MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c64d6d97f813bc36de79ab49f2a9ef0f45c14fc43e7e6e7a4b54053b8bc05791. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13

SHA256 hash: c64d6d97f813bc36de79ab49f2a9ef0f45c14fc43e7e6e7a4b54053b8bc05791
SHA3-384 hash: 3720464c1001c942f20e0695120a7aa030aa7317c3b45bcc68b2fe71c24851df08a6f18c8233d1c22ceab2026df38880
SHA1 hash: 52e93fc5822ebfe6bec03b73aa7e4a5532d50525
MD5 hash: 9f48aa305e591b5106d427be33f048a3
humanhash: bacon-zebra-hawaii-paris
File name: 9f48aa305e591b5106d427be33f048a3.exe
Signature: Smoke Loader
File size: 243'712 bytes
First seen: 2021-10-05 17:21:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: dd19d1f0ffda5384bb572fd4e5082d7e (4 x RaccoonStealer, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep: 6144:24AwhPQpXSC0OGCDhlw1wv9HjnIbAuMt55:2hiAXSC0OGylw1sjI7O55
Threatray: 5'039 similar samples on MalwareBazaar
TLSH: T1EC349E1077E0C034F1FB16F948B9A3B8A92DBDB06B3495CB96D52AEA56746E0DD30343
dhash icon: e8e8e8e8aa62a499 (21 x RaccoonStealer, 11 x ArkeiStealer, 4 x RedLineStealer)
Reporter: abuse_ch
Tags: Dofoil, exe, Smoke Loader

Intelligence

File Origin
# of uploads: 1
# of downloads: 399
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 9f48aa305e591b5106d427be33f048a3.exe
Verdict: Suspicious activity
Analysis date: 2021-10-05 17:37:43 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware, packed
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: Raccoon RedLine SmokeLoader Tofsee
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 497453 (Sample: NF3zeW1ZZO.exe, Startdate: 05/10/2021, Architecture: WINDOWS, Score: 100). The rendered process/network behavior graph is not reproduced here.
Threat name: Win32.Ransomware.Stop
Status: Malicious
First seen: 2021-10-05 17:22:08 UTC
AV detection: 26 of 45 (57.78%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:raccoon, family:redline, family:smokeloader, family:tofsee, family:xmrig, botnet:5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4, botnet:proliv, backdoor, evasion, infostealer, miner, persistence, stealer, trojan
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Windows security modification
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Nirsoft
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 592b089027938156e18387e4402b965a5f1ffc25e96d7efc3aa9331254587bdd
MD5 hash: 2dbb1eb8c40c88994738a736ad55c79b
SHA1 hash: 88e2fc9242606c7dfcd68d5da8c6d457837157a3

SHA256 hash: c64d6d97f813bc36de79ab49f2a9ef0f45c14fc43e7e6e7a4b54053b8bc05791
MD5 hash: 9f48aa305e591b5106d427be33f048a3
SHA1 hash: 52e93fc5822ebfe6bec03b73aa7e4a5532d50525
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Smoke Loader
File: Executable exe c64d6d97f813bc36de79ab49f2a9ef0f45c14fc43e7e6e7a4b54053b8bc05791 (this sample)

Comments