MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd12cd27c1ce9f7c43ad069b21aca05d6510216d317371939b05429cdc850074. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd12cd27c1ce9f7c43ad069b21aca05d6510216d317371939b05429cdc850074
SHA3-384 hash: faad9dd529abbeb3d8d874e95f71dba55a0310a3c0faedd222b7ebe2f285dea3ec155315951c0431a5dae313fbc32db7
SHA1 hash: e1a1716a5ecd14cd34bd26045ea7a53918d08b35
MD5 hash: 7ed3c01b8793f3572c7c0892fab3b339
humanhash: oven-alaska-network-july
File name:7ed3c01b8793f3572c7c0892fab3b339.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:349'184 bytes
First seen:2021-10-29 18:36:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4e1899733b7c624a2bcad81ab4ebcf1 (10 x RaccoonStealer, 2 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 6144:QMJh8mslUVKvg7P7Q7bC8eYEbDCJ0hgm6yQOy3I:Qa/syKvs7Q7G8eYEbGJ0htX
Threatray 5'197 similar samples on MalwareBazaar
TLSH T1B4748C10A6A1C434F5F312F849B6A36AB93F79B2AB7490CF12D516ED4674AE0EC31317
File icon (PE):PE icon
dhash icon bada8abecee6baa2 (1 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7ed3c01b8793f3572c7c0892fab3b339.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-29 19:33:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/af8550f3-88cc-4a9a-adb7-5f3e3843951c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.27942.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1ffcea2-74a2-4d43-957f-c81a95b4da4a
Result
Threat name:
Amadey Raccoon SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879574
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Early bird code injection technique detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 512009 Sample: r7oFL1z7IE.exe Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 73 nusurtal4f.net 2->73 75 netomishnetojuk.net 2->75 77 2 other IPs or domains 2->77 99 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->99 101 Antivirus detection for URL or domain 2->101 103 Antivirus detection for dropped file 2->103 105 10 other signatures 2->105 11 r7oFL1z7IE.exe 2->11         started        14 rbjutrh 2->14         started        signatures3 process4 signatures5 123 Contains functionality to inject code into remote processes 11->123 125 Injects a PE file into a foreign processes 11->125 16 r7oFL1z7IE.exe 11->16         started        127 Multi AV Scanner detection for dropped file 14->127 129 Machine Learning detection for dropped file 14->129 19 rbjutrh 14->19         started        process6 signatures7 91 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->91 93 Maps a DLL or memory area into another process 16->93 95 Checks if the current machine is a virtual machine (disk enumeration) 16->95 97 Creates a thread in another existing process (thread injection) 16->97 21 explorer.exe 16 16->21 injected process8 dnsIp9 85 216.128.137.31, 80 AS-CHOOPAUS United States 21->85 87 sysaheu90.top 185.98.87.159, 49755, 49756, 49757 VM-HOSTINGRU Russian Federation 21->87 89 4 other IPs or domains 21->89 55 C:\Users\user\AppData\Roaming\wejutrh, PE32 21->55 dropped 57 C:\Users\user\AppData\Roaming\rbjutrh, PE32 21->57 dropped 59 C:\Users\user\AppData\Local\Temp\AE5A.exe, PE32 21->59 dropped 61 9 other malicious files 21->61 dropped 115 System process connects to network (likely due to code injection or exploit) 21->115 117 Benign windows process drops PE files 21->117 119 Deletes itself after installation 21->119 121 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->121 26 37B5.exe 1 21->26         started        30 5B6D.exe 21->30         started        32 AE5A.exe 21->32         started        34 6 other processes 21->34 file10 signatures11 process12 dnsIp13 65 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 26->65 dropped 131 Multi AV Scanner detection for dropped file 26->131 133 DLL reload attack detected 26->133 135 Detected unpacking (changes PE section rights) 26->135 151 3 other signatures 26->151 137 Machine Learning detection for dropped file 30->137 139 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 30->139 141 Maps a DLL or memory area into another process 30->141 143 Injects a PE file into a foreign processes 32->143 37 AE5A.exe 32->37         started        79 toptelete.top 104.21.9.146, 49857, 80 CLOUDFLARENETUS United States 34->79 81 cdn.discordapp.com 162.159.130.233, 443, 49780, 49787 CLOUDFLARENETUS United States 34->81 83 3 other IPs or domains 34->83 67 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 34->67 dropped 69 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 34->69 dropped 71 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 34->71 dropped 145 Antivirus detection for dropped file 34->145 147 Detected unpacking (overwrites its own PE header) 34->147 149 Early bird code injection technique detected 34->149 153 4 other signatures 34->153 40 44C6.exe 34->40         started        43 AdvancedRun.exe 34->43         started        45 powershell.exe 34->45         started        47 at.exe 34->47         started        file14 signatures15 process16 file17 107 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->107 109 Maps a DLL or memory area into another process 37->109 111 Checks if the current machine is a virtual machine (disk enumeration) 37->111 113 Creates a thread in another existing process (thread injection) 37->113 63 C:\Users\user\AppData\Local\...\sqtvvs.exe, PE32 40->63 dropped 49 AdvancedRun.exe 43->49         started        51 conhost.exe 45->51         started        53 conhost.exe 47->53         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd12cd27c1ce9f7c43ad069b21aca05d6510216d317371939b05429cdc850074/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 17:51:36 UTC
AV detection:
26 of 44 (59.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xujm2j6bz2pxyq5na2nsdlfalvsrailngfzxde43avbjzxefab2a._file
Verdict:
malicious
Similar samples:
21bbaa87c03c30215b45e0886639f3861608f8a78621570e57c8826973e298c5
Smoke Loader
3909715a0ad1126b31e48c3603f265f64f7d2c92f4204d7b527eec96f52ae987
Smoke Loader
8b4f750ce68702f0a291c770fc0f556bc34fb7e2a9eaa66d79b294a1d3bf7ddf
Smoke Loader
9efdd1358f8d37219f5a6b36ef82d03fa5612c5e54c72cd1507c7c2bcf71e2af
Smoke Loader
dd3b7c750d4debae8a008400189657be324b956b23bcc781392b3b8548fe9ef8
Smoke Loader
+ 5'187 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:raccoon family:redline family:smokeloader family:vidar botnet:517 botnet:68e2d75238f7c69859792d206401b6bde2b2515c botnet:706 botnet:936 botnet:999888988 botnet:9b47742e621d3b0f1b0b79db6ed26e2c33328c05 botnet:z0rm1on agilenet backdoor collection discovery evasion infostealer persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/211029-w9gdjadhb4/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Modifies file permissions
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Amadey
Detected Djvu ransomware
Djvu Ransomware
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://193.56.146.214/
https://193.56.146.214/
93.115.20.139:28978
185.215.113.45/g4MbvE/index.php
https://mas.to/@lilocc
185.215.113.94:15564
https://mas.to/@xeroxxx
http://rlrz.org/lancer
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/931a3c4f-3cc7-4f3d-831d-7b788b50aab5/
SH256 hash:
bd12cd27c1ce9f7c43ad069b21aca05d6510216d317371939b05429cdc850074
MD5 hash:
7ed3c01b8793f3572c7c0892fab3b339
SHA1 hash:
e1a1716a5ecd14cd34bd26045ea7a53918d08b35
Link:
https://www.unpac.me/results/931a3c4f-3cc7-4f3d-831d-7b788b50aab5/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bd12cd27c1ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd12cd27c1ce9f7c43ad069b21aca05d6510216d317371939b05429cdc850074

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe bd12cd27c1ce9f7c43ad069b21aca05d6510216d317371939b05429cdc850074

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download

Comments