MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7e23283d1389c625db8fd92a4218e4a717a3a62a2db621df3b378be57f13c6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7e23283d1389c625db8fd92a4218e4a717a3a62a2db621df3b378be57f13c6f
SHA3-384 hash: d3dc73e451b049165a3bb0ebc4255c558775d1746e305b8f684dd279ac5df880ef88e6118a72d4df16184a62ab3d6c07
SHA1 hash: 71b9f69b6f6a82ad8fd5eb384410b11c857edca8
MD5 hash: b9805b61b68b929eaca05b8232ae3c1d
humanhash: moon-snake-golf-kitten
File name:JonnyBoi_Loader.ps1
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:462 bytes
First seen:2022-09-06 17:44:42 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:s8AdjL+yT27L87HGrdvhIW+4MRHF7vQnD5j+CrBicIM+yn:WvT27LmGrdB+4MRHF7vmD4GB5/n
Threatray 5'619 similar samples on MalwareBazaar
TLSH T182F0DC134CD15120C218C69FF45EC30744E6ED0CF8DAB0D0F8E08C07EC02009A9BDC10
Reporter Anonymous
Tags:ps1 Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.4202.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/631787652916aa42941642a5/reports/37ac999c-1d0e-431c-a9a4-c45faf5e5aea/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065895
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Powershell drops PE file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 698421 Sample: JonnyBoi_Loader.ps1 Startdate: 06/09/2022 Architecture: WINDOWS Score: 100 66 t.me 2->66 84 Snort IDS alert for network traffic 2->84 86 Multi AV Scanner detection for domain / URL 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 5 other signatures 2->90 10 powershell.exe 14 22 2->10         started        15 gsrcbwg 2->15         started        signatures3 process4 dnsIp5 68 85.192.63.184, 49707, 80 LINEGROUP-ASRU Russian Federation 10->68 56 C:\s.exe, PE32 10->56 dropped 92 Powershell drops PE file 10->92 17 s.exe 10->17         started        20 powershell.exe 6 10->20         started        22 conhost.exe 10->22         started        24 BackgroundTransferHost.exe 49 10->24         started        94 Machine Learning detection for dropped file 15->94 file6 signatures7 process8 signatures9 76 Detected unpacking (changes PE section rights) 17->76 78 Machine Learning detection for dropped file 17->78 80 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->80 82 3 other signatures 17->82 26 explorer.exe 14 17->26 injected process10 dnsIp11 70 www.vispavolley.net 46.252.151.147, 443, 49745, 49749 ASSUPERNOVAIT Italy 26->70 72 ojinsei.com 178.20.42.96, 49719, 49720, 49721 ASN-FRWInternetServiceProviderIT Russian Federation 26->72 74 qeextension.com 85.187.128.60, 443, 49722, 49725 A2HOSTINGUS United States 26->74 58 C:\Users\user\AppData\Roaming\gsrcbwg, PE32 26->58 dropped 60 C:\Users\user\AppData\Local\Temp\9115.exe, PE32 26->60 dropped 62 C:\Users\user\AppData\Local\Temp\8491.exe, PE32 26->62 dropped 64 4 other files (3 malicious) 26->64 dropped 96 System process connects to network (likely due to code injection or exploit) 26->96 98 Benign windows process drops PE files 26->98 100 Injects code into the Windows Explorer (explorer.exe) 26->100 102 2 other signatures 26->102 31 312E.exe 1 26->31         started        34 4321.exe 1 26->34         started        36 56AA.exe 1 26->36         started        38 4 other processes 26->38 file12 signatures13 process14 signatures15 104 Machine Learning detection for dropped file 31->104 106 Contains functionality to inject code into remote processes 31->106 108 Writes to foreign memory regions 31->108 40 conhost.exe 31->40         started        42 AppLaunch.exe 31->42         started        110 Allocates memory in foreign processes 34->110 112 Injects a PE file into a foreign processes 34->112 44 conhost.exe 34->44         started        46 AppLaunch.exe 34->46         started        48 conhost.exe 36->48         started        50 conhost.exe 38->50         started        52 conhost.exe 38->52         started        54 conhost.exe 38->54         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7e23283d1389c625db8fd92a4218e4a717a3a62a2db621df3b378be57f13c6f/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 17:45:07 UTC
File Type:
Text (PowerShell)
AV detection:
4 of 26 (15.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=27rdfa6rhcogexny7wjkiimojjyxuotculnwehptwn4l4v7rhrxq._file
Verdict:
malicious
Similar samples:
0415805018d38301c22d1fbb3c706139e9741c9dd9b7f0ee48305472642bbe93
Smoke Loader
12d0f4e279c8b87d94fba44d8e4a85c553cd96b90256716bd98096ca4c2ba359
Smoke Loader
2c440478968af666a120debc6d82a54a731ba91ac3f9b160eb356c9b52104609
Smoke Loader
38499e2889590574aa401acf16f8aba05e693e3da4aa0ac6e71f5d690446d29e
Smoke Loader
3b5adc36b8fd04b224008a8b2fc3770532115de8973d21a0f8b3226df887c1d4
Smoke Loader
3c634ef22177b0460a3f9eda7c0320292604c3ba13029955761ea2b6522d3c1f
Smoke Loader
5c1b807913b1a6b8c14a004a2b1830ccc10c61c3b54b16c32faca280360c805b
Smoke Loader
7a1e4107599b275852d1353c20e84e2cfff2bd25c862d78a13937906a7e3709b
Smoke Loader
a7f8a7823e07753434f6ea1e082c5a8c98f6499acd807a50698cd6832101c105
Smoke Loader
b5aedf88db5ca22f172a80f49264d768d19c0481e12ffd1b653ed01a2d6be104
Smoke Loader
+ 5'609 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:654b3e7f2d409dcde795b5d2dacf4955 botnet:747 botnet:nam5 backdoor infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220906-wbqjjsggf3/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
Raccoon
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
78.153.144.6:2510
103.89.90.61:34589
http://46.249.58.152/
Dropper Extraction:
http://85.192.63.184/s.exe
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d7e23283d138/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7e23283d1389c625db8fd92a4218e4a717a3a62a2db621df3b378be57f13c6f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments