MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd
SHA3-384 hash: 72a84dd97d5afab15359cb8f53af3f942686eeb9997631fdb83c32bcc9310a9b34f4700bb79aa4c5296691329927474e
SHA1 hash: 06dff415d576c5c91c72fa821caed6059d9abdc7
MD5 hash: 2a838bb8b42d0fe72bb89b3129603e01
humanhash: bravo-gee-foxtrot-texas
File name:SecuriteInfo.com.Mal.GandCrypt-A.4160.29287
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:180'224 bytes
First seen:2021-03-31 14:36:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baf6552e1c7923d039841ba11b7a0d4e (4 x RedLineStealer, 1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep 3072:yHjdVcceaCsXa9o/Lsa37RVaIt998CAUz124NWO/0CR0Cc:0dmcIs2o/LsORVRzQ4NR0i
Threatray 569 similar samples on MalwareBazaar
TLSH 34049D00B6E5C473E1961A740820D6A65936FCB19F349ACB7B943F7E5E362D18A37383
Reporter SecuriteInfoCom
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Mal.GandCrypt-A.4160.29287
Verdict:
No threats detected
Analysis date:
2021-03-31 14:40:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a5841349-9b08-42c2-92d7-93fd3c97a6b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129417/
Detection(s):
SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending a UDP request
Creating a file in the %temp% directory
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu RedLine Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660517
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Djvu Ransomware
Yara detected RedLine Stealer
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 379188 Sample: SecuriteInfo.com.Mal.GandCr... Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 94 79.52.17.84.in-addr.arpa 2->94 96 www.google.ru 2->96 98 10 other IPs or domains 2->98 124 Antivirus detection for URL or domain 2->124 126 Multi AV Scanner detection for submitted file 2->126 128 Found ransom note / readme 2->128 130 8 other signatures 2->130 10 SecuriteInfo.com.Mal.GandCrypt-A.4160.exe 1 2->10         started        13 206A.exe 19 2->13         started        17 uwubigu 1 2->17         started        19 5 other processes 2->19 signatures3 process4 dnsIp5 140 Detected unpacking (changes PE section rights) 10->140 142 Renames NTDLL to bypass HIPS 10->142 144 Maps a DLL or memory area into another process 10->144 21 explorer.exe 3 10 10->21 injected 116 jfas.top 13->116 118 api.2ip.ua 13->118 84 C:\_readme.txt, ASCII 13->84 dropped 86 C:\Users\user\Desktop\...\WUTJSCBCFX.docx, data 13->86 dropped 88 C:\Users\user\Desktop\KZWFNRXYKI.jpg, data 13->88 dropped 92 2 other files (1 malicious) 13->92 dropped 146 Multi AV Scanner detection for dropped file 13->146 148 Detected unpacking (overwrites its own PE header) 13->148 150 Machine Learning detection for dropped file 13->150 152 Modifies existing user documents (likely ransomware behavior) 13->152 90 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 17->90 dropped 154 Checks if the current machine is a virtual machine (disk enumeration) 17->154 156 Creates a thread in another existing process (thread injection) 17->156 120 192.168.2.1 unknown unknown 19->120 158 Injects a PE file into a foreign processes 19->158 file6 signatures7 process8 dnsIp9 100 91.203.5.155, 49756, 80 VOLIA-ASUA Ukraine 21->100 102 junntd.xyz 37.75.52.162, 49731, 49752, 80 VFM-ASVodafoneMaltaLtdASMT Malta 21->102 104 9 other IPs or domains 21->104 64 C:\Users\user\AppData\Roaming\uwubigu, PE32 21->64 dropped 66 C:\Users\user\AppData\Local\Temp\4990.exe, PE32 21->66 dropped 68 C:\Users\user\AppData\Local\Temp\3F3E.exe, PE32 21->68 dropped 70 3 other malicious files 21->70 dropped 132 System process connects to network (likely due to code injection or exploit) 21->132 134 Benign windows process drops PE files 21->134 136 Deletes itself after installation 21->136 138 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->138 26 2EB3.exe 85 21->26         started        31 3F3E.exe 21->31         started        33 621A.exe 21->33         started        35 4 other processes 21->35 file10 signatures11 process12 dnsIp13 106 static.parafia-strumiany.pl 104.244.76.207, 49762, 80 PONYNETUS United States 26->106 108 api.faceit.com 104.17.63.50, 443, 49760 CLOUDFLARENETUS United States 26->108 72 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 26->72 dropped 74 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 26->74 dropped 76 C:\Users\user\AppData\...\softokn3[1].dll, PE32 26->76 dropped 82 9 other files (none is malicious) 26->82 dropped 160 Detected unpacking (changes PE section rights) 26->160 162 Detected unpacking (overwrites its own PE header) 26->162 164 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->164 178 3 other signatures 26->178 37 cmd.exe 26->37         started        78 C:\Users\user\AppData\Local\...\xgafxwrn.exe, PE32 31->78 dropped 166 Machine Learning detection for dropped file 31->166 168 Uses netsh to modify the Windows network and firewall settings 31->168 170 Modifies the windows firewall 31->170 39 cmd.exe 31->39         started        41 cmd.exe 31->41         started        43 sc.exe 31->43         started        50 3 other processes 31->50 110 api.ip.sb 33->110 112 umbrelladownload.uno 91.214.124.137, 40355, 49797, 49802 VPSSC-ASUA Ukraine 33->112 172 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->172 174 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->174 176 Tries to harvest and steal browser information (history, passwords, etc) 33->176 114 api.2ip.ua 77.123.139.190, 443, 49745, 49754 VOLIA-ASUA Ukraine 35->114 80 C:\Users\user\AppData\Local\...\206A.exe, PE32 35->80 dropped 45 206A.exe 13 35->45         started        48 icacls.exe 35->48         started        file14 signatures15 process16 dnsIp17 52 conhost.exe 39->52         started        54 conhost.exe 41->54         started        56 conhost.exe 43->56         started        122 api.2ip.ua 45->122 58 conhost.exe 50->58         started        60 conhost.exe 50->60         started        62 conhost.exe 50->62         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd/
Threat name:
Win32.Trojan.Ranumbot
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 14:37:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03d92e1238fcdb64e522bad8b8c152d85de2036a6aedf152e5c3bf24d3017d07
Smoke Loader
1c88f5a9499a54522c8338fb93c326debeb890fb08251ce29fcf19ae7441d11c
Smoke Loader
73188b6122dcf35a0d26fedf3679c9713e6f21ccf78499d8788ed39feb7fdb4a
Smoke Loader
7af76f869eab565b2b7d3ec5f141e5d8cd94551a6b1b31e0d8af7c3ea2b5a7db
Smoke Loader
87cd4125176db45ac6d32ff5979fcaf1d29eeac328323f545326bf0d63400967
Smoke Loader
abdcbcd7837ddda736f49656e7cba74a20d82335063a7c3c3a57058113f686ab
Smoke Loader
addfb046313926c0cfb9e4293f76c408d8e6798e129f1a1043835088c54aa69b
Smoke Loader
d0d946651c56c06d9ca14c32608fe26da018ed117f7d196fb4aef17c63e1de6f
Smoke Loader
deceb572b4fd9c2e2c964ea1a574082a7bb6cc3952ad0c2eaeabe64f20d706fe
Smoke Loader
fb2e2174a3ec526861932043c1aa5b5e62e3abed0bb73e88e495eab66635e758
Smoke Loader
+ 559 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:tofsee family:vidar backdoor bootkit discovery evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/210331-8j1mr53f7j/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
themida
Creates new service(s)
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Vidar
Malware Config
C2 Extraction:
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Unpacked files
SH256 hash:
9182f5904e7eba21a624a9773b407b91b3ce62fe468eb2f08900097a2c11c736
MD5 hash:
83214661ec613049f6ac027885953f70
SHA1 hash:
48771dca71cded7df146802801f4c09b8fd0fd3b
Link:
https://www.unpac.me/results/0c81d43e-dda7-4c27-b639-8f14de974319/
SH256 hash:
d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd
MD5 hash:
2a838bb8b42d0fe72bb89b3129603e01
SHA1 hash:
06dff415d576c5c91c72fa821caed6059d9abdc7
Link:
https://www.unpac.me/results/0c81d43e-dda7-4c27-b639-8f14de974319/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/129417/

Comments