MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9138283041d58f85b1e3a19e450bd26e8dac1df4e1a5a9df44fd7b7ec9ac06a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9138283041d58f85b1e3a19e450bd26e8dac1df4e1a5a9df44fd7b7ec9ac06a
SHA3-384 hash: be0cc942f201d5122e021a9a06d699e7e3d902f3386798d1f5caa5870c7c9e959787519c45396e463a7c7c08e1afb760
SHA1 hash: f42a7a36d0a9fbaa450c7312b5c4efd33b26ccbf
MD5 hash: 529e92c9a78553d4fe2bf54549320a63
humanhash: king-floor-salami-april
File name:SecuriteInfo.com.Trojan.Win32.RedLine.RDAC.MTB.26407.26321
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:5'175'816 bytes
First seen:2023-02-17 17:41:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b0a438491df559e2ae875aca71787ff8 (4 x RedLineStealer, 1 x Amadey, 1 x Smoke Loader)
ssdeep 98304:q8DHRN3EqJHIOgX5c6Voph+KeVpUkRksrDUnX7+7aVJtBXSfBF:NUMHyX5mh+Dfss8nXq7aVK
Threatray 7'650 similar samples on MalwareBazaar
TLSH T19936233313294005E0E98839CD2B7EB535FB1F3B8BC298787596B9C629716F1E51BA43
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0f06cc8a0a0c8c8 (1 x Smoke Loader, 1 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe signed Smoke Loader

Code Signing Certificate

Organisation:HDD`WOW Toshiba SATA-III 12Tb HDWG460EZSTA N300 (7200rpm) 1504~Mb 1.5 Rtl
Issuer:HDD`WOW Toshiba SATA-III 12Tb HDWG460EZSTA N300 (7200rpm) 1504~Mb 1.5 Rtl
Algorithm:sha1WithRSAEncryption
Valid from:2023-02-15T10:42:31Z
Valid to:2033-02-16T10:42:31Z
Serial number: 15c3d805caccf98b4219f716f407c251
Thumbprint Algorithm:SHA256
Thumbprint: 11994d4862548f30fc19fffecebfd8ea661cae55b640f2e7d49d31a401a387ee
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://pp.webmobile.ma/download/File_pass1234.zip
Verdict:
Malicious activity
Analysis date:
2023-02-17 13:32:46 UTC
Tags:
evasion opendir loader trojan rat redline stealer vidar
Link:
https://app.any.run/tasks/30214be0-9cc8-40cc-9d15-c91712b9317b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/367773/
Detection(s):
SecuriteInfo.com.Trojan.Win32.RedLine.RDAC.MTB.26407.26321.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
DNS request
Replacing files
Sending a custom TCP request
Sending an HTTP GET request
Launching a service
Reading critical registry keys
Launching a process
Creating a file
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Blocking the Windows Defender launch
Query of malicious DNS domain
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63efbc6b01064cfb16683c6e/reports/daa55ec1-b86e-4c3f-9811-b33f62a0e935/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d9138283041d58f85b1e3a19e450bd26e8dac1df4e1a5a9df44fd7b7ec9ac06a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea844d7d-7a2b-44e1-9fa1-0ad6fc120792
Result
Threat name:
Amadey, Glupteba, Nymaim, PrivateLoader,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1178178
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Glupteba
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 811004 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 17/02/2023 Architecture: WINDOWS Score: 100 146 45.12.253.98 CMCSUS Germany 2->146 182 Malicious sample detected (through community Yara rule) 2->182 184 Antivirus detection for URL or domain 2->184 186 Multi AV Scanner detection for dropped file 2->186 188 22 other signatures 2->188 11 SecuriteInfo.com.Trojan.Win32.RedLine.RDAC.MTB.26407.26321.exe 10 49 2->11         started        16 svchost.exe 1 2->16         started        18 svchost.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 174 87.240.132.67 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 11->174 176 87.240.137.140 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 11->176 180 18 other IPs or domains 11->180 138 C:\Users\...\sQIxd4JW8RHyN9owrdGCGoTb.exe, PE32 11->138 dropped 140 C:\Users\...\oaB9z0ftBNzaq15yUnaapIrG.exe, PE32 11->140 dropped 142 C:\Users\...\oO7KZf2KP5wMli0Q1XWs1tGh.exe, PE32 11->142 dropped 144 21 other malicious files 11->144 dropped 220 Creates HTML files with .exe extension (expired dropper behavior) 11->220 222 Disables Windows Defender (deletes autostart) 11->222 224 Modifies Group Policy settings 11->224 228 2 other signatures 11->228 22 oO7KZf2KP5wMli0Q1XWs1tGh.exe 17 11->22         started        26 oaB9z0ftBNzaq15yUnaapIrG.exe 2 11->26         started        29 6fLWL0O9TqXTbu31pH7J2iA7.exe 11->29         started        35 10 other processes 11->35 178 40.127.240.158 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->178 226 Query firmware table information (likely to detect VMs) 16->226 31 WerFault.exe 18->31         started        33 WerFault.exe 18->33         started        file6 signatures7 process8 dnsIp9 154 149.154.167.99 TELEGRAMRU United Kingdom 22->154 156 192.168.2.1 unknown unknown 22->156 112 C:\Users\...\J6m9HKEhsCoYr5q1DuizWpRy.exe, PE32 22->112 dropped 128 2 other malicious files 22->128 dropped 37 J6m9HKEhsCoYr5q1DuizWpRy.exe 22->37         started        114 C:\Users\...\oaB9z0ftBNzaq15yUnaapIrG.tmp, PE32 26->114 dropped 208 Obfuscated command line found 26->208 42 oaB9z0ftBNzaq15yUnaapIrG.tmp 26->42         started        116 C:\Windows\Temp\321.exe, PE32 29->116 dropped 118 C:\Windows\Temp\123.exe, PE32 29->118 dropped 44 321.exe 29->44         started        46 123.exe 29->46         started        158 157.240.253.35 FACEBOOKUS United States 35->158 160 45.66.159.142 ENZUINC-US Russian Federation 35->160 120 C:\Users\user\AppData\Local\...\gwG13Ee.exe, PE32 35->120 dropped 122 C:\Users\user\AppData\Local\...\fpl9898.exe, PE32+ 35->122 dropped 124 C:\Users\user\AppData\Local\...\Install.exe, PE32 35->124 dropped 126 C:\Users\user\AppData\Local\...\4567546.dll, PE32 35->126 dropped 210 Query firmware table information (likely to detect VMs) 35->210 212 Writes to foreign memory regions 35->212 214 Allocates memory in foreign processes 35->214 216 3 other signatures 35->216 48 gwG13Ee.exe 35->48         started        50 Install.exe 35->50         started        52 explorer.exe 35->52 injected 54 jp0X6hbcTuwehhowo11tLXNr.exe 35->54         started        file10 signatures11 process12 dnsIp13 148 87.240.132.72 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 37->148 150 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 37->150 152 6 other IPs or domains 37->152 94 C:\Users\...\wsDqdw_ZoPvyKhM_la0vwMG2.exe, PE32 37->94 dropped 96 C:\Users\...\q6FyngfCvgtnP_mz2CusdlO2.exe, PE32 37->96 dropped 98 C:\Users\...\hnRZFguEmemB8MVyr5p75YGj.exe, PE32+ 37->98 dropped 106 16 other malicious files 37->106 dropped 190 Multi AV Scanner detection for dropped file 37->190 192 Creates HTML files with .exe extension (expired dropper behavior) 37->192 194 Disables Windows Defender (deletes autostart) 37->194 202 2 other signatures 37->202 100 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->100 dropped 102 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 42->102 dropped 108 8 other files (7 malicious) 42->108 dropped 56 FRec217.exe 42->56         started        196 Writes to foreign memory regions 44->196 198 Allocates memory in foreign processes 44->198 200 Injects a PE file into a foreign processes 44->200 60 vbc.exe 44->60         started        63 WerFault.exe 44->63         started        65 conhost.exe 44->65         started        67 WerFault.exe 46->67         started        75 2 other processes 46->75 110 2 other malicious files 48->110 dropped 69 gxs78Gp.exe 48->69         started        104 C:\Users\user\AppData\Local\...\Install.exe, PE32 50->104 dropped 71 Install.exe 50->71         started        73 rundll32.exe 52->73         started        file14 signatures15 process16 dnsIp17 162 45.12.253.56 CMCSUS Germany 56->162 164 45.12.253.72 CMCSUS Germany 56->164 166 45.12.253.75 CMCSUS Germany 56->166 130 C:\Users\user\AppData\...\wVzM7dXxehL.exe, PE32 56->130 dropped 77 wVzM7dXxehL.exe 56->77         started        168 65.21.213.208 CP-ASDE United States 60->168 218 Tries to harvest and steal browser information (history, passwords, etc) 60->218 80 cmd.exe 60->80         started        170 20.42.73.29 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 63->170 172 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 67->172 132 C:\Users\user\AppData\Local\...\gFU55ON.exe, PE32 69->132 dropped 134 C:\Users\user\AppData\Local\...\cPy2566.exe, PE32 69->134 dropped 82 gFU55ON.exe 69->82         started        136 C:\Users\user\AppData\Local\...\IvpHtma.exe, PE32 71->136 dropped file18 signatures19 process20 file21 230 Multi AV Scanner detection for dropped file 77->230 85 conhost.exe 80->85         started        90 C:\Users\user\AppData\Local\...\bML23qD.exe, PE32 82->90 dropped 92 C:\Users\user\AppData\Local\...\abz25.exe, PE32 82->92 dropped 87 abz25.exe 82->87         started        signatures22 process23 signatures24 204 Multi AV Scanner detection for dropped file 87->204 206 Disable Windows Defender notifications (registry) 87->206
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9138283041d58f85b1e3a19e450bd26e8dac1df4e1a5a9df44fd7b7ec9ac06a/
Threat name:
Win32.Infostealer.PrivateLoader
Create hunting rule
Status:
Malicious
First seen:
2023-02-17 02:52:31 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ejyfayedvmpqwy6him6iuf5e3unvqo7jynfvhpuj7l3p3e2ybva._file
Verdict:
malicious
Similar samples:
053e095aadd84662c18caec141b4dca4f26ad9ac28ba9e82db02ea1aef9eb9b3
Smoke Loader
147b5d6c844bd5f6962ca6ab96a0ce8103eac401ec77a61f3632e14757c199c2
Smoke Loader
39c748040f01c934c73c23f4612cb33a0846219d8dd7ba3e0adbbc9d047027e4
Smoke Loader
3f7646cd60e5f51c13eb35ef9f00d10c66fc309b486498a1978cccc2405d3373
Smoke Loader
c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7
Smoke Loader
d677f86403915b15ab62b1278cc7e6a8f2a98de2ba6a84ee67e06c1ffd696bc1
Smoke Loader
+ 7'640 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader spyware stealer vmprotect
Link:
https://tria.ge/reports/230217-v9zz7sgb3z/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
VMProtect packed file
PrivateLoader
Unpacked files
SH256 hash:
d9138283041d58f85b1e3a19e450bd26e8dac1df4e1a5a9df44fd7b7ec9ac06a
MD5 hash:
529e92c9a78553d4fe2bf54549320a63
SHA1 hash:
f42a7a36d0a9fbaa450c7312b5c4efd33b26ccbf
Link:
https://www.unpac.me/results/25633a31-a2e9-4d71-904d-f85ca504596d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d9138283041d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9138283041d58f85b1e3a19e450bd26e8dac1df4e1a5a9df44fd7b7ec9ac06a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/367773/

Comments