MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d23c6e45bb29e2aba8b63bcd30e7aa86b5069d26c4e4441c1224a524a90fc67a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d23c6e45bb29e2aba8b63bcd30e7aa86b5069d26c4e4441c1224a524a90fc67a
SHA3-384 hash: 4209a31390e0034f148fb520a14a37b377e7d22cc6f78c6eab2f26045629bb8e6d3c7a82554c72793035ee693fad036b
SHA1 hash: 67fafdf89d8a25ba84cb6558056f467b0563885a
MD5 hash: a45784efe5996d70ca57d7b62bf10f3a
humanhash: california-beer-kentucky-pasta
File name:win_setup__621835ee08161.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:6'396'773 bytes
First seen:2022-02-25 02:32:49 UTC
Last seen:2022-04-12 14:16:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:JM9tkOwkMVBEO4Si2fOJPhZUEhlNP629+JDOyo:JM9SPrVdI5LOEhrDMVo
Threatray 6'030 similar samples on MalwareBazaar
TLSH T1475633A57ACA0119E41D9370E5E0E8A204DA0B3E2F54405BBD472B07A7EBD42773DF9E
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adm1n_usa32
Tags:bridmz52-top exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
win_setup__621835ee08161.exe
Verdict:
Malicious activity
Analysis date:
2022-02-25 02:25:36 UTC
Tags:
loader trojan rat redline evasion opendir stealer
Link:
https://app.any.run/tasks/dd0ca421-a7cb-4bc6-9274-adba25e97b10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector03
Create hunting rule
Link:
https://www.capesandbox.com/analysis/244570/
Detection(s):
Win.Dropper.Pswtool-9857487-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Tiny-9901377-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7364/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed racealer shell32.dll
Link:
https://www.filescan.io/uploads/62183fe60cd58dbd92380458/reports/1a1759a8-683d-4f4a-ba9c-d6ceb00310ce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9bba050-fc85-478d-90c4-512ce06a6d51
Result
Threat name:
Cookie Stealer RedLine SmokeLoader gzRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/946150
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected Cookie Stealer
Yara detected gzRat
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 578636 Sample: win_setup__621835ee08161.exe Startdate: 25/02/2022 Architecture: WINDOWS Score: 100 57 185.117.75.191 HSAE Netherlands 2->57 59 duoproc.net 185.18.52.211, 49750, 49754, 80 WORLDSTREAMNL Spain 2->59 61 7 other IPs or domains 2->61 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 24 other signatures 2->73 10 win_setup__621835ee08161.exe 10 2->10         started        signatures3 process4 file5 43 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->43 dropped 13 setup_installer.exe 20 10->13         started        process6 file7 45 C:\Users\user\AppData\...\setup_install.exe, PE32 13->45 dropped 47 C:\Users\...\621835e55c98e_Fri01fe9da870.exe, PE32 13->47 dropped 49 C:\...\621835e45c21c_Fri0141b0cc6969.exe, PE32 13->49 dropped 51 15 other files (9 malicious) 13->51 dropped 16 setup_install.exe 1 13->16         started        process8 signatures9 65 Adds a directory exclusion to Windows Defender 16->65 19 cmd.exe 1 16->19         started        21 cmd.exe 1 16->21         started        23 cmd.exe 1 16->23         started        25 5 other processes 16->25 process10 signatures11 28 621835cbbe0b9_Fri0153014d5.exe 15 4 19->28         started        33 621835cacc770_Fri01eb836dc.exe 1 21->33         started        35 621835cc85d51_Fri014462486eb.exe 23->35         started        75 Adds a directory exclusion to Windows Defender 25->75 77 Disables Windows Defender (via service or powershell) 25->77 37 621835dd0837c_Fri01d4a50c.exe 25->37         started        39 621835cd4c5dd_Fri0118aad72e.exe 25->39         started        41 powershell.exe 26 25->41         started        process12 dnsIp13 63 toptechnewsinc.com 172.67.198.31, 49747, 80 CLOUDFLARENETUS United States 28->63 53 fef05ba3-bc81-426d-9bdf-3b8d95b83715.exe, PE32 28->53 dropped 79 Antivirus detection for dropped file 28->79 81 Multi AV Scanner detection for dropped file 28->81 83 Detected unpacking (changes PE section rights) 28->83 85 Detected unpacking (overwrites its own PE header) 28->85 87 Machine Learning detection for dropped file 33->87 89 Disables Windows Defender (via service or powershell) 33->89 91 Sample uses process hollowing technique 35->91 55 C:\Users\...\621835dd0837c_Fri01d4a50c.tmp, PE32 37->55 dropped 93 Obfuscated command line found 37->93 file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d23c6e45bb29e2aba8b63bcd30e7aa86b5069d26c4e4441c1224a524a90fc67a/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-25 02:34:38 UTC
File Type:
PE (Exe)
Extracted files:
562
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d
Smoke Loader
1d7c3a08d1e69e704039850f64a88363fc6c9f3721907aa3c0d8165ae20de3a1
Smoke Loader
6059bdd4738c812b60b43a1e0ade3099cfad2dfd306e8fa41c30484a9830d38b
Smoke Loader
74c2576ed018b452120e3b82ff97b560754bc7d948e8aa81d3b0b35954411b91
Smoke Loader
7ffeae85c9e4be6675aa85f9fb8883c9a41960de2f7437be9e41288682329b3c
Smoke Loader
c5061cf2961513f91ee1b2c0f50bf8a11928ac068b02ba825b3b0410de507224
Smoke Loader
fe6f9b44e20c4b49f5d0d57e0986627269ed6570e179cfd515ad1bf27cfb4f6f
Smoke Loader
+ 6'020 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:icedid family:onlylogger family:redline family:smokeloader botnet:media24222 campaign:2715004312 aspackv2 backdoor banker infostealer loader spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220225-c1wmbafeal/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger Payload
IcedID, BokBot
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://pjure.at/upload/
http://puffersweiven.com/upload/
http://algrcabel.ru/upload/
http://pelangiqq99.com/upload/
http://elsaunny.com/upload/
http://korphoto.com/upload/
http://hangxachtaythodoan.com/upload/
http://pkodev.net/upload/
http://go-piratia.ru/upload/
http://piratia.su/upload/
92.255.57.154:11841
Unpacked files
SH256 hash:
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash:
83b531c1515044f8241cd9627fbfbe86
SHA1 hash:
d2f7096e18531abb963fc9af7ecc543641570ac8
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
7ce780809c834eadfd03cd9f19245ef3b258d63d712d84afc2b017e01288abb1
MD5 hash:
ab4e365cadf97f131d3f2a9e560c2c96
SHA1 hash:
bdcd0732b2e13ad89ec90e72e19d33dd68912008
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
Parent samples :
fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SH256 hash:
e718a2f50e72d94ee2c9455603d98f67e7705aefc283351c182b5e503d59f6d8
MD5 hash:
5264c8567cf762e7cd37971a88b28a45
SHA1 hash:
ffd23a453665086713bbeccf0029c5b026d4c47e
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
c68a66f557657c75dc436d8d1737711209eee6c371f95d521502c31891c34d9d
MD5 hash:
c39d8f34384a775135cb5fd909dc893c
SHA1 hash:
fa7420c2125d4475c6b9e16845eb5bebd474006f
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
b01a013d362a26756b1f2f839130261385514f4d38b3db9052689e29cd53c0b9
MD5 hash:
7111fcfae8f5d7197149ae83d8f30aab
SHA1 hash:
e985c1eeda48abd371a27bdb6b6bc31e8a875c6a
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
7fe5b7140f072a1ee5100f31b94991fb314cbe29e002c2efb6dfff2affa6e5c2
MD5 hash:
de9b7a4dca201b8186817b7e33985228
SHA1 hash:
8b44f0a787288b6d363db471f56fb6ae59b1a3f5
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
abca3ef4971ea9cf196e429902da91fb3f0db2b502ed8dbe33bee639bb4d0b2c
MD5 hash:
e63b0af4990bdfb854b09570164175e1
SHA1 hash:
2363fd653143e88f92e8bc388d7cc5ed28e66ac2
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
272b0ca6b3897389841923a3e1d355af53e1a54da891e7c4ad440a05cd11ba35
MD5 hash:
185fe2d8258fd367db38fa3801926ac9
SHA1 hash:
08ad1535d76a53b9320a8dac27512712dba6d83d
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash:
4f93004835598b36011104e6f25dbdba
SHA1 hash:
6cb45092356c54f68d26f959e4a05ce80ef28483
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
6ca972b43d38046b25d61c92aaa889e3d7bf4f309f4b92c36efbc352fa4826aa
MD5 hash:
a424d94945c00b4be3f48e66efce48b6
SHA1 hash:
5b93cce8af09eb8347ce40f56af20c4a6df0b279
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
e16f68152fa7be7dd8aff55aeff59ddeae48b4b95e3d3ba33016f65e632a6706
MD5 hash:
a8e7034f8220f722f4aca2edcc9c42eb
SHA1 hash:
656d7d88fffd3820deb1741564807990c3851114
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
4881ef58bea54a28a2161930d9b2dbc8da736b7b313ff1cd1b06d5c8963d1cc3
MD5 hash:
67e41f54ba172049252a1db69a38c81c
SHA1 hash:
367a45679850c457a7bf62169634e59801529164
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
dd9da8532255e09936e7312887c66047bdebf75bc32c981eb8881e15fe02272f
MD5 hash:
41a95eaa33552d0565672da162af235c
SHA1 hash:
e2679a3986238e71092db944e7fa5c8d984240dc
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
bf3eaca95c9110905292acd099628013ab513f3124f3a9906b8e634e0b85c321
MD5 hash:
67d5ca8fae30fa6d4bda07a53d614ee1
SHA1 hash:
8b76c0444a198645cc32645ea12ac83fec8aad80
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
4653815d4291387759a6d160f195af18cb9ef8d7223678131014d9b38f3619f6
MD5 hash:
e11439264258f4d0f2c6deb2c76b1042
SHA1 hash:
06463e91d61e25ebce14093404d92b3139698667
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
d16f099894425697c376675d12bd348c5ee737840ec8b633a851e41b4f00458d
MD5 hash:
fd7c553da4631248ed5d2fd5a5d38d7c
SHA1 hash:
15994f270dcb1c3e34c0bda10547aa6abe73b490
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
SH256 hash:
d23c6e45bb29e2aba8b63bcd30e7aa86b5069d26c4e4441c1224a524a90fc67a
MD5 hash:
a45784efe5996d70ca57d7b62bf10f3a
SHA1 hash:
67fafdf89d8a25ba84cb6558056f467b0563885a
Link:
https://www.unpac.me/results/c29b06aa-88d5-401b-8814-00af9e8295f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d23c6e45bb29e2aba8b63bcd30e7aa86b5069d26c4e4441c1224a524a90fc67a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe d23c6e45bb29e2aba8b63bcd30e7aa86b5069d26c4e4441c1224a524a90fc67a

(this sample)

anyrun
any.run
https://app.any.run/tasks/dd0ca421-a7cb-4bc6-9274-adba25e97b10
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/244570/

Comments