MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc99c52dc9e81adde22cc958053e11bd63605cb90953d86d75a9896d585a17a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	dc99c52dc9e81adde22cc958053e11bd63605cb90953d86d75a9896d585a17a0
SHA3-384 hash:	20c144d6c52680675ab65d075218a59057a8f7a0d5ea7f39ec0d8dc7b8820949425c42683edc8233586a16e93346fbbb
SHA1 hash:	51e445724b8f9d5587b8158ad3db421ff5116cde
MD5 hash:	d72f175456ff83f6ada507bb5903fb00
humanhash:	football-six-arkansas-mississippi
File name:	d72f175456ff83f6ada507bb5903fb00.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	198'144 bytes
First seen:	2021-08-16 15:39:17 UTC
Last seen:	2021-08-16 16:59:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	32eca4427f106c548c06ec4f87d7efd7 (4 x Smoke Loader, 1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep	3072:BnO59tS1XiKO2vzu5ArBN8PR3QuKT0yB3edoMZ6P3p:Bh1XvBv7lFMAP3
Threatray	5'322 similar samples on MalwareBazaar
TLSH	T19714C021F9A0D5F3F4D6013804A2FAE05AA8FD75E650065B27983E9F5F703E0563A39E
dhash icon	10367878727e7636 (8 x RaccoonStealer, 4 x Smoke Loader, 2 x DanaBot)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d72f175456ff83f6ada507bb5903fb00.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-16 15:40:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/98410d09-7b65-4c4e-a7af-24bf41dd6c6e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

zeus

Link:

https://www.capesandbox.com/analysis/179608/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.18163.9089.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Connection attempt to an infection source

Creating a process from a recently created file

Unauthorized injection to a recently created process

Query of malicious DNS domain

Unauthorized injection to a recently created process by context flags manipulation

Deleting of the original file

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b725a94f-6c01-497c-8875-36b0bf4b2024

Result

Threat name:

Raccoon RedLine SmokeLoader

Detection:

malicious

Classification:

bank.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/833679

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if browser processes are running

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to resolve many domain names, but no domain seems valid

Tries to steal Mail credentials (via file access)

Uses known network protocols on non-standard ports

Yara detected Raccoon Stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dc99c52dc9e81adde22cc958053e11bd63605cb90953d86d75a9896d585a17a0/

Threat name:

Win32.Backdoor.Mokes

Status:

Malicious

First seen:

2021-08-16 14:59:15 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3sm4kloj5ann3yrmzfmakpqrxvrwaxfzbfj5q3lvvgew2wc2c6qa._file

Verdict:

suspicious

Smoke Loader

33c9743aff75b1eebaef927059a4373de1ed4f8e984735c775cac98c18bdec90

Smoke Loader

39894026621d1c5fabeca0fe3b0ba3fe2e97d99e17d50227ead4ac7c64ee080c

Smoke Loader

663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa

Smoke Loader

a579df463934b191934477803f2045e998e3acca5932492eb4a090cc8857182a

Smoke Loader

ce2fe316faac707fdef9aed79c1eb348f74a538fb5617ceea0a003b964c146e4

Smoke Loader

e545972e3e71fb03424e4a4e00144be6d67b1c92ca8c34608725cf10ffe944bf

Smoke Loader

eaa52f460d64093ebcf267e2fa4ebe342b31ee442127afe065892b790409eb33

Smoke Loader

fd58afa96d56df9d4bb20955601fc4b7e379b9964eccf31cb1904252f709dbc7

Smoke Loader

+ 5'312 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor suricata trojan

Link:

https://tria.ge/reports/210816-z5bc9cybh6/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Malware Config

C2 Extraction:

http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/