MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b996410101b932721193c3cbe614edfe760875dab9d0067e16220fcec55d32fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b996410101b932721193c3cbe614edfe760875dab9d0067e16220fcec55d32fb
SHA3-384 hash: 40ff4008a37ec7f5a219c8354742d6d6f09cd6e5db5bbdc9ab808526d7e5306da55d9bfb7ba9f754dcf711b47056e311
SHA1 hash: 71e83bdf5826fb869ff57b972b92ffbb45309cc5
MD5 hash: 4c11583ce952a936c73ad17428805541
humanhash: nebraska-johnny-saturn-one
File name:4c11583ce952a936c73ad17428805541.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:148'992 bytes
First seen:2021-11-24 19:03:17 UTC
Last seen:2021-11-24 21:05:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bf61ae69989d1072f08e18d6fa6b3469 (3 x RedLineStealer, 3 x Smoke Loader, 1 x RaccoonStealer)
ssdeep 3072:q+oemgaoSit+07RkVzWIqvjE2qtR376Ivy2:T3aI+074bqc7d9
Threatray 5'343 similar samples on MalwareBazaar
TLSH T1F3E3BE1073E0C075D1A7193068B6DBB12AFA7C325A7942BB37A8127F1F713D05AA536B
File icon (PE):PE icon
dhash icon fcfcb4f4d4d4d8c0 (19 x RedLineStealer, 16 x RaccoonStealer, 14 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
338
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4c11583ce952a936c73ad17428805541.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-24 19:09:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4bbac040-03ce-4ece-b1dc-c7530214303c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.5190.32698.6337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/619e8ca6f36138de3f3a68d6/reports/0f10c2ee-5ff1-43e7-bdbe-2b23e59c98bc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1f02bab-9995-4c59-b079-c2b72738afa0
Result
Threat name:
Djvu RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895680
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Djvu Ransomware
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 528158 Sample: J73PTzDghy.exe Startdate: 24/11/2021 Architecture: WINDOWS Score: 100 92 tzgl.org 2->92 94 srtuiyhuali.at 2->94 96 4 other IPs or domains 2->96 142 Multi AV Scanner detection for domain / URL 2->142 144 Antivirus detection for URL or domain 2->144 146 Antivirus detection for dropped file 2->146 148 19 other signatures 2->148 11 J73PTzDghy.exe 2->11         started        14 moixtplc.exe 2->14         started        16 wgjfcaw 2->16         started        18 gcjfcaw 2->18         started        signatures3 process4 signatures5 160 Contains functionality to inject code into remote processes 11->160 162 Injects a PE file into a foreign processes 11->162 164 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->164 20 J73PTzDghy.exe 11->20         started        166 Detected unpacking (changes PE section rights) 14->166 168 Detected unpacking (overwrites its own PE header) 14->168 170 Writes to foreign memory regions 14->170 172 Allocates memory in foreign processes 14->172 23 svchost.exe 1 14->23         started        174 Machine Learning detection for dropped file 16->174 26 wgjfcaw 16->26         started        176 Maps a DLL or memory area into another process 18->176 178 Checks if the current machine is a virtual machine (disk enumeration) 18->178 180 Creates a thread in another existing process (thread injection) 18->180 process6 dnsIp7 150 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->150 152 Maps a DLL or memory area into another process 20->152 154 Checks if the current machine is a virtual machine (disk enumeration) 20->154 28 explorer.exe 12 20->28 injected 102 quadoil.ru 85.143.175.153, 443, 49820, 49905 TRADERSOFTRU Russian Federation 23->102 104 microsoft-com.mail.protection.outlook.com 52.101.24.0, 25, 49818 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->104 156 System process connects to network (likely due to code injection or exploit) 23->156 158 Creates a thread in another existing process (thread injection) 26->158 signatures8 process9 dnsIp10 110 185.233.81.115, 443, 49816 SUPERSERVERSDATACENTERRU Russian Federation 28->110 112 192.162.246.70, 49792, 80 DATACHEAP-LLC-ASRU Russian Federation 28->112 114 12 other IPs or domains 28->114 84 C:\Users\user\AppData\Roaming\wgjfcaw, PE32 28->84 dropped 86 C:\Users\user\AppData\Roaming\gcjfcaw, PE32 28->86 dropped 88 C:\Users\user\AppData\Local\Temp\F32D.exe, PE32 28->88 dropped 90 11 other malicious files 28->90 dropped 182 System process connects to network (likely due to code injection or exploit) 28->182 184 Benign windows process drops PE files 28->184 186 Deletes itself after installation 28->186 188 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->188 33 A4FD.exe 2 28->33         started        37 183.exe 28->37         started        39 EFBF.exe 2 28->39         started        41 4 other processes 28->41 file11 signatures12 process13 dnsIp14 74 C:\Users\user\AppData\Local\...\moixtplc.exe, PE32 33->74 dropped 116 Detected unpacking (changes PE section rights) 33->116 118 Detected unpacking (overwrites its own PE header) 33->118 120 Machine Learning detection for dropped file 33->120 138 2 other signatures 33->138 44 cmd.exe 1 33->44         started        47 netsh.exe 3 33->47         started        49 cmd.exe 2 33->49         started        60 3 other processes 33->60 122 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->122 124 Maps a DLL or memory area into another process 37->124 140 2 other signatures 37->140 126 Antivirus detection for dropped file 39->126 128 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->128 130 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 39->130 51 EFBF.exe 39->51         started        54 conhost.exe 39->54         started        106 192.168.2.1 unknown unknown 41->106 108 file-file-host4.com 41->108 76 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 41->76 dropped 78 C:\ProgramData\sqlite3.dll, PE32 41->78 dropped 132 Tries to harvest and steal browser information (history, passwords, etc) 41->132 134 Tries to evade analysis by execution special instruction which cause usermode exception 41->134 136 Injects a PE file into a foreign processes 41->136 56 F32D.exe 41->56         started        58 99B2.exe 41->58         started        file15 signatures16 process17 dnsIp18 80 C:\Windows\SysWOW64\...\moixtplc.exe (copy), PE32 44->80 dropped 62 conhost.exe 44->62         started        64 conhost.exe 47->64         started        66 conhost.exe 49->66         started        98 185.159.80.90, 38655, 49861 HOSTING-SOLUTIONSUS Netherlands 51->98 100 api.2ip.ua 77.123.139.190, 443, 49918, 49920 VOLIA-ASUA Ukraine 56->100 82 C:\Users\user\AppData\Local\...\F32D.exe, PE32 56->82 dropped 68 conhost.exe 60->68         started        70 conhost.exe 60->70         started        72 conhost.exe 60->72         started        file19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b996410101b932721193c3cbe614edfe760875dab9d0067e16220fcec55d32fb/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 17:20:07 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xglecaibxezheemtypf6mfhn7z3aq5o2xhiam7qweih45rk5gl5q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
07741f444f37245f829e5b349f34d923f64c2af50d0e69ebf247adfb20e70979
Smoke Loader
0d62bb4a0b9c5d7684491458a0759551373a0fb211f062705ae0cafe1ac1a605
Smoke Loader
51160ae1edfcf45c5e3e6e1bedc4a5bdcfc27d5e23cb08c511ecd43b816b4c08
Smoke Loader
67ad7348d5bfbb13a98697962b46a7a833137b636b49c6eac2829c2d425e9dfa
Smoke Loader
888b7c0da59de4fb96352a4db14b1674881eea78028100bd8ffd8757f21fffdc
Smoke Loader
ce231785f06d7c6b33b20dded67b62f759ec23b23bee89b01fcb00953f7028c9
Smoke Loader
+ 5'333 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:redline family:smokeloader family:tofsee family:xmrig botnet:default backdoor discovery evasion infostealer miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/211124-xqyn5sggc2/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Arkei
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://nalirou70.top/
http://xacokuo80.top/
quadoil.ru
lakeflex.ru
http://185.10.68.50/lYWcN6H7B1.php
http://file-file-host4.com/tratata.php
185.159.80.90:38655
194.58.69.100:37026
Unpacked files
SH256 hash:
cdb9c842ba86fc328ec80226975c54c24a3ee9868cbbaab14d2b651cc80e70e6
MD5 hash:
f7ff52793660cabb5ebd2bd4b9810336
SHA1 hash:
23e6a68262b479a1ff214b09dbfe159292475a22
Link:
https://www.unpac.me/results/48188d70-e190-4b93-a392-e42a0ceee1de/
SH256 hash:
b996410101b932721193c3cbe614edfe760875dab9d0067e16220fcec55d32fb
MD5 hash:
4c11583ce952a936c73ad17428805541
SHA1 hash:
71e83bdf5826fb869ff57b972b92ffbb45309cc5
Link:
https://www.unpac.me/results/48188d70-e190-4b93-a392-e42a0ceee1de/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b996410101b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b996410101b932721193c3cbe614edfe760875dab9d0067e16220fcec55d32fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b996410101b932721193c3cbe614edfe760875dab9d0067e16220fcec55d32fb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1800988/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/209150/

Comments