35->81 dropped 87 9 other files (none is malicious) 35->87 dropped 161 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->161 163 Tries to harvest and steal browser information (history, passwords, etc) 35->163 165 Tries to steal Crypto Currency Wallets 35->165 109 zbv.ckauni.ru 81.177.141.85, 443, 49856, 49885 RTCOMM-ASRU Russian Federation 37->109 111 45.9.20.149, 10844, 49842 DEDIPATH-LLCUS Russian Federation 37->111 83 C:\Users\user\AppData\Local\...\seqyyjyg.exe, PE32 37->83 dropped 167 Query firmware table information (likely to detect VMs) 37->167 169 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->169 171 Uses netsh to modify the Windows network and firewall settings 37->171 173 3 other signatures 37->173 42 cmd.exe 37->42         started        45 cmd.exe 2 37->45         started        47 sc.exe 37->47         started        49 4 other processes 37->49 file14 signatures15 process16 file17 131 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->131 133 Maps a DLL or memory area into another process 39->133 135 Checks if the current machine is a virtual machine (disk enumeration) 39->135 137 Creates a thread in another existing process (thread injection) 39->137 69 C:\Windows\SysWOW64\...\seqyyjyg.exe (copy), PE32 42->69 dropped 51 conhost.exe 42->51         started        53 conhost.exe 45->53         started        55 conhost.exe 47->55         started        57 conhost.exe 49->57         started        59 conhost.exe 49->59         started        signatures18 process19
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a4b9e911a5f2f42c747161b858485001a041d5250b78bd80e80a78356797571f/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 12:05:15 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=us46senf6l2cy5drmg4fqscqagqedvjfbn4l3ahibj4dkz4xk4pq._file
Verdict:
malicious
Similar samples:
1561d6849d0b3394ab23968ba921e3c9af313ecf90cf2911b64889536c080dd4
Smoke Loader
323a27a7f2a664921d46c965f0c8d5977fb6c8fce20ba04e208c2945b7abdbba
Smoke Loader
49ad4fd1bd40286214edaee6edfa7ce8915b6bbd39758a4a93175f48626a478b
Smoke Loader
4eb02a90be27af84c49a2f62da8e179e5117d82db4e25c7a2c80e2954583bdb3
Smoke Loader
63f6a92084e81e72720f6160287e6766e2214f489d11142a9668925c6c4616f2
Smoke Loader
8aeed198ba750585012a7dd45e68609523aebbb395c54e793ae69aa673b91774
Smoke Loader
8b59d8f1ea4fb412eb2064b4243c6f2dcc4efd26b78e3eae92c9daf6f6a70b7b
Smoke Loader
9535b07e3af3a051c0de3169f11aed4e5f7dd52d651e739f16db250bc631def5
Smoke Loader
9bec2f9c52d746d49dffd22fc0cf217c87970b85d7fb4e19e908edc0eb48c16a
Smoke Loader
d6d09e51d2e7eb9f29b4ee44530696f893ba14a7c1d119cb8f1e41cd7861eaa6
Smoke Loader
+ 2'222 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:1033 botnet:159 botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 botnet:fbe5e97e7d069407605ee9138022aa82166657e6 backdoor collection discovery evasion infostealer miner persistence spyware stealer suricata themida trojan upx vmprotect
Link:
https://tria.ge/reports/211012-n89ppaccap/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies RDP port number used by Windows
Modifies Windows Firewall
Sets DLL path for service in the registry
Sets service image path in registry
UPX packed file
VMProtect packed file
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
xmrig
Malware Config
C2 Extraction:
http://linavanandr11.club/
http://iselaharty12.club/
http://giovaninardo13.club/
http://zayneliann14.club/
http://zorinosali15.club/
defeatwax.ru
refabyd.info
https://mas.to/@oleg98
190.2.136.29:3279
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Unpacked files
SH256 hash:
44d561fa45b325317126cacc8ebdb223235f76b34e0ed76dd50e7b0710d62a8d
MD5 hash:
f41ebae062405a696d868198d645f6d6
SHA1 hash:
17dac108dc94c7493289ff6a53fb96b3682af20a
Link:
https://www.unpac.me/results/46f36401-8a00-4a83-bb76-6c6365831547/
SH256 hash:
a4b9e911a5f2f42c747161b858485001a041d5250b78bd80e80a78356797571f
MD5 hash:
7ac8977b67f26ffb0f6c4b902cc5cc87
SHA1 hash:
9b3f1eba66f88896daa592d98a27169c4c119ac9
Link:
https://www.unpac.me/results/46f36401-8a00-4a83-bb76-6c6365831547/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a4b9e911a5f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4b9e911a5f2f42c747161b858485001a041d5250b78bd80e80a78356797571f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe a4b9e911a5f2f42c747161b858485001a041d5250b78bd80e80a78356797571f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1669848/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1660824/
Cape
Cape
https://www.capesandbox.com/analysis/196924/

Comments