MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0c09c00990cc693789f83e8dfb4d3e7db62a583d246cea22b2c6bb3a2c3e6f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0c09c00990cc693789f83e8dfb4d3e7db62a583d246cea22b2c6bb3a2c3e6f0
SHA3-384 hash: 9588a7247cf0f57a8c4c6e7f2c17aae7c539e5f3fddd796cc7ae8751ad21f5ad41a7af1438d768b784f78cfc76179ce3
SHA1 hash: fc05a397204075db47095fd79c551c1a0c49e1c6
MD5 hash: 1d1f1db339f3a24f0d36c55f73170823
humanhash: four-stairway-island-oscar
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:188'928 bytes
First seen:2023-03-14 21:08:19 UTC
Last seen:2023-03-14 22:29:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c5cca9d2a82fe533fcc4c2209568ef92 (1 x Smoke Loader, 1 x AuroraStealer, 1 x RedLineStealer)
ssdeep 3072:LoqvXo/yHi3fSwlOU7Oo1oog2KzDn9DAzz67FWXkf6yYEZV:dvXlCeo1i2KdDAzz6IXo7
Threatray 4'359 similar samples on MalwareBazaar
TLSH T178045C4383A07F61E5214B72CE2FC6FA768DF9108E59BB7922186A2F04B13F1D663751
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 916a6a6e6a6a6a60 (1 x Amadey, 1 x Smoke Loader)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from https://akkolsizidinliyor.com/tmp/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-14 21:10:19 UTC
Tags:
loader smoke trojan stealer
Link:
https://app.any.run/tasks/b04f2b2a-d577-48a5-a6e8-e93b252e08da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/374405/
Detection(s):
SecuriteInfo.com.Win32.RansomX-gen.10706.18887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Searching for synchronization primitives
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6410e26f06c49bd8b6b5c937/reports/7015ceff-f234-403b-ad35-7b133ea00463/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d0c09c00990cc693789f83e8dfb4d3e7db62a583d246cea22b2c6bb3a2c3e6f0
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f612cdd1-9f9e-4b7b-b504-a955e8d47b67
Result
Threat name:
Aurora, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1193734
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara Aurora Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 826635 Sample: file.exe Startdate: 14/03/2023 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic 2->67 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 10 other signatures 2->73 9 file.exe 2->9         started        12 ajviswh 2->12         started        14 7C8A.exe 2->14         started        process3 signatures4 99 Detected unpacking (changes PE section rights) 9->99 101 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->101 103 Maps a DLL or memory area into another process 9->103 105 Creates a thread in another existing process (thread injection) 9->105 16 explorer.exe 2 9 9->16 injected 107 Multi AV Scanner detection for dropped file 12->107 109 Machine Learning detection for dropped file 12->109 111 Checks if the current machine is a virtual machine (disk enumeration) 12->111 process5 dnsIp6 55 201.124.81.159, 49696, 49699, 49707 UninetSAdeCVMX Mexico 16->55 57 vispik.at 190.229.19.7, 49695, 49700, 49702 TelecomArgentinaSAAR Argentina 16->57 59 8 other IPs or domains 16->59 47 C:\Users\user\AppData\Roaming\ajviswh, PE32 16->47 dropped 49 C:\Users\user\AppData\Local\Temp\D917.exe, PE32 16->49 dropped 51 C:\Users\user\AppData\Local\Temp\AFBE.exe, PE32+ 16->51 dropped 53 2 other malicious files 16->53 dropped 75 System process connects to network (likely due to code injection or exploit) 16->75 77 Benign windows process drops PE files 16->77 79 Deletes itself after installation 16->79 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->81 21 D917.exe 15 4 16->21         started        25 AFBE.exe 16 16->25         started        27 7C8A.exe 16->27         started        file7 signatures8 process9 dnsIp10 61 fronxtracking.com 176.124.192.199, 49713, 80 GULFSTREAMUA Russian Federation 21->61 63 api.ip.sb 21->63 83 Multi AV Scanner detection for dropped file 21->83 85 Detected unpacking (changes PE section rights) 21->85 87 Detected unpacking (overwrites its own PE header) 21->87 97 2 other signatures 21->97 65 138.201.198.8, 49733, 8081 HETZNER-ASDE Germany 25->65 89 Antivirus detection for dropped file 25->89 91 Detected unpacking (creates a PE file in dynamic memory) 25->91 93 Tries to harvest and steal browser information (history, passwords, etc) 25->93 29 cmd.exe 25->29         started        31 cmd.exe 25->31         started        33 WMIC.exe 1 25->33         started        35 conhost.exe 25->35         started        95 Machine Learning detection for dropped file 27->95 signatures11 process12 process13 37 conhost.exe 29->37         started        39 WMIC.exe 29->39         started        41 conhost.exe 31->41         started        43 WMIC.exe 31->43         started        45 conhost.exe 33->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0c09c00990cc693789f83e8dfb4d3e7db62a583d246cea22b2c6bb3a2c3e6f0/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 21:09:07 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dajyaezbtdjg6e7qpun7ngt47nwfjmd2jdm5irlfrv3hiwd43ya._file
Verdict:
malicious
Similar samples:
0baa53972ce2be403f9e5d9d3a7f5d7098858a3acd9e16a315f6e4f5e0b2c902
Smoke Loader
31125dd90470955ca70e23ae2c3fd372db8b991a7c92bfb49d442b67539602c3
Smoke Loader
47ffcfc1a0233a7bcb0b4fc36d47f20d6c1293977cf489a6c39aed02f361af2c
Smoke Loader
6f8eb4e3c8240ae778f371c9c702a6091f7dda83b67debd802aeed4d9ea08620
Smoke Loader
74d9950fb4a58f99306f9310d3bb295f865f164e16f2f53b6baec947ee5cfca5
Smoke Loader
a9160cdf243372acd9607902bc5160bfa284e64599131dcb0d6d0228ea4f3664
Smoke Loader
ac3b9b3caa7962e5775de79c23d1f674ad4161f135af447a480ced3d3ca983a5
Smoke Loader
c45365acb54ee1edf3eda04ca895367520f3dcc86772c8561ba6eca0479fe331
Smoke Loader
ef0384f195f7550887ab50c82f606b259a6722de97053138db67896da26d93d8
Smoke Loader
+ 4'349 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:pub4 backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230314-zzfk2ahh37/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
Checks installed software on the system
Executes dropped EXE
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://vispik.at/tmp/
http://ekcentric.com/tmp/
http://hbeat.ru/tmp/
http://mordo.ru/tmp/
Unpacked files
SH256 hash:
93aa95fb6ff1197842539ad7d33661578c19614b641bc01b1339e9c74e8f6077
MD5 hash:
79e11ad9206a0e4207a1916c41d485e3
SHA1 hash:
7b2e2d5c564fe560f76bf3db8ce91acef6db1b3e
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/a4ceb964-7959-477e-b85f-8fd9d5c8fad3/
Parent samples :
8d817b65185a02fb3050ec898ba6dc15f88e97428402de127d0fe79e6480421d
e9abf1a9ce327a916ba7191b471e3039d5e50093fe7346944a83d020e89da470
3358510dd07f7a0f84f6b8ff788bf5fb661c2259ebff3696c964f928a166a58c
e6ac1fe76c5644ac4f6624ffd984aebf33708da63cd425e58218eac16b9500c3
b3c1c51816ed1e710c16b9979424f6e048de948320e1560664f02b7fd68a1c70
bfa7f935ce2d538f08ef9b71990ff857c855ae47f402010207533a85831b0d69
d0c09c00990cc693789f83e8dfb4d3e7db62a583d246cea22b2c6bb3a2c3e6f0
9b6da424a0f27a420231b67553454bf11d1283164fd176d688ddd43f2a6c4dfc
35c8d963860e8a3b6f74aae074eeae71dbcd50f4ac55e72f4509f15eb45e6f09
6fcfc6e9c3504129087f399f02026f0857e51702803c00e15c16a98d94414974
86d03866f50e32545514b56e8fc46122c136d24e80954b7f6291b870a1e2a5ac
e5147ae13310b2b93da17d2800a21956788671c907f7dd19a3918c0b9fcc051b
a55fb5f4931b56a67accf6b1e95d17bb96a3e12b5a960816c60dfd06bb440d9c
ba22d964e19050f18e2616497d28864c3f3e7e4f6769b6b55020002af356fd52
cd3e1831de588644e2706fa76f1b8bdd13e575cd648b6db24ddc4c9016ab978b
92a5b282a453a1d71a1d800a95018b6248da4a8cdcc58e82c56266be169cc98c
1b47e6ab6638a2d79d7a5f80627f4e96a7169b8083c6d69fb8f32ee6efcc2aa5
8566c357f42e4e6f442564c63c376540b4e4d0ee72d38f83a3de84a83931a6ce
49d393dd5011f729861bba497ebc7a0fc1312dff59820659e922bf109dd66ac3
84f201911eea13e0a46afa437f7a5942a1d70afab17edcb4fe65680d1599f602
SH256 hash:
d0c09c00990cc693789f83e8dfb4d3e7db62a583d246cea22b2c6bb3a2c3e6f0
MD5 hash:
1d1f1db339f3a24f0d36c55f73170823
SHA1 hash:
fc05a397204075db47095fd79c551c1a0c49e1c6
Link:
https://www.unpac.me/results/a4ceb964-7959-477e-b85f-8fd9d5c8fad3/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0c09c00990c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0c09c00990cc693789f83e8dfb4d3e7db62a583d246cea22b2c6bb3a2c3e6f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/374405/

Comments