MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2182bd67553bff631bb93f7a016163c7cb82485cf9614bf566c9b49e821b158. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2182bd67553bff631bb93f7a016163c7cb82485cf9614bf566c9b49e821b158
SHA3-384 hash: 6b99829331ab74620218af7608d89348b347a7bc7177c2fb5bf2a6fbeafe53e4813a8370076c56b831c21140182fdd78
SHA1 hash: ad2e5d9f525909ead63b561202391e6abdd59483
MD5 hash: 050902ef3cb5d1ad0f03b11c767b6555
humanhash: item-king-nebraska-six
File name:050902ef3cb5d1ad0f03b11c767b6555.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:220'160 bytes
First seen:2021-09-21 13:31:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 671b36eaed947d2e663f25178077764c (3 x Stop, 1 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 3072:MxS5xkv/nEQQQQiPYDLTT7rHIU579m9TcgNl0Xidn1Av5IxAwjtqAGM:MDXnbPYPou9ATvWidnShBwjtw
Threatray 5'867 similar samples on MalwareBazaar
TLSH T1AD24BE4035D0CAB9D69311305B64DBE026BAFCB1596087877B96376EEF302C077AE35A
File icon (PE):PE icon
dhash icon 327e7c7d727e6e76 (14 x RedLineStealer, 13 x RaccoonStealer, 3 x Stop)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
394
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
050902ef3cb5d1ad0f03b11c767b6555.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-21 13:35:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f98da0c1-6c10-469d-b073-8d2fa35c3636

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189884/
Detection(s):
Win.Packed.Generic-9895572-0
Create hunting rule

Win.Packed.Generic-9895679-0
Create hunting rule

Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc95d89a-298b-47ba-9f47-17994e9a69dd
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854984
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487424 Sample: X9CNruvUZm.exe Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 54 kevonahira2.top 2->54 56 clientconfig.passport.net 2->56 58 api.ip.sb 2->58 78 Multi AV Scanner detection for submitted file 2->78 80 Yara detected SmokeLoader 2->80 82 Yara detected RedLine Stealer 2->82 84 3 other signatures 2->84 10 X9CNruvUZm.exe 2->10         started        13 siguded 2->13         started        15 siguded 2->15         started        signatures3 process4 signatures5 90 Detected unpacking (changes PE section rights) 10->90 92 Contains functionality to inject code into remote processes 10->92 94 Injects a PE file into a foreign processes 10->94 17 X9CNruvUZm.exe 10->17         started        96 Multi AV Scanner detection for dropped file 13->96 20 siguded 13->20         started        22 siguded 15->22         started        process6 signatures7 70 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->70 72 Maps a DLL or memory area into another process 17->72 74 Checks if the current machine is a virtual machine (disk enumeration) 17->74 24 explorer.exe 6 17->24 injected 76 Creates a thread in another existing process (thread injection) 20->76 process8 dnsIp9 64 kevonahira2.top 194.87.234.157, 49771, 49772, 49773 MTW-ASRU Russian Federation 24->64 66 216.128.137.31, 80 AS-CHOOPAUS United States 24->66 68 3 other IPs or domains 24->68 46 C:\Users\user\AppData\Roaming\siguded, PE32 24->46 dropped 48 C:\Users\user\AppData\Local\Temp\FE0C.exe, PE32 24->48 dropped 50 C:\Users\user\AppData\Local\Temp\BB6F.exe, PE32 24->50 dropped 52 C:\Users\user\...\siguded:Zone.Identifier, ASCII 24->52 dropped 98 System process connects to network (likely due to code injection or exploit) 24->98 100 Benign windows process drops PE files 24->100 102 Deletes itself after installation 24->102 104 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->104 29 BB6F.exe 2 24->29         started        32 1001.exe 3 24->32         started        34 FE0C.exe 24->34         started        file10 signatures11 process12 signatures13 106 Antivirus detection for dropped file 29->106 108 Multi AV Scanner detection for dropped file 29->108 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->110 120 2 other signatures 29->120 36 BB6F.exe 15 24 29->36         started        40 conhost.exe 29->40         started        112 Detected unpacking (changes PE section rights) 32->112 114 Query firmware table information (likely to detect VMs) 32->114 116 Tries to detect sandboxes and other dynamic analysis tools (window names) 32->116 122 2 other signatures 32->122 42 conhost.exe 32->42         started        118 Machine Learning detection for dropped file 34->118 44 FE0C.exe 34->44         started        process14 dnsIp15 60 146.70.35.170, 30905, 49824 TENET-1ZA United Kingdom 36->60 62 api.ip.sb 36->62 86 Tries to harvest and steal browser information (history, passwords, etc) 36->86 88 Tries to steal Crypto Currency Wallets 36->88 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2182bd67553bff631bb93f7a016163c7cb82485cf9614bf566c9b49e821b158/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 08:36:57 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4imcxvtvko77mmn3sp32afqwhr6lqjefz6lbjp2wnsnut2bbwfma._file
Verdict:
malicious
Similar samples:
0fb73b5a78afbb7675fcf2e772b1f2c45bb5791973434c2edd18539f611b93c6
Smoke Loader
1eb3574e7faa18d12759034dcc5a26ac90d79badef17cf1a744854d9a9e41cb0
Smoke Loader
4389750bcd2f3b674dd5452cc38d70e6e9dbd09b2acdd8eea0d11de1cbb68b18
Smoke Loader
79d1a0d0bd8b5672374ab7c97365a6b0276efc6755900cdbdcdb77019e69457a
Smoke Loader
9434421e8f743533a557a717bd9fc444b5047c3c73848029762068520ec9fc26
Smoke Loader
9b219f917b2990b8e0ab9a60f9d7b61c281dbef457b20c2b0a1e5e8b1989d74c
Smoke Loader
a4ffe5148767a4349cc43b105357623c0a47f64433a55d0aaed63f3a2a3e4493
Smoke Loader
b5b8be0cd8c49e313fb626534cc7d705ef7591184753faaddcd87e0f74a2cac1
Smoke Loader
e6caab24402f364bef57cd70a56650b7d657d3098e63361de7ddef5539199a66
Smoke Loader
f9a8afdccfeca1e80e4e695cc01a288b9aa7efcbb08a514ea346c9cfa9742cdb
Smoke Loader
+ 5'857 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:installayz botnet:installexe backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/210921-qsyzcshfd7/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://venerynnet1.top/
http://kevonahira2.top/
http://vegangelist3.top/
http://kingriffaele4.top/
http://arakeishant5.top/
146.70.35.170:30905
80.85.137.89:17954
109.234.34.165:35254
Unpacked files
SH256 hash:
61a8d403c777699f36db41e26c95ee6f29ff6cdbc4b3768bd06db2aa6bdfe2f7
MD5 hash:
cfcd9c4378e041fb0d07d607727c024b
SHA1 hash:
7e06773d4a2e07501b171e0187e2997cc7de1dac
Link:
https://www.unpac.me/results/cdc6c317-466b-4e54-ba0a-1a70a189d924/
SH256 hash:
e2182bd67553bff631bb93f7a016163c7cb82485cf9614bf566c9b49e821b158
MD5 hash:
050902ef3cb5d1ad0f03b11c767b6555
SHA1 hash:
ad2e5d9f525909ead63b561202391e6abdd59483
Link:
https://www.unpac.me/results/cdc6c317-466b-4e54-ba0a-1a70a189d924/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2182bd67553bff631bb93f7a016163c7cb82485cf9614bf566c9b49e821b158

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe e2182bd67553bff631bb93f7a016163c7cb82485cf9614bf566c9b49e821b158

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1612961/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189884/

Comments