MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aee59b3208def311e9fd082182c861f9b57d73f1535905675e73bc6ceadcee2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aee59b3208def311e9fd082182c861f9b57d73f1535905675e73bc6ceadcee2f
SHA3-384 hash: 1e21a9d6e7a7517ea636d22e35b2666fe5fb92b67867337f1fef07ebc01b2e655c33fbdad75b5911eb919a19fbb7ae4a
SHA1 hash: f938fdd56c3efc912c453e8923e8561691fd4008
MD5 hash: 0e496e74ee09b4467f25f8350e5b089b
humanhash: summer-violet-carpet-artist
File name:0e496e74ee09b4467f25f8350e5b089b.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:336'896 bytes
First seen:2021-07-27 15:37:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0724b6e67f50109c65fd8c6025d37cf0 (2 x RedLineStealer, 1 x Smoke Loader, 1 x Stop)
ssdeep 6144:9CEGu95b36FK6fYQKdrPT4TyaM0vmSH0rCSLhclaYUX8Bynf:OW5bqDfgrsTJMy3HotWlaYUX1n
Threatray 2'465 similar samples on MalwareBazaar
TLSH T1CF648C30B791C038E5F212F8497693BCA93A7EB19B3450CB62E53AEE56341E1AC31757
dhash icon ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0e496e74ee09b4467f25f8350e5b089b.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-27 16:42:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e10e1710-ee7d-445a-b44a-73b90bd3b928

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174414/
Detection(s):
Win.Packed.Generic-9881681-0
Create hunting rule

Win.Packed.Generic-9881693-0
Create hunting rule

Win.Packed.Mokes-9881739-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Query of malicious DNS domain
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b45a7506-dedb-4e9b-9d15-ec9c60438584
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822593
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455008 Sample: JaBVFxKRLk.exe Startdate: 27/07/2021 Architecture: WINDOWS Score: 100 82 readinglistforjuly10.xyz 2->82 84 iplogger.org 2->84 86 3 other IPs or domains 2->86 128 Malicious sample detected (through community Yara rule) 2->128 130 Antivirus detection for URL or domain 2->130 132 Multi AV Scanner detection for submitted file 2->132 134 17 other signatures 2->134 11 JaBVFxKRLk.exe 2->11         started        14 hddbita 2->14         started        16 hddbita 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 144 Detected unpacking (changes PE section rights) 11->144 21 JaBVFxKRLk.exe 11->21         started        146 Machine Learning detection for dropped file 14->146 148 Contains functionality to inject code into remote processes 14->148 150 Injects a PE file into a foreign processes 14->150 24 hddbita 14->24         started        26 hddbita 16->26         started        88 127.0.0.1 unknown unknown 18->88 signatures6 process7 signatures8 136 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->136 138 Maps a DLL or memory area into another process 21->138 140 Checks if the current machine is a virtual machine (disk enumeration) 21->140 28 explorer.exe 5 21->28 injected 142 Creates a thread in another existing process (thread injection) 24->142 process9 dnsIp10 96 readinglistforjuly10.xyz 212.224.105.84, 49734, 49746, 49755 DE-FIRSTCOLOwwwfirst-colonetDE Germany 28->96 98 readinglistforjuly9.xyz 28->98 100 13 other IPs or domains 28->100 76 C:\Users\user\AppData\Roaming\hddbita, PE32 28->76 dropped 78 C:\Users\user\AppData\Local\Temp\73BC.exe, PE32 28->78 dropped 80 C:\Users\user\...\hddbita:Zone.Identifier, ASCII 28->80 dropped 152 System process connects to network (likely due to code injection or exploit) 28->152 154 Benign windows process drops PE files 28->154 156 Performs DNS queries to domains with low reputation 28->156 160 2 other signatures 28->160 33 C854.exe 2 28->33         started        37 ECA9.exe 28->37         started        39 explorer.exe 28->39         started        41 8 other processes 28->41 file11 158 Tries to resolve many domain names, but no domain seems valid 98->158 signatures12 process13 dnsIp14 66 C:\Users\user\AppData\Local\...\swzvhqnj.exe, PE32 33->66 dropped 102 Detected unpacking (changes PE section rights) 33->102 104 Detected unpacking (overwrites its own PE header) 33->104 106 Uses netsh to modify the Windows network and firewall settings 33->106 108 Modifies the windows firewall 33->108 44 cmd.exe 2 33->44         started        46 cmd.exe 33->46         started        48 sc.exe 33->48         started        52 3 other processes 33->52 110 Query firmware table information (likely to detect VMs) 37->110 112 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->112 124 2 other signatures 37->124 50 conhost.exe 37->50         started        114 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->114 116 Tries to steal Mail credentials (via file access) 39->116 118 Tries to harvest and steal browser information (history, passwords, etc) 39->118 90 www.geodatatool.com 158.69.65.151, 443, 49752, 49753 OVHFR Canada 41->90 92 116.202.183.50, 49751, 80 HETZNER-ASDE Germany 41->92 94 4 other IPs or domains 41->94 68 C:\Users\user\AppData\...\freebl3[1].dll, PE32 41->68 dropped 70 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 41->70 dropped 72 C:\Users\user\AppData\...\mozglue[1].dll, PE32 41->72 dropped 74 5 other files (none is malicious) 41->74 dropped 120 Multi AV Scanner detection for dropped file 41->120 122 May check the online IP address of the machine 41->122 126 2 other signatures 41->126 file15 signatures16 process17 process18 54 conhost.exe 44->54         started        56 conhost.exe 46->56         started        58 conhost.exe 48->58         started        60 conhost.exe 52->60         started        62 conhost.exe 52->62         started        64 conhost.exe 52->64         started       
Gathering data
Threat name:
Win32.Trojan.Hynamer
Create hunting rule
Status:
Malicious
First seen:
2021-07-26 20:48:33 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v3szwmqi33zrd2p5baqyfsdb7g2x247rknmqkz26oo6gz2w45yxq._file
Verdict:
suspicious
Similar samples:
6942f06c0718cbc965d52519949816c8c77bc9bca7cc654802ea6841c35fe3b3
Smoke Loader
79894af8bd699d14ae712c0a8c8ce0e5e613c462ec7d2f29b5541ca87b9d397c
Smoke Loader
7b608f567cdbb7a9ccce2a9937b34bb3b73e178efc3d2b9bc29e5fe905462bee
Smoke Loader
c97f7b2a1d29e6ab8e802c3c814e1962452a9ab375a0f0c13ef6d4e4edefe9c2
Smoke Loader
d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854
Smoke Loader
fa04b562a9b95f20ba6ae99375dec999128843910969bc5ccf964df3b5ee7882
Smoke Loader
fa1409fe184c11483708f197504246fb15ae88942e1b18a9266e0d0f4dca8290
Smoke Loader
fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2
Smoke Loader
+ 2'455 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:170 botnet:828 botnet:pro2 backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210727-5j15q8f97e/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
xmrig
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
https://xeronxikxxx.tumblr.com/
147.124.222.75:42864
95.217.122.120:8374
Unpacked files
SH256 hash:
8ac5259909dbe5f2072c1806f3438f9740dbb4ba8f8f786925a643e73f58e73a
MD5 hash:
5fd3463632f363a8adcf7105209eb6ec
SHA1 hash:
0a2aa8aea269d9580ba623add2af44fea45c2714
Link:
https://www.unpac.me/results/910b0ec2-fe59-44c3-b7fa-8f0d84b3b3ad/
SH256 hash:
aee59b3208def311e9fd082182c861f9b57d73f1535905675e73bc6ceadcee2f
MD5 hash:
0e496e74ee09b4467f25f8350e5b089b
SHA1 hash:
f938fdd56c3efc912c453e8923e8561691fd4008
Link:
https://www.unpac.me/results/910b0ec2-fe59-44c3-b7fa-8f0d84b3b3ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aee59b3208def311e9fd082182c861f9b57d73f1535905675e73bc6ceadcee2f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe aee59b3208def311e9fd082182c861f9b57d73f1535905675e73bc6ceadcee2f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1476589/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174414/

Comments