MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854
SHA3-384 hash: cbb4cbbb34fd5c583f980ef80b831209377f8b0c191e6ffebac13ed4067597282583d86061a7da38b7327489d816da8f
SHA1 hash: 3548a576e212c7924413e58157b697a66a2d0077
MD5 hash: cdcaae5709190ead7b126d3f06456d9f
humanhash: early-march-johnny-virginia
File name:cdcaae5709190ead7b126d3f06456d9f.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:332'800 bytes
First seen:2021-07-27 15:28:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cd8b6907b5cf87baf066346ab3baafdd (2 x RedLineStealer, 1 x DanaBot, 1 x Smoke Loader)
ssdeep 6144:oVFzlJyKsUnXQx5E8bBDDs9OwwI04c3Jr0MEfVc8NmivV7HKU:2/9sUnXqi8bBDIO1IpwNXqJtb
Threatray 2'481 similar samples on MalwareBazaar
TLSH T154649C20BAA0C435F6B212F84579937DA5397EB0A73451CF62E03EEE46346E5AC31B53
dhash icon ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cdcaae5709190ead7b126d3f06456d9f.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-27 15:31:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c60b242-8a90-4d71-9dcb-e95840f2b3cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174398/
Detection(s):
Win.Packed.Generic-9881388-0
Create hunting rule

Win.Packed.Generic-9881389-0
Create hunting rule

Win.Packed.Generic-9881403-0
Create hunting rule

Win.Packed.Raccoon-9881528-0
Create hunting rule

Win.Packed.Raccoon-9881377-1
Create hunting rule

Win.Packed.Mokes-9881731-0
Create hunting rule

Win.Packed.Mokes-9881739-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Searching for analyzing tools
Searching for the window
Connection attempt
Sending an HTTP POST request
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be327b4b-8e2e-4cd5-a333-01583faa9f2c
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822629
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455043 Sample: hy7pOckn2v.exe Startdate: 27/07/2021 Architecture: WINDOWS Score: 100 84 mx3.hotmail.com 2->84 86 telete.in 195.201.225.248, 443, 49745 HETZNER-ASDE Germany 2->86 88 22 other IPs or domains 2->88 136 Malicious sample detected (through community Yara rule) 2->136 138 Antivirus detection for URL or domain 2->138 140 Multi AV Scanner detection for submitted file 2->140 144 18 other signatures 2->144 11 hy7pOckn2v.exe 2->11         started        14 aghttgd 2->14         started        16 svchost.exe 2->16         started        18 11 other processes 2->18 signatures3 142 Tries to resolve many domain names, but no domain seems valid 84->142 process4 dnsIp5 154 Detected unpacking (changes PE section rights) 11->154 156 Contains functionality to inject code into remote processes 11->156 158 Injects a PE file into a foreign processes 11->158 21 hy7pOckn2v.exe 11->21         started        24 aghttgd 14->24         started        160 Changes security center settings (notifications, updates, antivirus, firewall) 16->160 90 127.0.0.1 unknown unknown 18->90 signatures6 process7 signatures8 146 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->146 148 Maps a DLL or memory area into another process 21->148 150 Checks if the current machine is a virtual machine (disk enumeration) 21->150 26 explorer.exe 28 21->26 injected 152 Creates a thread in another existing process (thread injection) 24->152 process9 dnsIp10 92 readinglistforjuly9.xyz 26->92 94 readinglistforjuly8.xyz 26->94 96 13 other IPs or domains 26->96 76 C:\Users\user\AppData\Roaming\aghttgd, PE32 26->76 dropped 78 C:\Users\user\AppData\Local\Temp\FE9F.exe, PE32 26->78 dropped 80 C:\Users\user\AppData\Local\Temp\DA0F.exe, PE32 26->80 dropped 82 11 other files (10 malicious) 26->82 dropped 162 System process connects to network (likely due to code injection or exploit) 26->162 164 Benign windows process drops PE files 26->164 166 Performs DNS queries to domains with low reputation 26->166 170 2 other signatures 26->170 31 AC23.exe 95 26->31         started        36 9F11.exe 2 26->36         started        38 B51C.exe 26->38         started        40 6 other processes 26->40 file11 168 Tries to resolve many domain names, but no domain seems valid 94->168 signatures12 process13 dnsIp14 98 xeronxikxxx.tumblr.com 31->98 100 116.202.183.50, 49741, 80 HETZNER-ASDE Germany 31->100 102 xeronxikxxx.tumblr.com 74.114.154.22, 443, 49738 AUTOMATTICUS Canada 31->102 62 C:\Users\user\AppData\Local\...\Reds[1].exe, PE32 31->62 dropped 64 C:\ProgramData\1E1H3A13RJP7HHQJ.exe, PE32 31->64 dropped 66 C:\...\1E1H3A13RJP7HHQJ.exe:Zone.Identifier, ASCII 31->66 dropped 74 12 other files (none is malicious) 31->74 dropped 110 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->110 112 Creates files in alternative data streams (ADS) 31->112 114 Machine Learning detection for dropped file 31->114 128 2 other signatures 31->128 68 C:\Users\user\AppData\Local\...\bksqjloo.exe, PE32 36->68 dropped 116 Detected unpacking (changes PE section rights) 36->116 118 Detected unpacking (overwrites its own PE header) 36->118 130 2 other signatures 36->130 42 cmd.exe 36->42         started        44 cmd.exe 36->44         started        46 sc.exe 36->46         started        50 2 other processes 36->50 120 Query firmware table information (likely to detect VMs) 38->120 122 Tries to detect sandboxes and other dynamic analysis tools (window names) 38->122 132 2 other signatures 38->132 48 conhost.exe 38->48         started        104 www.geodatatool.com 158.69.65.151, 443, 49739, 49740 OVHFR Canada 40->104 106 iplogger.org 88.99.66.31, 443, 49743, 49744 HETZNER-ASDE Germany 40->106 108 geoiptool.com 40->108 70 C:\Users\user\AppData\...\2_protected.exe, PE32+ 40->70 dropped 72 C:\Users\user\AppData\...\1_protected.exe, PE32+ 40->72 dropped 124 May check the online IP address of the machine 40->124 134 2 other signatures 40->134 file15 126 Tries to resolve many domain names, but no domain seems valid 98->126 signatures16 process17 process18 52 conhost.exe 42->52         started        54 conhost.exe 44->54         started        56 conhost.exe 46->56         started        58 conhost.exe 50->58         started        60 conhost.exe 50->60         started       
Gathering data
Threat name:
Win32.Trojan.Hynamer
Create hunting rule
Status:
Malicious
First seen:
2021-07-26 18:33:18 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ocjsrxlfxjku27lzxnta5i2jkm3ybpokai5wp2qqhps7fykdbka._file
Verdict:
suspicious
Similar samples:
0e3e6cf4f7fcc5367f2ffa78947973a92b69d8aaca5fdaa5a01ff786003470a8
Smoke Loader
201f2b8cd0d15399da2d0b98ff9b7d50d515deeea3f9435062b4b0a4548b0082
Smoke Loader
79894af8bd699d14ae712c0a8c8ce0e5e613c462ec7d2f29b5541ca87b9d397c
Smoke Loader
d317f4c95d2c1e6a7147538d0a3a343e8bfbfbd175dcfbb3d3b1672dc0aca8d2
Smoke Loader
efb3c9f650a8178b7a20476b6456707a9c0b3aeead9ef4af7cc12dd0f9d6cee4
Smoke Loader
f47560806cc02ef4c609e43a06b3c7230f6f9c6117d9ec7819535f152070df3c
Smoke Loader
fa1409fe184c11483708f197504246fb15ae88942e1b18a9266e0d0f4dca8290
Smoke Loader
fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2
Smoke Loader
+ 2'471 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:828 botnet:@gromov1337 botnet:pro2 backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210727-9sqg61bxje/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
xmrig
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
https://xeronxikxxx.tumblr.com/
95.217.122.120:8374
95.215.207.185:64399
Unpacked files
SH256 hash:
d065c8a41c2287cb3ed4fd55a1a76c13995937723c7b44cf6d4763a15dea89c1
MD5 hash:
3c9f95cbbd5f3e4ee70435e06de00ddf
SHA1 hash:
7dee35214654080e76fc275eedd5c2d7b1e1453d
Link:
https://www.unpac.me/results/ac01acfe-dde5-44da-b862-20503d4a38dc/
SH256 hash:
d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854
MD5 hash:
cdcaae5709190ead7b126d3f06456d9f
SHA1 hash:
3548a576e212c7924413e58157b697a66a2d0077
Link:
https://www.unpac.me/results/ac01acfe-dde5-44da-b862-20503d4a38dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe d3849946eb2dd2aa6bebcddb30751a4a99bc05ee5011db3f5081df2f970a1854

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1476557/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174398/

Comments