MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a946e19fbc5a87add31fae8c5d1b43e111066e66ac609688e2ec6f8b18858365. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a946e19fbc5a87add31fae8c5d1b43e111066e66ac609688e2ec6f8b18858365
SHA3-384 hash: 49a1227dc0a61e1917ebaefa55bf1e8f9f7145ec395c76d406d9f65fb312b5d3d06eb8500df724489afdeffa1daa89c8
SHA1 hash: a4db7a989da62f1bcf7e2c0e5e75f4b274cd4d3f
MD5 hash: a928d669f3951dc297cf34cf0028d69a
humanhash: high-artist-sodium-monkey
File name:a928d669f3951dc297cf34cf0028d69a.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:337'408 bytes
First seen:2021-07-28 18:10:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e72f2402159f3418273773a579521e9 (1 x Smoke Loader, 1 x DanaBot)
ssdeep 6144:oM1kuP5AfKFKblPnK32v9D4cMPaq4yHSrar8Q9oXE:Mg5AyOlP5vecaFVHWe9oX
Threatray 2'514 similar samples on MalwareBazaar
TLSH T1E174AE20B790C039F6B612F845BA93BCA5393AB19B3450CB53D52AEE16346EDEC31747
dhash icon 5052b2e068696c46 (1 x RedLineStealer, 1 x CryptBot, 1 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a928d669f3951dc297cf34cf0028d69a.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-28 18:17:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e0bbec20-ae8f-404f-a27e-2a44131dc570

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Zeus
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174783/
Detection(s):
Win.Packed.Generic-9881681-0
Create hunting rule

Win.Packed.Generic-9881693-0
Create hunting rule

Win.Packed.Mokes-9881739-0
Create hunting rule

Win.Packed.Mokes-9881749-0
Create hunting rule

Win.Packed.Mokes-9881758-0
Create hunting rule

Win.Packed.Generic-9881797-0
Create hunting rule

Win.Packed.Mokes-9881903-0
Create hunting rule

Win.Packed.Ransomx-9881905-0
Create hunting rule

Win.Packed.Mokes-9881941-0
Create hunting rule

Win.Malware.Generic-9881961-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d41a1736-4207-427e-9b85-a601cf3c99a3
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823377
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Send many emails (e-Mail Spam)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455792 Sample: X54kf4zSf8.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 68 www.google.com 2->68 70 vfgd.com 2->70 72 55 other IPs or domains 2->72 86 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->86 88 Sigma detected: Xmrig 2->88 90 Multi AV Scanner detection for domain / URL 2->90 94 21 other signatures 2->94 11 X54kf4zSf8.exe 2->11         started        14 ebutiuj 2->14         started        16 svchost.exe 1 2->16         started        19 3 other processes 2->19 signatures3 92 System process connects to network (likely due to code injection or exploit) 70->92 process4 dnsIp5 114 Detected unpacking (changes PE section rights) 11->114 21 X54kf4zSf8.exe 11->21         started        116 Machine Learning detection for dropped file 14->116 118 Injects a PE file into a foreign processes 14->118 66 192.168.2.1 unknown unknown 16->66 signatures6 process7 signatures8 96 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->96 98 Maps a DLL or memory area into another process 21->98 100 Checks if the current machine is a virtual machine (disk enumeration) 21->100 102 Creates a thread in another existing process (thread injection) 21->102 24 explorer.exe 25 21->24 injected process9 dnsIp10 80 readinglistforjuly2.xyz 24->80 82 readinglistforjuly9.xyz 24->82 84 14 other IPs or domains 24->84 46 C:\Users\user\AppData\Roaming\ebutiuj, PE32 24->46 dropped 48 C:\Users\user\AppData\Local\Temp\FC5C.exe, PE32 24->48 dropped 50 C:\Users\user\AppData\Local\Temp866.exe, PE32 24->50 dropped 52 10 other files (8 malicious) 24->52 dropped 104 System process connects to network (likely due to code injection or exploit) 24->104 106 Benign windows process drops PE files 24->106 108 Performs DNS queries to domains with low reputation 24->108 112 4 other signatures 24->112 29 CE35.exe 24->29         started        33 A981.exe 2 24->33         started        35 C664.exe 24->35         started        37 4 other processes 24->37 file11 110 Tries to resolve many domain names, but no domain seems valid 82->110 signatures12 process13 dnsIp14 54 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 29->54 dropped 120 DLL reload attack detected 29->120 122 Detected unpacking (changes PE section rights) 29->122 124 Machine Learning detection for dropped file 29->124 140 4 other signatures 29->140 56 C:\Users\user\AppData\Local\...\sbrfgujp.exe, PE32 33->56 dropped 126 Detected unpacking (overwrites its own PE header) 33->126 128 Uses netsh to modify the Windows network and firewall settings 33->128 130 Modifies the windows firewall 33->130 40 cmd.exe 33->40         started        132 Query firmware table information (likely to detect VMs) 35->132 134 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->134 142 2 other signatures 35->142 42 conhost.exe 35->42         started        74 xeronxikxxx.tumblr.com 37->74 76 116.202.183.50, 49751, 80 HETZNER-ASDE Germany 37->76 78 xeronxikxxx.tumblr.com 74.114.154.22, 443, 49750 AUTOMATTICUS Canada 37->78 58 C:\Users\user\AppData\...\softokn3[1].dll, PE32 37->58 dropped 60 C:\Users\user\AppData\...\freebl3[1].dll, PE32 37->60 dropped 62 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 37->62 dropped 64 9 other files (none is malicious) 37->64 dropped 136 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->136 144 4 other signatures 37->144 file15 138 Tries to resolve many domain names, but no domain seems valid 74->138 signatures16 process17 process18 44 conhost.exe 40->44         started       
Gathering data
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 19:22:00 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vfdodh54lkd23uy7v2gf2g2d4eiqm3tgvrqjnchc5rxywgefqnsq._file
Verdict:
suspicious
Similar samples:
6942f06c0718cbc965d52519949816c8c77bc9bca7cc654802ea6841c35fe3b3
Smoke Loader
76526cd30725afafe90b7f19fbb607571ac7f827aece34bf1d1cc41c595f2a93
Smoke Loader
79894af8bd699d14ae712c0a8c8ce0e5e613c462ec7d2f29b5541ca87b9d397c
Smoke Loader
7b608f567cdbb7a9ccce2a9937b34bb3b73e178efc3d2b9bc29e5fe905462bee
Smoke Loader
c97f7b2a1d29e6ab8e802c3c814e1962452a9ab375a0f0c13ef6d4e4edefe9c2
Smoke Loader
d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854
Smoke Loader
fa04b562a9b95f20ba6ae99375dec999128843910969bc5ccf964df3b5ee7882
Smoke Loader
fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2
Smoke Loader
+ 2'504 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar botnet:824 botnet:828 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210728-wzhjekbzkj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Raccoon
RedLine
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Vidar
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
https://xeronxikxxx.tumblr.com/
Unpacked files
SH256 hash:
a072ff0f96f6d1860931b95dafd98722dfb43ff14bc54290451b5e81cb50bf85
MD5 hash:
2ab92457b4aaad3a2e3352a752561a92
SHA1 hash:
4b01947d263d386d8541b2d590a4d7b3f4dd8c87
Link:
https://www.unpac.me/results/459f922d-f422-415c-98e6-a63d32fbe1f1/
SH256 hash:
a946e19fbc5a87add31fae8c5d1b43e111066e66ac609688e2ec6f8b18858365
MD5 hash:
a928d669f3951dc297cf34cf0028d69a
SHA1 hash:
a4db7a989da62f1bcf7e2c0e5e75f4b274cd4d3f
Link:
https://www.unpac.me/results/459f922d-f422-415c-98e6-a63d32fbe1f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a946e19fbc5a87add31fae8c5d1b43e111066e66ac609688e2ec6f8b18858365

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe a946e19fbc5a87add31fae8c5d1b43e111066e66ac609688e2ec6f8b18858365

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1476590/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174783/

Comments