MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af5379419906d8162669c4809ca28cdc4a4b656658c94f1ba18afb29437e699f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af5379419906d8162669c4809ca28cdc4a4b656658c94f1ba18afb29437e699f
SHA3-384 hash: 7049ab461109d4a43d3db94d36c67c6b800ab17e7f8ea20e4bbc5b5928281a0539781a06682fa947f95d8aa760175851
SHA1 hash: c7ce2858079043cdae9ee2353043e88931506ec5
MD5 hash: d6ff26f04a3c22e9dd2ca8016999bef8
humanhash: muppet-ink-sink-delta
File name:tel.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:296'448 bytes
First seen:2022-05-26 08:21:12 UTC
Last seen:2022-05-26 08:37:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f7252dd48caccbbc5da09bec4657c48c (2 x RedLineStealer, 1 x Smoke Loader)
ssdeep 6144:gV4DWQztF4YzsPgbRx+XtitYr2LiXQ+jiVztNR2B2tbK1E:gODW8F4YzDFx+wtYr5Q+jivNRs+bZ
Threatray 4'421 similar samples on MalwareBazaar
TLSH T14E547C10BAD0C835F1B732F48A7B936CA93EB9A1DB2491CB52D466EE1A346D4DC31317
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9824e790c6e72158 (2 x RedLineStealer, 2 x Smoke Loader, 1 x Stop)
Reporter Finch39487976
Tags:EternityWorm exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
tel.exe
Verdict:
No threats detected
Analysis date:
2022-05-26 08:24:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/efda04b2-d787-40db-996a-e7b83339462c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274685/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.49064370.21676.1150.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed pandora
Link:
https://www.filescan.io/uploads/628f38836eb3ff32632f67a5/reports/513eae76-4c8f-4fe1-894d-a1e9555c14fb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82575f5c-e1ea-464b-8660-5dd7b15d284c
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1002005
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 634501 Sample: tel.exe Startdate: 26/05/2022 Architecture: WINDOWS Score: 100 74 soapbeginshops.com 2->74 88 Snort IDS alert for network traffic 2->88 90 Multi AV Scanner detection for domain / URL 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 12 other signatures 2->94 11 tel.exe 2->11         started        14 vegeifb 2->14         started        signatures3 process4 signatures5 116 Detected unpacking (changes PE section rights) 11->116 118 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->118 120 Maps a DLL or memory area into another process 11->120 16 explorer.exe 8 11->16 injected 122 Checks if the current machine is a virtual machine (disk enumeration) 14->122 124 Creates a thread in another existing process (thread injection) 14->124 process6 dnsIp7 68 happyday9risce.com 34.118.86.4, 49764, 49767, 49768 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 16->68 70 soapbeginshops.com 16->70 72 motionberry999xerz.ru 16->72 52 C:\Users\user\AppData\Roaming\vegeifb, PE32 16->52 dropped 54 C:\Users\user\AppData\Local\Temp\6802.exe, PE32 16->54 dropped 56 C:\Users\user\AppData\Local\Temp\54D7.exe, PE32 16->56 dropped 58 C:\Users\user\...\vegeifb:Zone.Identifier, ASCII 16->58 dropped 80 System process connects to network (likely due to code injection or exploit) 16->80 82 Benign windows process drops PE files 16->82 84 Injects code into the Windows Explorer (explorer.exe) 16->84 86 3 other signatures 16->86 21 6802.exe 18 48 16->21         started        26 explorer.exe 8 16->26         started        28 54D7.exe 2 16->28         started        30 7 other processes 16->30 file8 signatures9 process10 dnsIp11 76 soapbeginshops.com 21->76 60 C:\Users\user\Desktop\SQRKHNBNYN.exe, PE32 21->60 dropped 62 C:\Users\user\Desktop62EBFQQYWPS.exe, PE32 21->62 dropped 64 C:\Users\user\Desktop\FENIVHOIKN.exe, PE32 21->64 dropped 66 36 other files (26 malicious) 21->66 dropped 96 Machine Learning detection for dropped file 21->96 98 Modifies existing user documents (likely ransomware behavior) 21->98 32 unarchiver.exe 21->32         started        78 happyday9risce.com 26->78 100 System process connects to network (likely due to code injection or exploit) 26->100 102 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->102 104 Tries to steal Mail credentials (via file / registry access) 26->104 114 3 other signatures 26->114 106 Antivirus detection for dropped file 28->106 108 Writes to foreign memory regions 28->108 110 Allocates memory in foreign processes 28->110 112 Injects a PE file into a foreign processes 28->112 34 cmd.exe 1 28->34         started        36 InstallUtil.exe 28->36         started        file12 signatures13 process14 process15 38 cmd.exe 32->38         started        40 7za.exe 32->40         started        42 conhost.exe 34->42         started        44 timeout.exe 1 34->44         started        process16 46 conhost.exe 38->46         started        48 powershell.exe 38->48         started        50 conhost.exe 40->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af5379419906d8162669c4809ca28cdc4a4b656658c94f1ba18afb29437e699f/
Threat name:
Win32.Trojan.DiskWriter
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 20:27:29 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5jxsqmza3mbmjtjysajzium3rfewzlgldeu6g5brl5ssq36ngpq._file
Verdict:
malicious
Similar samples:
380352f1c2acc2574f8eb08b31232252835758f1c35229c07ae48b375508adf0
Smoke Loader
38ccecf332445e56428fba1f9352f2977b3afdfe31f84d69ea50129079d9344b
Smoke Loader
49c7ce5e90b5bce33ac0ea6f02d309e030e81462e290e83403048822e52b1500
Smoke Loader
808a1353be2e23a511c577b86ca5c2e37ee4a30d8b5abde669e7cc2f9d91d5e2
Smoke Loader
aac5a9949dd50c434924869ec0ccdd28dacaf9729ba2cbf0744b3c9731b91010
Smoke Loader
b8e63ce3226f61cde7d51196c3ca300ca39882f4715e87938ed5d3ae68ef879d
Smoke Loader
cdcb92f83216720f2d567392a6a4d9bc1b90b3f900b783934a402d310ae5ff46
Smoke Loader
ef538d7c9dbc1375659c258adcc719b020621b8ced9666032ec2a823192a5608
Smoke Loader
+ 4'411 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:camp1 backdoor infostealer spyware suricata trojan
Link:
https://tria.ge/reports/220526-j9j37sdfcj/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Malware Config
C2 Extraction:
http://motionberry999xerz.ru/
http://happyday9risce.com/
http://kokihap7siexz3.com/
https://motionberry999xerz.ru/
https://happyday9risce.com/
https://kokihap7siexz3.com/
65.109.11.10:8599
Unpacked files
SH256 hash:
fdcc84c80c8260fe57c28e701d9137d89618a727044e989ac93703bb1397c498
MD5 hash:
27dcf2d9fca102d2f1f92b1f6c8385d0
SHA1 hash:
d10d2ba16045cac1a6757d207916ac34fb77a223
Link:
https://www.unpac.me/results/8fa72485-8c77-4641-8c92-0f0b4cabca01/
SH256 hash:
af5379419906d8162669c4809ca28cdc4a4b656658c94f1ba18afb29437e699f
MD5 hash:
d6ff26f04a3c22e9dd2ca8016999bef8
SHA1 hash:
c7ce2858079043cdae9ee2353043e88931506ec5
Link:
https://www.unpac.me/results/8fa72485-8c77-4641-8c92-0f0b4cabca01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af5379419906d8162669c4809ca28cdc4a4b656658c94f1ba18afb29437e699f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Smoke Loader

Executable exe 856ef7f611f594731015621e730d9713ae59824f3280703bd3c7de5ba8884767

Smoke Loader

zip 608d90507e8477ca85b911f790799f13f8d04cc380d346b78358237a9480de6d

Smoke Loader

HTML Application (hta) hta 249df49fd640dc7efbfc27fc2eb836bcff0090557f1b65bb710645cea68c296f

Smoke Loader

Executable exe af5379419906d8162669c4809ca28cdc4a4b656658c94f1ba18afb29437e699f

(this sample)

  
Dropped by
SHA256 249df49fd640dc7efbfc27fc2eb836bcff0090557f1b65bb710645cea68c296f
  
URLhaus
https://urlhaus.abuse.ch/url/2198160/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2206383/
Cape
Cape
https://www.capesandbox.com/analysis/274685/
  
Dropped by
MD5 3bfd999eda204b57268a50624de91537

Comments