MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c866cc0f79ccb6ba694ebf8ee3179871fbdcc20b5390df0650e4f8e570cd4c6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	c866cc0f79ccb6ba694ebf8ee3179871fbdcc20b5390df0650e4f8e570cd4c6e
SHA3-384 hash:	f4dda119e7518b001cf9bab86c81cee9fa4e532923b863b4c7242eae39e5956a4522887e044bea668b437f32719e8062
SHA1 hash:	9c31a7426dc7c0e106bbb9fec5b62ff2bc702acf
MD5 hash:	b2719a913029914185c2de856c1a6770
humanhash:	steak-asparagus-white-early
File name:	b2719a913029914185c2de856c1a6770
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	190'464 bytes
First seen:	2022-07-22 11:52:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b5d67d85726d53f797f7d82017938c03 (2 x RedLineStealer, 2 x Smoke Loader)
ssdeep	3072:6TfpS7N4oCrN3V8tdxh+6VW9DV8nzAR8VYN5WoMhaRRXHgoQ:mpSSNlKVGh8V2WoMATXHgo
Threatray	1'412 similar samples on MalwareBazaar
TLSH	T1EF14BE2136D0C873C7A3513158709AB55A7BB86EAB7895BFB354372E2E303D22A74353
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea68c8ccc (154 x RedLineStealer, 98 x Smoke Loader, 36 x Stop)
Reporter	openctibr
Tags:	exe OpenCTI.BR Sandboxed Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b2719a913029914185c2de856c1a6770

Verdict:

No threats detected

Analysis date:

2022-07-22 12:22:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8ea0b45f-3f1a-4d0d-b474-afb69d945102

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293397/

Detection(s):

Win.Malware.Pwsx-9957252-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/27054/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62da8fef0e298a94f3ed7324/reports/b500561f-3d0c-4064-8e8e-cb3521b3396d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00b95336-b00a-4b72-a114-675797c6f224

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1039209

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c866cc0f79ccb6ba694ebf8ee3179871fbdcc20b5390df0650e4f8e570cd4c6e/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-07-21 18:49:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zbtmyd3zzs3lu2kox6hogf4yoh55zqqlkoin6bsq4t4ok4gnjrxa._file

Verdict:

malicious

Smoke Loader

104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb

Smoke Loader

3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09

Smoke Loader

3ffe0cd89ec6899d39c06e83e857d3429823bb641fdbfc5b384d835817ea479b

Smoke Loader

b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34

Smoke Loader

cef4f5f561b5c481c67e0a9a3dd751d18d696b61c7a5dab5ebb29535093741b4

Smoke Loader

d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06

Smoke Loader

+ 1'402 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:raccoon family:socelars family:vidar botnet:1415 discovery spyware stealer suricata vmprotect

Link:

https://tria.ge/reports/220722-n2al1sfaa8/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Kills process with taskkill

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Process spawned unexpected child process

Raccoon

Socelars

Socelars payload

Vidar

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Malware Config

C2 Extraction:

https://hueduy.s3.eu-west-1.amazonaws.com/sdaiufh711/
https://t.me/korstonsales
https://climatejustice.social/@ffoleg94

Unpacked files

SH256 hash:

c866cc0f79ccb6ba694ebf8ee3179871fbdcc20b5390df0650e4f8e570cd4c6e

MD5 hash:

b2719a913029914185c2de856c1a6770

SHA1 hash:

9c31a7426dc7c0e106bbb9fec5b62ff2bc702acf

Link:

https://www.unpac.me/results/6137e6a9-4a8d-451d-b591-4f4cba3786f6/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c866cc0f79cc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c866cc0f79ccb6ba694ebf8ee3179871fbdcc20b5390df0650e4f8e570cd4c6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.