MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbdc6849d5c183ee2e1be181eab8b3153be1283bd2596a6529bef5bbc2c621c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbdc6849d5c183ee2e1be181eab8b3153be1283bd2596a6529bef5bbc2c621c1
SHA3-384 hash: 4fe2f553e93647c10bf763508eacbbf12b11538f120f81ae08bb6907ff514c024a524218ec34c7780c23d17191211c76
SHA1 hash: e24f4c297761cdace677aebca01b790a0d505875
MD5 hash: e8629d155a3ebbbc700095026d894696
humanhash: enemy-october-fourteen-eleven
File name:e8629d155a3ebbbc700095026d894696.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:347'136 bytes
First seen:2021-11-05 19:18:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2bde03b8e77a01221a51ce447d5c160e (3 x Smoke Loader, 3 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 6144:2+W8vBWxfeApmE0xZmk150WF+RpUowFp0gAU4B1mQx9m1:2+WSBWtZstLmkv0G+RpUowFpkrXm1
TLSH T1AB748D00A7B0C039F5B252F879B593A9B53A7DA1AB3450CF13D52AEE5A346E0EC70717
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202824/
Detection(s):
SecuriteInfo.com.ArtemisE8629D155A3E.10648.19528.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/618583abc03a81a50242d9c1/reports/38d50f15-965f-44da-b39b-f2c3163649b2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df93e6f9-e2cb-4317-a153-0e2203dc79bc
Result
Threat name:
RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884287
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Renames NTDLL to bypass HIPS
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 516739 Sample: QJX8FxGICW.exe Startdate: 05/11/2021 Architecture: WINDOWS Score: 100 84 quadoil.ru 85.143.175.153, 443, 49842, 49911 TRADERSOFTRU Russian Federation 2->84 86 microsoft-com.mail.protection.outlook.com 104.47.54.36, 25, 49834 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->86 88 5 other IPs or domains 2->88 100 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->100 102 Multi AV Scanner detection for domain / URL 2->102 104 Antivirus detection for URL or domain 2->104 106 18 other signatures 2->106 11 QJX8FxGICW.exe 2->11         started        14 ttjbwge 2->14         started        16 kcubarcj.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 signatures5 116 Contains functionality to inject code into remote processes 11->116 118 Injects a PE file into a foreign processes 11->118 20 QJX8FxGICW.exe 11->20         started        120 Machine Learning detection for dropped file 14->120 23 ttjbwge 14->23         started        122 Detected unpacking (changes PE section rights) 16->122 124 Detected unpacking (overwrites its own PE header) 16->124 126 Writes to foreign memory regions 16->126 128 Allocates memory in foreign processes 16->128 process6 signatures7 108 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->108 110 Maps a DLL or memory area into another process 20->110 112 Checks if the current machine is a virtual machine (disk enumeration) 20->112 25 explorer.exe 14 20->25 injected 114 Creates a thread in another existing process (thread injection) 23->114 process8 dnsIp9 94 192.162.246.70, 49778, 80 DATACHEAP-LLC-ASRU Russian Federation 25->94 96 216.128.137.31, 80 AS-CHOOPAUS United States 25->96 98 7 other IPs or domains 25->98 66 C:\Users\user\AppData\Roaming\ttjbwge, PE32 25->66 dropped 68 C:\Users\user\AppData\Roaming\rfjbwge, PE32 25->68 dropped 70 C:\Users\user\AppData\Local\Temp\FC5F.exe, PE32 25->70 dropped 72 12 other malicious files 25->72 dropped 130 System process connects to network (likely due to code injection or exploit) 25->130 132 Benign windows process drops PE files 25->132 134 Deletes itself after installation 25->134 136 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->136 30 12A8.exe 1 25->30         started        34 F2C8.exe 2 25->34         started        36 268E.exe 25->36         started        39 3 other processes 25->39 file10 signatures11 process12 dnsIp13 74 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 30->74 dropped 138 Multi AV Scanner detection for dropped file 30->138 140 DLL reload attack detected 30->140 142 Detected unpacking (changes PE section rights) 30->142 152 5 other signatures 30->152 76 C:\Users\user\AppData\Local\...\kcubarcj.exe, PE32 34->76 dropped 144 Detected unpacking (overwrites its own PE header) 34->144 146 Uses netsh to modify the Windows network and firewall settings 34->146 148 Modifies the windows firewall 34->148 41 cmd.exe 1 34->41         started        44 cmd.exe 2 34->44         started        46 sc.exe 1 34->46         started        52 3 other processes 34->52 90 cdn.discordapp.com 162.159.129.233, 443, 49826, 49835 CLOUDFLARENETUS United States 36->90 78 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 36->78 dropped 150 Machine Learning detection for dropped file 36->150 92 45.9.20.149, 10844, 49905 DEDIPATH-LLCUS Russian Federation 39->92 80 C:\Users\user\AppData\Local\...\ninth.vbs, ASCII 39->80 dropped 82 C:\Users\user\AppData\...\repudiations.exe, PE32 39->82 dropped 48 E33C.exe 39->48         started        50 wscript.exe 39->50         started        file14 signatures15 process16 file17 64 C:\Windows\SysWOW64\...\kcubarcj.exe (copy), PE32 41->64 dropped 54 conhost.exe 41->54         started        56 conhost.exe 44->56         started        58 conhost.exe 46->58         started        60 conhost.exe 52->60         started        62 conhost.exe 52->62         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbdc6849d5c183ee2e1be181eab8b3153be1283bd2596a6529bef5bbc2c621c1/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-05 19:19:08 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xpogqsovygb64lq34ga6voftcu56ckb32jmwuzjjx323xqwgehaq._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:101 botnet:1cb6d1b7211b77f96ff654c9904c9c8522f8a677 botnet:23435346346 botnet:243f5e3056753d9f9706258dce4f79e57c3a9c44 botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 botnet:love botnet:superstar backdoor discovery evasion infostealer miner persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/211105-x1hqnscff3/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Core1 .NET packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Detected Djvu ransomware
Djvu Ransomware
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://hefahei60.top/
http://pipevai40.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
quadoil.ru
lakeflex.ru
185.215.113.29:36224
91.242.229.222:21475
93.115.20.139:28978
185.92.73.142:52097
Unpacked files
SH256 hash:
f35e1d71747c52cddab320ae5b9ed35b24f3e1ec9b7434f6d36d7134c3eb66f8
MD5 hash:
2dff2302971aa16b6460fb12e203a6c0
SHA1 hash:
63b43efd66a20df66d92cf9a1c47ff64fb6a497e
Link:
https://www.unpac.me/results/6edbf995-3a3a-4364-9808-e7cd74feedb0/
SH256 hash:
bbdc6849d5c183ee2e1be181eab8b3153be1283bd2596a6529bef5bbc2c621c1
MD5 hash:
e8629d155a3ebbbc700095026d894696
SHA1 hash:
e24f4c297761cdace677aebca01b790a0d505875
Link:
https://www.unpac.me/results/6edbf995-3a3a-4364-9808-e7cd74feedb0/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bbdc6849d5c1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbdc6849d5c183ee2e1be181eab8b3153be1283bd2596a6529bef5bbc2c621c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe bbdc6849d5c183ee2e1be181eab8b3153be1283bd2596a6529bef5bbc2c621c1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1740412/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/202824/

Comments