MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
SHA3-384 hash: 08215831251d601c15c9be5653400b7f7aa51b5f7632fa821e505e11bea4dd7d1761ed0c16d2b1bfae1e1f04a1e8d023
SHA1 hash: 50b071b6dda483c10e7bb88ed391f655a86c31bd
MD5 hash: dd0b14b1a014231980a5b51acc414da7
humanhash: minnesota-speaker-sodium-golf
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:1'425'920 bytes
First seen:2023-09-09 17:14:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b371a654456d34022f3f69293c8f272c (3 x RedLineStealer, 1 x Smoke Loader)
ssdeep 24576:ITCI5zSJd/z8sNwu8Kuey+wrRv6WMV0t0X7L3kCc51t7O9+ZiGyOGzHYv2HMi7j:sCI5zM+u8KueyF6WMy82Zi0GzQ8j
Threatray 2'249 similar samples on MalwareBazaar
TLSH T1546512A1B1A2C972E4B2263209B0E7F45E3E7821CB715E8F77D10BBB4B241D0A5F1756
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2023-09-09 17:17:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bcea491a-a4a7-4a8f-ad68-f8395157763f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447656/
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.27584.29115.7055.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a service
Creating a file
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
control greyware lolbin packed
Link:
https://www.filescan.io/uploads/64fca817f31091fe114b6d1f/reports/c4d753f2-8696-4155-af85-23fd6e87101c/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35d47a40-16e6-414a-aaf8-a0376455f587
Result
Threat name:
Mystic Stealer, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306711
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306711 Sample: file.exe Startdate: 09/09/2023 Architecture: WINDOWS Score: 100 105 Snort IDS alert for network traffic 2->105 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 10 other signatures 2->111 12 file.exe 2->12         started        15 rundll32.exe 2->15         started        process3 signatures4 155 Contains functionality to inject code into remote processes 12->155 157 Writes to foreign memory regions 12->157 159 Allocates memory in foreign processes 12->159 161 Injects a PE file into a foreign processes 12->161 17 AppLaunch.exe 1 4 12->17         started        20 WerFault.exe 21 9 12->20         started        process5 file6 71 C:\Users\user\AppData\Local\...\v2986601.exe, PE32 17->71 dropped 73 C:\Users\user\AppData\Local\...\f4452297.exe, PE32 17->73 dropped 22 v2986601.exe 1 4 17->22         started        process7 file8 75 C:\Users\user\AppData\Local\...\v7348974.exe, PE32 22->75 dropped 77 C:\Users\user\AppData\Local\...\e6122167.exe, PE32 22->77 dropped 121 Antivirus detection for dropped file 22->121 123 Machine Learning detection for dropped file 22->123 26 v7348974.exe 1 4 22->26         started        signatures9 process10 file11 89 C:\Users\user\AppData\Local\...\v7758148.exe, PE32 26->89 dropped 91 C:\Users\user\AppData\Local\...\d9184870.exe, PE32 26->91 dropped 135 Antivirus detection for dropped file 26->135 137 Machine Learning detection for dropped file 26->137 30 v7758148.exe 1 4 26->30         started        34 d9184870.exe 26->34         started        signatures12 process13 dnsIp14 93 C:\Users\user\AppData\Local\...\v5153711.exe, PE32 30->93 dropped 95 C:\Users\user\AppData\Local\...\c6608501.exe, PE32 30->95 dropped 163 Machine Learning detection for dropped file 30->163 37 c6608501.exe 30->37         started        40 v5153711.exe 1 4 30->40         started        97 77.91.124.82, 19071, 49730, 49737 ECOTEL-ASRU Russian Federation 34->97 165 Antivirus detection for dropped file 34->165 167 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->167 169 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->169 171 Tries to harvest and steal browser information (history, passwords, etc) 34->171 file15 signatures16 process17 file18 113 Machine Learning detection for dropped file 37->113 115 Writes to foreign memory regions 37->115 117 Allocates memory in foreign processes 37->117 119 Injects a PE file into a foreign processes 37->119 43 AppLaunch.exe 37->43         started        46 AppLaunch.exe 37->46         started        48 WerFault.exe 37->48         started        85 C:\Users\user\AppData\Local\...\b0310728.exe, PE32 40->85 dropped 87 C:\Users\user\AppData\Local\...\a8829678.exe, PE32 40->87 dropped 50 a8829678.exe 40->50         started        52 b0310728.exe 40->52         started        signatures19 process20 signatures21 139 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->139 141 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 43->141 143 Maps a DLL or memory area into another process 43->143 153 2 other signatures 43->153 54 explorer.exe 43->54 injected 145 Writes to foreign memory regions 50->145 147 Allocates memory in foreign processes 50->147 149 Injects a PE file into a foreign processes 50->149 59 AppLaunch.exe 9 1 50->59         started        61 WerFault.exe 19 9 50->61         started        151 Machine Learning detection for dropped file 52->151 63 AppLaunch.exe 13 52->63         started        65 WerFault.exe 9 52->65         started        67 AppLaunch.exe 52->67         started        69 AppLaunch.exe 52->69         started        process22 dnsIp23 99 77.91.68.29, 49741, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 54->99 101 77.91.124.231, 49742, 49756, 80 ECOTEL-ASRU Russian Federation 54->101 79 C:\Users\user\AppData\Roaming\wdtvrih, PE32 54->79 dropped 81 C:\Users\user\AppData\Local\Temp\B4F7.exe, PE32 54->81 dropped 83 C:\Users\user\AppData\Local\Temp\4549.exe, PE32 54->83 dropped 125 System process connects to network (likely due to code injection or exploit) 54->125 127 Benign windows process drops PE files 54->127 129 Hides that the sample has been downloaded from the Internet (zone.identifier) 54->129 131 Disable Windows Defender notifications (registry) 59->131 133 Disable Windows Defender real time protection (registry) 59->133 103 5.42.92.211, 49727, 49767, 49787 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 63->103 file24 signatures25
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-09 17:15:06 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zm3issrred5v67crbjffckr27ubm7hxoi44k5ilc3nvogu3z6o6a._file
Verdict:
malicious
Similar samples:
03cef1108b01e5304207d3fb3a53f024ec18e0178c6dc16454723a9c7852ab25
Smoke Loader
15b5e85db3255b5984baeefc6baea2fbe1bacb772b3002bbd69df33fdb57833a
Smoke Loader
2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368
Smoke Loader
2432f37cfbe720ce2f627a725367676d71bb944d2306c1eab9bab6b0cab5e01d
Smoke Loader
4663b4277cecac818e54c11c72e9cf1ad537fe10a266e09ebb9f0026ab9a96a5
Smoke Loader
8df6ff949de778a20deb98bd90e21d9e9449045b73f75cd62c051957997882bb
Smoke Loader
9804e545d90777ee1ad26ab56f61c3eab559a0875ab0974e7f7f0f21fb96ca98
Smoke Loader
a65bbeacb8d8b1c313b78f6a2271c7d422e9a24d1fec755609559f09d7a45cc8
Smoke Loader
d5959835f49e857df7464a105909b237768ba59b9d8d9629ee966a45defbc4db
Smoke Loader
e0e95a98754efc7dd70507be038e6b3db9014d9fbcf1df0b86dc982c0ede72d4
Smoke Loader
+ 2'239 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:healer family:redline family:smokeloader botnet:virad backdoor dropper evasion infostealer persistence trojan
Link:
https://tria.ge/reports/230909-vsjlwsda34/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
SmokeLoader
Malware Config
C2 Extraction:
77.91.124.82:19071
http://77.91.68.29/fks/
Unpacked files
SH256 hash:
26e159b75fcf5f44ad870f2f34c112b7f144fedd396631eec36717a68917262a
MD5 hash:
0c85b965ede99b4d279ed38b554720a8
SHA1 hash:
e949f48fde7be7c9d4dc7851b93eca09866f3f77
Link:
https://www.unpac.me/results/d333f8e0-ff03-44aa-8eef-84758cd6314e/
SH256 hash:
cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
MD5 hash:
dd0b14b1a014231980a5b51acc414da7
SHA1 hash:
50b071b6dda483c10e7bb88ed391f655a86c31bd
Link:
https://www.unpac.me/results/d333f8e0-ff03-44aa-8eef-84758cd6314e/
Malware family:
RedLine.E
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb36894a3120/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/447656/

Comments