MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac8e358db8788a68b31260355ead5b4017652e015125f6f6cf98ca143d2521be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac8e358db8788a68b31260355ead5b4017652e015125f6f6cf98ca143d2521be
SHA3-384 hash: 588f0f9a324ce5c9727acbf9dc8e7cf083383ce1a7fb1843de00bc775a2493f75fd7fbd7eab6c0027c5dda74b100870b
SHA1 hash: 78c368b91137e7242df7e90803706cd993489c85
MD5 hash: 7b62a1c07bb4ef3cdf606c51b4c1ea22
humanhash: red-burger-cold-autumn
File name:7b62a1c07bb4ef3cdf606c51b4c1ea22.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:198'144 bytes
First seen:2021-08-05 18:33:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5db1361d34b46103924e72350663b6e3 (5 x RaccoonStealer, 2 x RedLineStealer, 2 x Socelars)
ssdeep 3072:bMkOSbiXPEZ42nryGMD5SdDkGD0QS5Kn:15iXg42ni0dP
Threatray 4'222 similar samples on MalwareBazaar
TLSH T15014AD123680FC73F6113570A851CAB53A2BFCE5D9215A877F8153AE6F352D29B36342
dhash icon 1036787c727e7636 (2 x Smoke Loader, 1 x RaccoonStealer, 1 x RedLineStealer)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
547
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7b62a1c07bb4ef3cdf606c51b4c1ea22.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-05 18:36:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e0b5df9a-06e5-48fa-918e-430d6adac8d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176807/
Detection(s):
Win.Dropper.Ursnif-9884013-0
Create hunting rule

Win.Dropper.Ursnif-9884040-0
Create hunting rule

Win.Dropper.Ursnif-9884041-0
Create hunting rule

Win.Dropper.Titirez-9884070-0
Create hunting rule

Win.Dropper.Titirez-9884078-0
Create hunting rule

Win.Packed.Filerepmalware-9884083-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a process from a recently created file
Deleting a recently created file
Replacing files
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68ee0839-41b9-41b0-be41-990a9e9e8dff
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827636
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460078 Sample: tiOOnmvteO.exe Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 81 Antivirus detection for URL or domain 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Yara detected RedLine Stealer 2->85 87 11 other signatures 2->87 9 tiOOnmvteO.exe 1 2->9         started        12 gsfvtrd 1 2->12         started        process3 file4 105 DLL reload attack detected 9->105 107 Detected unpacking (changes PE section rights) 9->107 109 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->109 117 3 other signatures 9->117 15 explorer.exe 6 9->15 injected 51 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 12->51 dropped 111 Multi AV Scanner detection for dropped file 12->111 113 Machine Learning detection for dropped file 12->113 115 Renames NTDLL to bypass HIPS 12->115 signatures5 process6 dnsIp7 57 152.89.247.174, 49744, 49750, 80 COMBAHTONcombahtonGmbHDE Germany 15->57 59 61.98.7.132, 49735, 49743, 49745 SKB-ASSKBroadbandCoLtdKR Korea Republic of 15->59 61 conceitosseg.com 115.88.24.202, 49731, 49738, 49740 LGDACOMLGDACOMCorporationKR Korea Republic of 15->61 41 C:\Users\user\AppData\Roaming\gsfvtrd, PE32 15->41 dropped 43 C:\Users\user\AppData\Local\Temp\AD6D.exe, PE32 15->43 dropped 45 C:\Users\user\AppData\Local\Temp\3BBA.exe, PE32 15->45 dropped 47 C:\Users\user\...\gsfvtrd:Zone.Identifier, ASCII 15->47 dropped 73 System process connects to network (likely due to code injection or exploit) 15->73 75 Benign windows process drops PE files 15->75 77 Deletes itself after installation 15->77 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->79 20 3BBA.exe 2 4 15->20         started        24 AD6D.exe 15 25 15->24         started        27 33A2E4F0.exe 15->27         started        29 33A2E4F0.exe 15->29         started        file8 signatures9 process10 dnsIp11 49 C:\ProgramData\...\33A2E4F0.exe, PE32 20->49 dropped 89 Multi AV Scanner detection for dropped file 20->89 91 Detected unpacking (changes PE section rights) 20->91 93 Detected unpacking (overwrites its own PE header) 20->93 95 Creates autostart registry keys with suspicious names 20->95 31 33A2E4F0.exe 20->31         started        53 185.215.113.114, 49769, 49778, 49780 WHOLESALECONNECTIONSNL Portugal 24->53 55 api.ip.sb 24->55 97 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->97 99 Machine Learning detection for dropped file 24->99 101 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 24->101 103 2 other signatures 24->103 file12 signatures13 process14 dnsIp15 63 ebanat6977769.com 8.209.79.46, 49761, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 31->63 65 Multi AV Scanner detection for dropped file 31->65 67 Detected unpacking (changes PE section rights) 31->67 69 Detected unpacking (overwrites its own PE header) 31->69 71 4 other signatures 31->71 35 svchost.exe 31->35 injected 37 lsass.exe 31->37 injected 39 svchost.exe 31->39 injected signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac8e358db8788a68b31260355ead5b4017652e015125f6f6cf98ca143d2521be/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 16:51:30 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vshdldnypcfgrmysma2v5lk3ialwklqbkes7n5wptdfbipjfeg7a._file
Verdict:
suspicious
Similar samples:
3221c7c857b80fab3818cf1ea9435cef9626d84bd308d7a365e4e5089e5ef413
Smoke Loader
364bcd3b0a74ff15848f1e2c286922fb84ac88a85785e7821544b0539f4e1ff9
Smoke Loader
3da2f2d51fb93515503a3f617cdc72159ddd1d44115edfd129ab4c8ebb38c1ed
Smoke Loader
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
Smoke Loader
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
Smoke Loader
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
Smoke Loader
c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0
Smoke Loader
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
Smoke Loader
e816613a7090688c566359653d7f55fdd6a9b05e147083ab0b1bda1c567f591c
Smoke Loader
+ 4'212 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:sewpalpadin backdoor infostealer trojan
Link:
https://tria.ge/reports/210805-44ym2925ba/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
185.215.113.114:8887
Unpacked files
SH256 hash:
c457a6d6435bd5042baa663f1acf85e8efb2bec86e8dea52aac877755a1b334a
MD5 hash:
4bc270bc5cdc2e7f3a23f54b86579d79
SHA1 hash:
b72403fd55dae9cf4f634beeef6d86e64488d649
Link:
https://www.unpac.me/results/ac1cec59-3937-492d-ac06-0d8f073069cf/
SH256 hash:
ac8e358db8788a68b31260355ead5b4017652e015125f6f6cf98ca143d2521be
MD5 hash:
7b62a1c07bb4ef3cdf606c51b4c1ea22
SHA1 hash:
78c368b91137e7242df7e90803706cd993489c85
Link:
https://www.unpac.me/results/ac1cec59-3937-492d-ac06-0d8f073069cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac8e358db8788a68b31260355ead5b4017652e015125f6f6cf98ca143d2521be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe ac8e358db8788a68b31260355ead5b4017652e015125f6f6cf98ca143d2521be

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1504929/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/176807/

Comments