MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2c71a3b927301a484057e79c1d8a08c45512181b6378ca2627d34ddec49d4f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 10

SHA256 hash: b2c71a3b927301a484057e79c1d8a08c45512181b6378ca2627d34ddec49d4f4
SHA3-384 hash: 7b612d86a076fe63ab62fbaa14bef3db94ed3273df98d6621512d033d6be3b6a397815a5364e2105dbec573efe08aa8c
SHA1 hash: 7a88c164746ef0faf3a176bc963bbb0c1740cf87
MD5 hash: dd20fb289cc004d0796fd12b2e3f263a
humanhash: bacon-princess-bulldog-kitten
File name: dd20fb289cc004d0796fd12b2e3f263a.exe
Signature: Smoke Loader
File size: 305'664 bytes
First seen: 2021-06-17 06:45:27 UTC
Last seen: 2021-06-17 07:44:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 364098e961c6433a5f030e6d84a48050 (13 x RedLineStealer, 1 x Smoke Loader)
ssdeep: 6144:e0n5z5VYLAtivQ6TPCGFmJGnBeBii6MNtKYiFF:l5VVYLAtiv5TqGFmsiiBE8
Threatray: 1'581 similar samples on MalwareBazaar
TLSH: F8548D00BBA0C035F6F712F849769769A53D7EB06B6490CB52E51AEE56346F0EC3131B
Reporter: abuse_ch
Tags: Dofoil exe Smoke Loader
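The imphash line is the pivot to watch: the same value is shared by 13 RedLineStealer samples and one Smoke Loader sample because imphash digests the import table, not the payload. Two files built with the same packer or loader stub import the same functions in the same order and therefore collide, whatever is inside. The Python below is an added example (not MalwareBazaar's or pefile's code) that implements the imphash normalisation and shows the collision on constructed import tables; the tables and the labels "redline_1"/"smoke_1" are made up for illustration, and the page's own value cannot be reproduced without the sample. One simplification is labelled in the code: pefile also maps well-known ws2_32/oleaut32 ordinals back to names before hashing, which is omitted here.

```python
import hashlib

# Library-name extensions that imphash strips before hashing (pefile's list).
_STRIPPED_EXTS = ("dll", "ocx", "sys")


def normalize_import(dll, func):
    """Return the 'lib.func' token imphash uses for one import entry.

    dll  -- library name as it appears in the import directory (any case)
    func -- exported name, or an int ordinal for name-less imports
    """
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in _STRIPPED_EXTS:
        lib = base
    if isinstance(func, int):
        # Simplification: pefile first maps well-known ws2_32/oleaut32
        # ordinals back to names; everything else becomes ordN, as here.
        name = "ord%d" % func
    else:
        name = func.lower()
    return "%s.%s" % (lib, name)


def imphash(imports):
    """imphash of an ordered list of (dll, func) pairs.

    Tokens are joined with commas in import-table order and MD5-hashed,
    so the same APIs linked in a different order give a different value.
    """
    tokens = [normalize_import(dll, func) for dll, func in imports]
    return hashlib.md5(",".join(tokens).encode()).hexdigest()


def cluster_by_imphash(named_imports):
    """Group {label: import_list} by imphash, the pivot shown on the page."""
    clusters = {}
    for label, imports in named_imports.items():
        clusters.setdefault(imphash(imports), []).append(label)
    return clusters


# Constructed import tables, not taken from the sample. A minimal loader stub
# needs only a handful of APIs to map and run its payload, which is why
# unrelated payloads wrapped by the same stub collide on imphash.
STUB_A = [
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("USER32.DLL", "MessageBoxA"),
]
# Same stub; the import directory merely spells the library names differently.
STUB_B = [
    ("kernel32.dll", "LoadLibraryA"),
    ("Kernel32.DLL", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("kernel32", "VirtualProtect"),  # no extension at all
    ("user32.dll", "MessageBoxA"),
]
# Same APIs, reversed link order: a different imphash.
STUB_C = list(reversed(STUB_A))

if __name__ == "__main__":
    for digest, labels in cluster_by_imphash(
        {"redline_1": STUB_A, "smoke_1": STUB_B, "unrelated": STUB_C}
    ).items():
        print(digest, labels)
```

Running it prints two clusters: STUB_A and STUB_B land on one digest despite the different spellings, STUB_C on another. That is why an imphash hit across families (as on this page) says "same packer or builder", not "same malware", and why it should be combined with ssdeep/TLSH or a YARA match before anything is attributed.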

Intelligence


File Origin
# of uploads: 2
# of downloads: 287
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dd20fb289cc004d0796fd12b2e3f263a.exe
Verdict: Suspicious activity
Analysis date: 2021-06-17 07:03:32 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Raccoon SmokeLoader Tofsee
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph ID 435957 (sample P4SRvI1baM.exe, start date 17/06/2021, architecture WINDOWS, score 100), rendered from the graph as a process tree. "N other ..." counts are the sandbox's own aggregation; network entries give destination IP/port followed by the local port(s) and the ASN/country reported.

P4SRvI1baM.exe (start)
|  DNS/IP: 18.52.17.84.bl.spamcop.net (System process connects to network (likely due to code injection or exploit)); i.instagram.com (Tries to resolve many domain names, but no domain seems valid); 9 other IPs or domains
|  Signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 10 other signatures
|
+- explorer.exe
|  |  DNS/IP: 999080321yes1t3481-service10020125999080321.ru; 999080321utest1341-service10020125999080321.ru (Tries to resolve many domain names, but no domain seems valid); 23 other IPs or domains
|  |  Dropped: C:\Users\user\AppData\Roaming\udgcecw (PE32); C:\Users\user\AppData\Local\Temp\EC85.exe (PE32); C:\Users\user\AppData\Local\Temp\E263.exe (PE32); 4 other files (2 malicious)
|  |  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Performs DNS queries to domains with low reputation; 3 other signatures
|  +- EC85.exe
|  |  |  Network: tttttt.me 95.216.186.40 port 443 (local port 49721; HETZNER-ASDE, Germany); 34.76.8.115 port 80 (local port 49722; GOOGLEUS, United States)
|  |  |  Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 56 other files (none is malicious)
|  |  |  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file access); 2 other signatures
|  |  +- cmd.exe
|  |     +- conhost.exe
|  |     +- timeout.exe
|  +- explorer.exe
|  |     DNS/IP: 999080321test51-service10020125999080321.xyz; 192.168.2.1
|  |     Signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Performs DNS queries to domains with low reputation
|  +- E263.exe
|  |  |  Dropped: C:\Users\user\AppData\Local\...\dvjxlkau.exe (PE32)
|  |  |  Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
|  |  +- cmd.exe -> conhost.exe
|  |  +- cmd.exe -> conhost.exe
|  |  +- sc.exe -> conhost.exe
|  |  +- 3 other processes -> conhost.exe (x3)
|  +- 11 other processes
+- udgcecw
|  |  Signatures: DLL reload attack detected; Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign process
|  +- udgcecw
|        Dropped: C:\Users\user\AppData\Local\Temp\AE30.tmp (PE32)
|        Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 2 other signatures
+- dvjxlkau.exe
|  |  Signatures: Detected unpacking (overwrites its own PE header); 2 other signatures
|  +- svchost.exe
|        Network: 82.202.161.188 port 423 (local ports 49734, 49739; THEFIRST-ASRU, Russian Federation); 40.93.207.1 port 25 (local port 49839; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 14 other IPs or domains
|        Dropped: C:\Windows\SysWOW64\...\systemprofile:.repos (data, alternate data stream)
|        Signatures: Creates files in alternative data streams (ADS)
+- 9 other processes
   |  DNS/IP: 127.0.0.1
   |  Signatures: Changes security center settings (notifications, updates, antivirus, firewall); DLL side loading technique detected
   +- P4SRvI1baM.exe (2 other signatures)
   +- MpCmdRun.exe
      +- conhost.exe
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-06-17 06:46:12 UTC
AV detection: 20 of 46 (43.48%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:raccoon family:smokeloader family:tofsee botnet:50f8ded12c46443e43915127b1219ac2fc439bb6 backdoor discovery evasion persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Raccoon
SmokeLoader
Tofsee
Windows security bypass
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
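The C2 list above is the most directly actionable part of this entry, and the behaviour graph shows how it was used: an injected explorer.exe resolves the 999080321...-service... hosts, while svchost.exe spawned from dvjxlkau.exe connects out to 82.202.161.188:423 and 40.93.207.1:25, and the start process queries 18.52.17.84.bl.spamcop.net, a DNS blocklist lookup. The Python below is an added example, not MalwareBazaar's code, that turns this into hunting logic over DNS and network telemetry: exact matches against the 32 extracted hosts, a regular expression generalised from their shared naming scheme (an assumption made here, so such hits are leads rather than verdicts), and the "system process connects to network" pattern from the sandbox signatures, with outbound SMTP from a system binary flagged separately. The record schema, field names and sample events are constructed for the example; map real Sysmon or EDR fields onto them.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The 32 C2 URLs from the "C2 Extraction" section above, verbatim.
C2_URLS = """
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
""".split()

# Hostnames only: DNS and proxy logs carry the host, rarely the full URL.
C2_HOSTS = frozenset(urlsplit(u).hostname for u in C2_URLS)

# All 32 hosts share one scheme: fixed prefix 999080321, a label, one hyphen,
# a second label, a TLD. Extending it to unseen siblings is an assumption.
SIBLING_RE = re.compile(r"^999080321[a-z0-9]+-[a-z0-9]+\.[a-z]+$")

# Images the behaviour graph shows on the network after code injection.
SYSTEM_IMAGES = {r"c:\windows\explorer.exe",
                 r"c:\windows\system32\svchost.exe",
                 r"c:\windows\syswow64\svchost.exe"}


def triage_event(ev):
    """Return finding strings for one telemetry record.

    Record schema is invented for this example: 'type' is 'dns' or 'net',
    'image' the process path, plus 'query' (dns) or 'dst_ip'/'dst_port' (net).
    """
    findings = []
    image = ev["image"].lower()
    if ev["type"] == "dns":
        host = ev["query"].lower().rstrip(".")
        if host in C2_HOSTS:
            findings.append("known C2 host: " + host)
        elif SIBLING_RE.match(host):
            findings.append("C2 naming pattern, host not in list: " + host)
    elif ev["type"] == "net":
        ip = ipaddress.ip_address(ev["dst_ip"])
        if image in SYSTEM_IMAGES and ip.is_global:
            findings.append("system process to public IP: %s -> %s:%d"
                            % (image.rsplit("\\", 1)[1], ip, ev["dst_port"]))
            if ev["dst_port"] == 25:
                # svchost.exe -> 40.93.207.1:25 in the graph; outbound SMTP
                # from a system binary deserves its own alert.
                findings.append("outbound SMTP from system process")
    return findings


def hunt(events):
    """(event index, finding) pairs over a list of records."""
    return [(i, f) for i, ev in enumerate(events) for f in triage_event(ev)]


# Constructed telemetry modelled on the behaviour graph above; not real logs.
SAMPLE_EVENTS = [
    {"type": "dns", "image": r"C:\Windows\explorer.exe",
     "query": "999080321test51-service10020125999080321.xyz"},
    {"type": "dns", "image": r"C:\Windows\explorer.exe",
     "query": "999080321test99-service10020125999080321.ru"},  # unlisted sibling
    {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "i.instagram.com"},
    {"type": "net", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "dst_ip": "40.93.207.1", "dst_port": 25},
    {"type": "net", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "dst_ip": "82.202.161.188", "dst_port": 423},
    {"type": "net", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "192.168.2.1", "dst_port": 53},
]
```

`hunt(SAMPLE_EVENTS)` returns five findings: the listed .xyz host, the unlisted sibling caught by the pattern, and three for svchost.exe (public IP twice, SMTP once); the Firefox lookup of i.instagram.com and explorer.exe talking to the 192.168.2.1 gateway produce nothing. The explorer.exe DNS events are deliberately not treated as "system process to network" on their own, because the resolver, not explorer.exe, sends the packet; correlate the DNS match with a following connection from the same process if your telemetry allows it.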
Unpacked files
SHA256 hash: feac37e8974af1f9868c959ee101c7965d1ef8b399ef74ffb55dfaef3cfff8fc
MD5 hash: b299a210a56aba5e4d3f2b5dba0a82a1
SHA1 hash: 69d24d62a1e9b1abe4d0458ebcf1f707a047b949

SHA256 hash: b2c71a3b927301a484057e79c1d8a08c45512181b6378ca2627d34ddec49d4f4
MD5 hash: dd20fb289cc004d0796fd12b2e3f263a
SHA1 hash: 7a88c164746ef0faf3a176bc963bbb0c1740cf87
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: win_smokeloader_a2
Author: pnx

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b2c71a3b927301a484057e79c1d8a08c45512181b6378ca2627d34ddec49d4f4 (this sample)
Delivery method
Distributed via web download
