MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b212d74816e467554e05c5c73ff9657fe5f8ae01d2aecd1e55d67fd49b37d974. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	b212d74816e467554e05c5c73ff9657fe5f8ae01d2aecd1e55d67fd49b37d974
SHA3-384 hash:	0475941df79f7386a30a4dec32ff803fe4814b00efa05946ef05e0cfda56e2b958c9d23f756289ed7181cf5ed034bd3f
SHA1 hash:	fb2aef60db001cf8f08d990710128a35dda05f01
MD5 hash:	cebed438dc12bcfdb5192dee5b3aee6d
humanhash:	zulu-muppet-butter-cold
File name:	cebed438dc12bcfdb5192dee5b3aee6d.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	138'240 bytes
First seen:	2021-09-27 12:32:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3cd0350cb20713093b4eb51a8785dabd (3 x ArkeiStealer, 2 x RaccoonStealer, 2 x Stop)
ssdeep	3072:uMikEZ6kJCz27UBcAXD/55sFaRJja73lZ2z0OHz:uMKZL2X8Y7jYj2AOT
Threatray	4'864 similar samples on MalwareBazaar
TLSH	T119D3BE1C7A8FD532DD9A59318830C6A0A62DBC313E61DE833B54672F2F71291563B3A7
File icon (PE):
dhash icon	fcfcb4f4d4d4d8c0 (19 x RedLineStealer, 16 x RaccoonStealer, 14 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cebed438dc12bcfdb5192dee5b3aee6d.exe

Verdict:

No threats detected

Analysis date:

2021-09-27 12:36:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2f5fbefe-3bc9-476a-893b-4fdbf037ceb2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/192086/

Detection(s):

Win.Packed.Filerepmalware-9897102-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7c7fca58-9a06-4a9b-9377-01b74d47c476

Result

Threat name:

RedLine SmokeLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/858954

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b212d74816e467554e05c5c73ff9657fe5f8ae01d2aecd1e55d67fd49b37d974/

Threat name:

Win32.Trojan.Racealer

Status:

Malicious

First seen:

2021-09-27 08:47:32 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Verdict:

malicious

Smoke Loader

296cb7c456c55688de080e9940722307f1ee92acbfec61696e21ec985794a3ff

Smoke Loader

5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96

Smoke Loader

9f154115fa8045aa05f15f7cd1de9623ebe32e8ea400279ecb5dfa3596952e3b

Smoke Loader

b7915e2c423abfd40c013439cc726587a44fc207696637b2a431abce68963dd4

Smoke Loader

c631cb26f2e253d64adb3caf2ef5f15930caf089a6dc9fa7e0ac2e9512cd57d3

Smoke Loader

e0caf6fb02b0ef2bd64b0e04e1793a502b4a3b350a5be41c1baea88842530383

Smoke Loader

edf6beb88780fb3085332f843b73418f52bbf095265dad631cf8e187644cb565

Smoke Loader

+ 4'854 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:redline family:smokeloader family:vidar botnet:paladin backdoor discovery evasion infostealer persistence ransomware spyware stealer themida trojan

Link:

https://tria.ge/reports/210927-psgjmshaa8/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Looks up external IP address via web service

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Themida packer

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Detected Djvu ransomware

Djvu Ransomware

RedLine

RedLine Payload

SmokeLoader

Vidar

Malware Config

C2 Extraction:

http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
94.26.228.204:32917

Unpacked files

SH256 hash:

5e52071fd7832c439965575105f0a8d309fc5c923523689f94c6aaaa4230ec8a

MD5 hash:

0723090cb25a2ec591eb170730b0e737

SHA1 hash:

d6e2422a17cfe0de3cc43053cf595b7a28897386

Link:

https://www.unpac.me/results/d39259b9-82f0-4193-afd0-7004961d611f/

SH256 hash:

b212d74816e467554e05c5c73ff9657fe5f8ae01d2aecd1e55d67fd49b37d974

MD5 hash:

cebed438dc12bcfdb5192dee5b3aee6d

SHA1 hash:

fb2aef60db001cf8f08d990710128a35dda05f01

Link:

https://www.unpac.me/results/d39259b9-82f0-4193-afd0-7004961d611f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b212d74816e4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b212d74816e467554e05c5c73ff9657fe5f8ae01d2aecd1e55d67fd49b37d974

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe b212d74816e467554e05c5c73ff9657fe5f8ae01d2aecd1e55d67fd49b37d974

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1644574/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/192086/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample