MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b45b46943761b574b53d2938b6e6c331d778f77bf1690d3b09a07450867118b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b45b46943761b574b53d2938b6e6c331d778f77bf1690d3b09a07450867118b5
SHA3-384 hash: abd92bc98ff2e1f60bf6eaf6b5f6915262bb28cdc67ff64cf968d366c635d51836f4e87a8ab2551a5ba91104983fac62
SHA1 hash: 2f0af707ae10b4c951754502b0706a584d854958
MD5 hash: a264af8f7ed226954afde7c6d8abef8e
humanhash: oxygen-eight-mississippi-sweet
File name:a264af8f7ed226954afde7c6d8abef8e
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:195'072 bytes
First seen:2021-07-14 16:27:40 UTC
Last seen:2021-07-14 17:53:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f9c1cf1b2cfb3ee96a94f56e9a89c09a (6 x Smoke Loader)
ssdeep 3072:OBNmvUkeC4b2NIk6/EbA5zWz8BAO4fm5lakUguSH:icU8RDw5qwOO4kNui
Threatray 563 similar samples on MalwareBazaar
TLSH T1EC14AE1036E0D031DAE71A306474D7A12A3BB9323A71968F3761E7AE5E303D2DA76347
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a264af8f7ed226954afde7c6d8abef8e
Verdict:
Suspicious activity
Analysis date:
2021-07-14 16:34:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb1ebf0d-67de-46a6-9bd5-ecf99f723f50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector01
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171770/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.24383.13823.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e05e83c7-0189-48a8-b810-ede1a9407168
Result
Threat name:
Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816407
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 448819 Sample: 9CMjcYFBxo Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 69 securebiz.org 2->69 71 astdg.top 2->71 73 9 other IPs or domains 2->73 115 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->115 117 Multi AV Scanner detection for domain / URL 2->117 119 Found malware configuration 2->119 121 13 other signatures 2->121 9 9CMjcYFBxo.exe 2->9         started        12 bffwvth 2->12         started        14 svchost.exe 2->14         started        16 9 other processes 2->16 signatures3 process4 dnsIp5 133 DLL reload attack detected 9->133 135 Detected unpacking (changes PE section rights) 9->135 19 9CMjcYFBxo.exe 1 9->19         started        22 bffwvth 1 12->22         started        137 Changes security center settings (notifications, updates, antivirus, firewall) 14->137 65 127.0.0.1 unknown unknown 16->65 67 192.168.2.1 unknown unknown 16->67 139 DLL side loading technique detected 16->139 signatures6 process7 file8 123 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->123 125 Renames NTDLL to bypass HIPS 19->125 127 Maps a DLL or memory area into another process 19->127 25 explorer.exe 19 19->25 injected 41 C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32 22->41 dropped 129 Checks if the current machine is a virtual machine (disk enumeration) 22->129 131 Creates a thread in another existing process (thread injection) 22->131 signatures9 process10 dnsIp11 75 999080321newfolder1002-01462599908032135.site 82.118.23.111, 49733, 49735, 49746 GREENFLOID-ASUA Ukraine 25->75 77 999080321yomtest251-service10020125999080321.ru 25->77 79 86 other IPs or domains 25->79 43 C:\Users\user\AppData\Roaming\bffwvth, PE32 25->43 dropped 45 C:\Users\user\AppData\Local\Temp\C2D5.exe, PE32 25->45 dropped 47 C:\Users\user\AppData\Local\Temp\BDB3.exe, PE32 25->47 dropped 49 7 other files (5 malicious) 25->49 dropped 141 System process connects to network (likely due to code injection or exploit) 25->141 143 Benign windows process drops PE files 25->143 145 Performs DNS queries to domains with low reputation 25->145 149 4 other signatures 25->149 30 745F.exe 80 25->30         started        35 A391.exe 1 25->35         started        37 AEAD.exe 2 5 25->37         started        39 12 other processes 25->39 file12 147 Tries to resolve many domain names, but no domain seems valid 77->147 signatures13 process14 dnsIp15 81 telete.in 195.201.225.248, 443, 49737 HETZNER-ASDE Germany 30->81 83 34.89.184.90, 49738, 80 GOOGLEUS United States 30->83 51 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 30->51 dropped 53 C:\Users\user\AppData\...\vcruntime140.dll, PE32 30->53 dropped 55 C:\Users\user\AppData\...\ucrtbase.dll, PE32 30->55 dropped 63 56 other files (none is malicious) 30->63 dropped 89 Detected unpacking (changes PE section rights) 30->89 91 Detected unpacking (overwrites its own PE header) 30->91 93 Tries to steal Mail credentials (via file access) 30->93 95 Contains functionality to steal Internet Explorer form passwords 30->95 57 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 35->57 dropped 97 DLL reload attack detected 35->97 111 5 other signatures 35->111 59 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 37->59 dropped 61 C:\Users\user\...\ICSharpCode.SharpZipLib.dll, PE32 37->61 dropped 99 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->99 101 Query firmware table information (likely to detect VMs) 37->101 103 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->103 113 2 other signatures 37->113 85 45.32.235.238, 45555, 49773 AS-CHOOPAUS United States 39->85 87 999080321newfolder1002-01462599908032135.site 39->87 105 System process connects to network (likely due to code injection or exploit) 39->105 107 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->107 109 Tries to harvest and steal browser information (history, passwords, etc) 39->109 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b45b46943761b574b53d2938b6e6c331d778f77bf1690d3b09a07450867118b5/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 16:28:06 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wrnunfbxmg2xjnj5fe4lnzwdghlxr5336fuq2oyjub2fbbtrdc2q._file
Verdict:
suspicious
Similar samples:
08158e947e60d291cb15ea3f5d34dddaaf596225ee75f21b8789bef807e8c65e
Smoke Loader
2b4e74f6d31e2ce71fa3de3caba5fbf6b070885d43c956aa57deced79e79826b
Smoke Loader
42409087896ad827ca16b713215988bed28560c5fe0c929f7c30294854b5bfc2
Smoke Loader
4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
Smoke Loader
5e30a88fb1c9a45bd6697990493098ca05e87b2560172ae89e9811ea887ff8b4
Smoke Loader
948bae9510601455f2ba50d694a6561bf2e85071b86161a0186672616ae17a77
Smoke Loader
9f42f0539f682f13af0c8da768e854d2bd2d547047caf431b7e5136f6955f81d
Smoke Loader
b148a9228e806a666a057a6d69180ed21dbdc26ee28e754b00e98efdcae15c66
Smoke Loader
e4c8a48cc9630445efd47fab3bc452992b4b8d0ca35ede65bbc4edb8194af3a9
Smoke Loader
fc5f8356ee7ba0be1f0f4c24ac4944481759352d665bbc1208295d39cd3da30f
Smoke Loader
+ 553 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:824 botnet:btccach botnet:pro2 botnet:q backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/210714-nzsma2wb4j/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
45.32.235.238:45555
151.80.46.103:8374
185.53.46.82:3214
https://olegf9844.tumblr.com/
Unpacked files
SH256 hash:
3639600a6ddb9abd9646e644c99435b152e2b874bd24f7e3c35ed147a76fe86d
MD5 hash:
9017528c8960c1dc290cfbe61a455eb8
SHA1 hash:
9f773c892052218f8c5f8efba140a3cd35c22a21
Link:
https://www.unpac.me/results/64ae86ec-2603-42de-baff-85adf815c6db/
SH256 hash:
b45b46943761b574b53d2938b6e6c331d778f77bf1690d3b09a07450867118b5
MD5 hash:
a264af8f7ed226954afde7c6d8abef8e
SHA1 hash:
2f0af707ae10b4c951754502b0706a584d854958
Link:
https://www.unpac.me/results/64ae86ec-2603-42de-baff-85adf815c6db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b45b46943761b574b53d2938b6e6c331d778f77bf1690d3b09a07450867118b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector01
Create hunting rule
Author:ditekSHen
Description:Detects specific downloader injector shellcode

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b45b46943761b574b53d2938b6e6c331d778f77bf1690d3b09a07450867118b5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1453980/
Cape
Cape
https://www.capesandbox.com/analysis/171770/

Comments


Avatar
zbet commented on 2021-07-14 16:27:41 UTC

url : hxxp://privacytoolsforyoufree.xyz/downloads/toolspab2.exe