MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6ea6406da66ddd3123cd438e60cf953d5476fc9201834717d21d9faa92c2f90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6ea6406da66ddd3123cd438e60cf953d5476fc9201834717d21d9faa92c2f90
SHA3-384 hash: 3baf3e229d2acca9e6adfd17c3c6b3ee05cafdb86d0d6ec051bef5d2da846c7dc6f6afbabccba05db71d75fc66d0290e
SHA1 hash: bb1c65213310d73e7fe6b780c0f4f4459fb71d26
MD5 hash: c5401e1bb35d1b357e92c7d811d21796
humanhash: nineteen-mango-floor-finch
File name:c5401e1bb35d1b357e92c7d811d21796
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:1'123'328 bytes
First seen:2021-12-03 15:29:12 UTC
Last seen:2021-12-03 18:33:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 67fd2baa77376c82dfb0c8f4177239b1 (2 x RedLineStealer, 2 x Smoke Loader, 1 x Loki)
ssdeep 24576:ZEd+RULwCzVwRI3mqB1mt/dVEHd8lev27y7pVmrT9e:ZEgULwCzVwRgmquEdAC+ov
Threatray 6'949 similar samples on MalwareBazaar
TLSH T1B8350200B7A0D034F4BB27F8457AA365A13F3AA16B7491CB61E166FA5B385D0EC7074B
File icon (PE):PE icon
dhash icon 80f0b8c4cee6eece (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c5401e1bb35d1b357e92c7d811d21796
Verdict:
Suspicious activity
Analysis date:
2021-12-03 15:31:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c6749a72-a21d-4c23-a655-e047e9551ad0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211067/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.60679.27797.18577.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Launching a process
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a system process
Stealing user critical data
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/670/overview
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer glupteba greyware packed
Link:
https://www.filescan.io/uploads/61aa37ff4d8e6f3a5e0d7451/reports/accc3645-cc69-4ab4-be3d-512509f90e4a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e752522-799a-4187-9e33-eda922e21ca5
Result
Threat name:
Raccoon SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900950
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 533428 Sample: 6I49igNu9M Startdate: 03/12/2021 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Found malware configuration 2->60 62 Antivirus detection for URL or domain 2->62 64 5 other signatures 2->64 8 6I49igNu9M.exe 2->8         started        11 udgjsic 2->11         started        process3 signatures4 74 Detected unpacking (changes PE section rights) 8->74 76 Detected unpacking (overwrites its own PE header) 8->76 78 May check the online IP address of the machine 8->78 80 3 other signatures 8->80 13 6I49igNu9M.exe 8->13         started        16 6I49igNu9M.exe 83 8->16         started        process5 dnsIp6 90 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->90 92 Maps a DLL or memory area into another process 13->92 94 Checks if the current machine is a virtual machine (disk enumeration) 13->94 96 Creates a thread in another existing process (thread injection) 13->96 20 explorer.exe 3 13->20 injected 50 91.219.236.207, 49714, 80 SERVERASTRA-ASHU Hungary 16->50 52 91.219.236.27, 80 SERVERASTRA-ASHU Hungary 16->52 54 5 other IPs or domains 16->54 38 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 16->38 dropped 40 C:\Users\user\AppData\...\vcruntime140.dll, PE32 16->40 dropped 42 C:\Users\user\AppData\...\ucrtbase.dll, PE32 16->42 dropped 44 56 other files (none is malicious) 16->44 dropped 98 Tries to steal Mail credentials (via file / registry access) 16->98 100 Self deletion via cmd delete 16->100 102 Tries to harvest and steal browser information (history, passwords, etc) 16->102 25 cmd.exe 1 16->25         started        file7 signatures8 process9 dnsIp10 56 185.215.113.40, 49721, 49728, 80 WHOLESALECONNECTIONSNL Portugal 20->56 46 C:\Users\user\AppData\Roaming\udgjsic, PE32 20->46 dropped 48 C:\Users\user\...\udgjsic:Zone.Identifier, ASCII 20->48 dropped 66 Benign windows process drops PE files 20->66 68 Injects code into the Windows Explorer (explorer.exe) 20->68 70 Writes to foreign memory regions 20->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->72 27 explorer.exe 12 20->27         started        30 explorer.exe 20->30         started        32 explorer.exe 20->32         started        34 conhost.exe 25->34         started        36 timeout.exe 1 25->36         started        file11 signatures12 process13 signatures14 82 System process connects to network (likely due to code injection or exploit) 27->82 84 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->84 86 Tries to steal Mail credentials (via file / registry access) 27->86 88 Tries to harvest and steal browser information (history, passwords, etc) 27->88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6ea6406da66ddd3123cd438e60cf953d5476fc9201834717d21d9faa92c2f90/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 12:18:49 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
30fd5af8455df4fd2846b4460b13dfc13ca93b5b156196fc16f00dd739f8f418
Smoke Loader
80cc4b9b573e536f8894ddbd23c69e2950629d0a29b0b19a12a4412f00ab6ae4
Smoke Loader
8dee7c9f5e45b520324d40a399ce69972385c7d2423068c4496ad7df03fdb977
Smoke Loader
bd6bb975db60f223e5169901b94cb4a087e76422f799890fba9049b3b9b80fc3
Smoke Loader
cfe0285c92fd3ba73b574809c128333d493a354b509aafbf9d05402f8f82fc93
Smoke Loader
d09f1f4d1e5cf1ea2c2ffcf037bb2af20315e592f5c7f6d8692c1b60c2713927
Smoke Loader
+ 6'939 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:smokeloader botnet:fe1f102f3334068962b64125bcb00816dba46087 backdoor collection stealer trojan
Link:
https://tria.ge/reports/211203-sxg8hsbhe4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Raccoon
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.215.113.40/
http://1fdsdfsdfdsf.space/
http://2fds33rdsrsdrs.space/
http://3fds4544gfgf.space/
http://4jgfdjgdh5fds.space/
http://5gfdtktkkt44.space/
Unpacked files
SH256 hash:
23588c2745954fc71ed926218708b0960ebc9402a2fcac683c0823f090be4d76
MD5 hash:
630fbe8e8f6993e179c8ac1aa66f5075
SHA1 hash:
02f4b7b87e85eee29ba1fc153846bd87c3b1ef11
Link:
https://www.unpac.me/results/8314bf7e-84d7-4c61-a4be-14e0f9e1a62b/
SH256 hash:
f13e9c74a9490244ac299ce8acf4242fb0da05060ee8c40381ff1d20932c6b60
MD5 hash:
b6f3131f52405e2b4315f010f8f7c4d4
SHA1 hash:
e8aa9e0faa32f5d91c752953eeaeaa30b0d028d3
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/8314bf7e-84d7-4c61-a4be-14e0f9e1a62b/
SH256 hash:
a6ea6406da66ddd3123cd438e60cf953d5476fc9201834717d21d9faa92c2f90
MD5 hash:
c5401e1bb35d1b357e92c7d811d21796
SHA1 hash:
bb1c65213310d73e7fe6b780c0f4f4459fb71d26
Link:
https://www.unpac.me/results/8314bf7e-84d7-4c61-a4be-14e0f9e1a62b/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a6ea6406da66/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6ea6406da66ddd3123cd438e60cf953d5476fc9201834717d21d9faa92c2f90

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe a6ea6406da66ddd3123cd438e60cf953d5476fc9201834717d21d9faa92c2f90

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211067/
  
URLhaus
https://urlhaus.abuse.ch/url/1848570/

Comments


Avatar
zbet commented on 2021-12-03 15:29:14 UTC

url : hxxp://host-file-host-3.com/files/8210_1638516513_8883.exe