MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8e4f8648ff3dbfcf882b39d32033d3ca1f6fdaef9694107aba80f36a0480e36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8e4f8648ff3dbfcf882b39d32033d3ca1f6fdaef9694107aba80f36a0480e36
SHA3-384 hash: 3844ca8e1331f3e9eb2ab3eb0f52a5bd7a67be50d75c5dc28895b06b6b387da94affd5e1da413052aa3b0d4da9e2c49c
SHA1 hash: 9019ddfe5e2bfea43005d59c34646ebde9d1f1fe
MD5 hash: 003e691923293c72dca0b670e9ff9390
humanhash: minnesota-indigo-spring-vegan
File name:SecuriteInfo.com.Variant.Razy.537868.26927.14165
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:30'720 bytes
First seen:2021-10-18 16:15:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:aOsIP7IRNWUlaMijihcIGfTAy95w5HUWCvgnvh5gG:axYfMmiokyI5HUWAS
Threatray 2'110 similar samples on MalwareBazaar
TLSH T1A6D2CFEABD6780BCCDAC80F398E706FE92CEA1B4B4460249D55D2A7679C137C807970D
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
host
Verdict:
Suspicious activity
Analysis date:
2021-09-16 07:25:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5087cdb7-9645-4721-89af-57f4523dca82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Zeus
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198273/
Detection(s):
SecuriteInfo.com.Variant.Razy.537868.26927.14165.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed razy smokeloader
Link:
https://www.filescan.io/uploads/616d9dc6db358dd15ec00bbf/reports/b2136163-d986-4a96-9039-8f45314f5f2c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d42d478-dcb3-416b-8033-a1336ebc6d1f
Result
Threat name:
LimeRAT SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/872453
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Deletes itself after installation
DLL reload attack detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Renames NTDLL to bypass HIPS
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LimeRAT
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 504877 Sample: SecuriteInfo.com.Variant.Ra... Startdate: 18/10/2021 Architecture: WINDOWS Score: 100 55 e6tfvc.federguda.ru 2->55 57 127.0.0.1 unknown unknown 2->57 59 2 other IPs or domains 2->59 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 77 11 other signatures 2->77 9 SecuriteInfo.com.Variant.Razy.537868.26927.exe 1 2->9         started        12 vijvahi 1 2->12         started        15 svchost.exe 8 2->15         started        17 4 other processes 2->17 signatures3 75 Connects to a pastebin service (likely for C&C) 55->75 process4 dnsIp5 87 DLL reload attack detected 9->87 89 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->89 91 Renames NTDLL to bypass HIPS 9->91 99 3 other signatures 9->99 20 explorer.exe 11 9->20 injected 51 C:\Users\user\AppData\Local\Temp\BC84.tmp, PE32 12->51 dropped 93 Antivirus detection for dropped file 12->93 95 Multi AV Scanner detection for dropped file 12->95 97 Machine Learning detection for dropped file 12->97 25 WerFault.exe 15->25         started        27 WerFault.exe 15->27         started        53 192.168.2.1 unknown unknown 17->53 file6 signatures7 process8 dnsIp9 61 planilhasvba.com.br 216.172.172.202, 49750, 49810, 80 UNIFIEDLAYER-AS-1US United States 20->61 63 sinopars.ir 95.217.43.206, 49756, 49763, 80 HETZNER-ASDE Germany 20->63 43 C:\Users\user\AppData\Roaming\vijvahi, PE32 20->43 dropped 45 C:\Users\user\AppData\Local\Temp\C31C.exe, PE32 20->45 dropped 47 C:\Users\user\AppData\Local\Temp\B281.exe, PE32 20->47 dropped 49 3 other malicious files 20->49 dropped 79 System process connects to network (likely due to code injection or exploit) 20->79 81 Benign windows process drops PE files 20->81 83 Injects code into the Windows Explorer (explorer.exe) 20->83 85 3 other signatures 20->85 29 C31C.exe 20->29         started        33 explorer.exe 20->33         started        35 B281.exe 16 4 20->35         started        37 3 other processes 20->37 file10 signatures11 process12 dnsIp13 101 Multi AV Scanner detection for dropped file 29->101 103 Creates autostart registry keys with suspicious names 29->103 105 Creates an autostart registry key pointing to binary in C:\Windows 29->105 65 planilhasvba.com.br 33->65 107 System process connects to network (likely due to code injection or exploit) 33->107 109 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->109 111 Tries to steal Mail credentials (via file access) 33->111 113 Tries to harvest and steal browser information (history, passwords, etc) 33->113 67 cdn.discordapp.com 162.159.130.233, 443, 49776, 49781 CLOUDFLARENETUS United States 35->67 115 Adds a directory exclusion to Windows Defender 35->115 117 Injects a PE file into a foreign processes 35->117 119 Machine Learning detection for dropped file 37->119 39 WerFault.exe 3 7 37->39         started        41 WerFault.exe 7 37->41         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8e4f8648ff3dbfcf882b39d32033d3ca1f6fdaef9694107aba80f36a0480e36/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 17:46:53 UTC
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdspqzep6pn7z6ecwooteaz5hsq7n7no7fuucb5lvahtniciby3a._file
Verdict:
malicious
Similar samples:
2719fd90e145c3520563231bf1e70417e5dc84cf275046f01ce1fe81f52c5381
Smoke Loader
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
Smoke Loader
3fe70737f4c556e55f6ff23ebde2d84d9867059847105623d9414a57abfda632
Smoke Loader
42dbfa5efe80e105779d68ff235e542aea125899495f2c7feea11471531238fd
Smoke Loader
4dd3b8c14d77c4099c86f0fe88a0e58995f45da816eeb36845b1192b91c48e66
Smoke Loader
560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b
Smoke Loader
5b742d7fc7f00ec13442daf22ff2bb2b856e5083eee18fffc267185bfbb7720b
Smoke Loader
6c7390a207bf7d3ce9df2c9df04609bbc6176eb958294f760e9167553fd05428
Smoke Loader
6f746dfc7c53944b60e4fdc29fdea740ae8ceaf98126262258fd38ecf166cba5
Smoke Loader
9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7
Smoke Loader
+ 2'100 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:limerat family:redline family:smokeloader botnet:125 backdoor collection discovery evasion infostealer persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211018-tqs7waehar/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
LimeRAT
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Turns off Windows Defender SpyNet reporting
Windows security bypass
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://planilhasvba.com.br/wp-admin/js/k/index.php
http://rpk32ubon.ac.th/backup/k/index.php
http://4urhappiness.com/app/k/index.php
http://swedenkhabar.com/wp-admin/js/k/index.php
http://cio.lankapanel.net/wp-admin/js/k/index.php
http://fcmsites.com.br/canal/wp-admin/js/k/index.php
http://lacoibipitanga.com.br/maxart/k/index.php
http://lacoibipitanga.com.br/cgi-bin/k/index.php
http://video.nalahotel.com/k/index.php
http://diving-phocea.com/wp-admin/k/index.php
http://phocea-sudan.com/cgi-bin/k/index.php
http://rpk32ubon.ac.th/wp-admin/js/k/index.php
https://www.twinrealty.com/vworker/k/index.php
198.23.172.50:43819
Unpacked files
SH256 hash:
a8e4f8648ff3dbfcf882b39d32033d3ca1f6fdaef9694107aba80f36a0480e36
MD5 hash:
003e691923293c72dca0b670e9ff9390
SHA1 hash:
9019ddfe5e2bfea43005d59c34646ebde9d1f1fe
Link:
https://www.unpac.me/results/609f9518-1d99-408a-8f6f-bd6081d86940/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a8e4f8648ff3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.46
Link:
https://yomi.yoroi.company/submissions/a8e4f8648ff3dbfcf882b39d32033d3ca1f6fdaef9694107aba80f36a0480e36

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe a8e4f8648ff3dbfcf882b39d32033d3ca1f6fdaef9694107aba80f36a0480e36

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1691072/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198273/

Comments