MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac
SHA3-384 hash: 596a2f76c6d70f1e975a8e86445a556507893892978ee6f253547dcca7080ae7ef80e1841d49c81cdb6addf7323634d0
SHA1 hash: 4e6b68d0e7d08a38505a27b11cceedd49db3b32d
MD5 hash: 92d5edc6e361638054987dd3b69d29a4
humanhash: tennessee-princess-quiet-happy
File name:92d5edc6e361638054987dd3b69d29a4.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:260'608 bytes
First seen:2021-07-15 09:33:56 UTC
Last seen:2021-07-15 11:21:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cef53b294a0c62899318fea6dc1dac66 (2 x Smoke Loader, 1 x Loki, 1 x RaccoonStealer)
ssdeep 3072:q/BNm16PaipVynTKzHcV5rMKS4ETVNdzKZ3InUqe5hhuCQzjVa48YNSmE:KU65qKzg5rS4EZN9k3IU8bzZut
Threatray 127 similar samples on MalwareBazaar
TLSH T14244AE1132B0C427CDE209B05475ABA42F3ABD626A70754F26573F1FDE32291B66A387
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
92d5edc6e361638054987dd3b69d29a4.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-15 09:36:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/452185d8-1eb5-49e4-bf39-164f65424c52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector01
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171918/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.32154.16493.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e16e76a4-6826-4103-91e1-7f2daa67227f
Result
Threat name:
Djvu Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816779
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
DLL side loading technique detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Yara detected Djvu Ransomware
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449190 Sample: 6FORhr7lC1.exe Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 77 iplogger.org 2->77 79 fastpool.xyz 2->79 81 11 other IPs or domains 2->81 93 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->93 95 Found malware configuration 2->95 97 Antivirus detection for URL or domain 2->97 101 12 other signatures 2->101 10 6FORhr7lC1.exe 2->10         started        13 rwgttbh 2->13         started        15 svchost.exe 2->15         started        17 9 other processes 2->17 signatures3 99 Tries to resolve many domain names, but no domain seems valid 77->99 process4 dnsIp5 133 DLL reload attack detected 10->133 135 Detected unpacking (changes PE section rights) 10->135 20 6FORhr7lC1.exe 1 10->20         started        137 Contains functionality to inject code into remote processes 13->137 139 Injects a PE file into a foreign processes 13->139 23 rwgttbh 1 13->23         started        141 Changes security center settings (notifications, updates, antivirus, firewall) 15->141 26 MpCmdRun.exe 15->26         started        75 127.0.0.1 unknown unknown 17->75 143 DLL side loading technique detected 17->143 signatures6 process7 file8 103 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->103 105 Renames NTDLL to bypass HIPS 20->105 107 Maps a DLL or memory area into another process 20->107 28 explorer.exe 11 20->28 injected 65 C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32 23->65 dropped 109 Checks if the current machine is a virtual machine (disk enumeration) 23->109 111 Creates a thread in another existing process (thread injection) 23->111 33 conhost.exe 26->33         started        signatures9 process10 dnsIp11 87 999080321yomtest251-service10020125999080321.ru 28->87 89 999080321yirtest231-service10020125999080321.ru 28->89 91 84 other IPs or domains 28->91 67 C:\Users\user\AppData\Roaming\rwgttbh, PE32 28->67 dropped 69 C:\Users\user\AppData\Local\Temp\8089.exe, PE32+ 28->69 dropped 71 C:\Users\user\AppData\Local\Temp\6ED3.exe, PE32 28->71 dropped 73 3 other files (1 malicious) 28->73 dropped 145 System process connects to network (likely due to code injection or exploit) 28->145 147 Benign windows process drops PE files 28->147 149 Performs DNS queries to domains with low reputation 28->149 153 2 other signatures 28->153 35 AF6B.exe 28->35         started        40 6ED3.exe 1 28->40         started        42 8089.exe 2 5 28->42         started        44 3 other processes 28->44 file12 151 Tries to resolve many domain names, but no domain seems valid 89->151 signatures13 process14 dnsIp15 83 telete.in 195.201.225.248, 443, 49727 HETZNER-ASDE Germany 35->83 85 34.89.184.90, 49728, 80 GOOGLEUS United States 35->85 51 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 35->51 dropped 53 C:\Users\user\AppData\...\vcruntime140.dll, PE32 35->53 dropped 55 C:\Users\user\AppData\...\ucrtbase.dll, PE32 35->55 dropped 63 56 other files (none is malicious) 35->63 dropped 113 Detected unpacking (changes PE section rights) 35->113 115 Detected unpacking (overwrites its own PE header) 35->115 117 Tries to steal Mail credentials (via file access) 35->117 119 Tries to harvest and steal browser information (history, passwords, etc) 35->119 57 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 40->57 dropped 121 DLL reload attack detected 40->121 123 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->123 125 Renames NTDLL to bypass HIPS 40->125 131 3 other signatures 40->131 59 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 42->59 dropped 61 C:\Users\user\...\ICSharpCode.SharpZipLib.dll, PE32 42->61 dropped 127 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->127 46 MicrosoftApi.exe 1 5 42->46         started        129 Injects a PE file into a foreign processes 44->129 49 conhost.exe 44->49         started        file16 signatures17 process18 signatures19 155 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 46->155
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac/
Threat name:
Win32.Trojan.Variadic
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 09:35:06 UTC
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4v2ixhayyprgjr3rxcv6kcaf7ydqognulfet2n7ozbxzol6r2wwa._file
Verdict:
malicious
Similar samples:
13cb7156b54db1b9d8ff5c405e9324899cd7ef801bdff04b1155dd9b104f7cdc
Smoke Loader
1b7769f85c3874451b85f83ab1ddc08b0d07fe76f354e0c7b397308894095673
Smoke Loader
2b4e74f6d31e2ce71fa3de3caba5fbf6b070885d43c956aa57deced79e79826b
Smoke Loader
4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
Smoke Loader
5506b7fcbd13ae3049f461b3527242502e4c3f9e1f684cfe5b03ebb3af64366a
Smoke Loader
63761462358e1f880dafe51b3de8036f10bc60354b981cddc8075aed22e1251d
Smoke Loader
6ba57cb21a12212bb988ccfc64bfadb07bc25b332905f3db1b84665c3a5ca5ce
Smoke Loader
ae7ae9ea7fd0100b620704d462083caaedda2c5c5618ceeca54c1d7673b6be4a
Smoke Loader
b45b46943761b574b53d2938b6e6c331d778f77bf1690d3b09a07450867118b5
Smoke Loader
+ 117 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike family:raccoon family:redline family:smokeloader family:vidar family:xmrig botnet:0 botnet:824 botnet:bibi botnet:q backdoor discovery evasion infostealer miner spyware stealer themida trojan
Link:
https://tria.ge/reports/210715-n5vcjbfaa6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Cobaltstrike
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
xmrig
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
45.32.235.238:45555
https://sslamlssa1.tumblr.com/
https://olegf9844.tumblr.com/
45.147.230.79:12632
http://136.244.111.22:80/__utm.gif
Unpacked files
SH256 hash:
40f733e06f7bcb4bd915fbd0c3fbb05ee571094c0999c0104b661e9de72b8ec2
MD5 hash:
cda6ff3c17a09d22225df0ae90c705dc
SHA1 hash:
d822189153fb12866cb798cbfbe198a7b40e62ca
Link:
https://www.unpac.me/results/06f201da-cd0c-481b-a5c4-2681e464e042/
SH256 hash:
e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac
MD5 hash:
92d5edc6e361638054987dd3b69d29a4
SHA1 hash:
4e6b68d0e7d08a38505a27b11cceedd49db3b32d
Link:
https://www.unpac.me/results/06f201da-cd0c-481b-a5c4-2681e464e042/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector01
Create hunting rule
Author:ditekSHen
Description:Detects specific downloader injector shellcode

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1453973/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171918/

Comments