MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7cd9a8b33624a7462d7a8c73558b337bd35fb29c40b68b58cbb0743ff4f8154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7cd9a8b33624a7462d7a8c73558b337bd35fb29c40b68b58cbb0743ff4f8154
SHA3-384 hash: 7a7f5ce807cbee0031ae782ad117d1f0662bbeace8d755de1cef0dffc786d3db9d7a9673488f23b2db40a9ff9cff2832
SHA1 hash: b02ad8e06b733a92cd88b8f24782d9c706e2dcc3
MD5 hash: 97bb71acfb45ae2172b995e1395ad1e9
humanhash: glucose-diet-fix-black
File name:97bb71acfb45ae2172b995e1395ad1e9.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:166'912 bytes
First seen:2021-08-18 14:16:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c07c5f8b51cfbe666b5660939365cb2b (5 x RedLineStealer, 2 x ArkeiStealer, 1 x Smoke Loader)
ssdeep 3072:K+JWzKR0KdYifTCTllR9GDoBNGkRxAQbaKT0yB3N:K+EK3/fcjGMf7
Threatray 5'052 similar samples on MalwareBazaar
TLSH T1E7F3CF317580D572C4A2053580A6FAA45EB9FD312A64094B7FE83A6F6F303D1953F39E
dhash icon 1072c092b0381802 (7 x RedLineStealer, 2 x Smoke Loader, 1 x ArkeiStealer)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97bb71acfb45ae2172b995e1395ad1e9.exe
Verdict:
No threats detected
Analysis date:
2021-08-18 14:18:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78900ec4-5133-4f02-9118-67e8a7cd572b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180348/
Detection(s):
Win.Malware.Generic-9886621-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c29284e6-c8ab-4d59-821f-c92a30dd8d88
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835192
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 467622 Sample: GrS9NVdO4c.exe Startdate: 18/08/2021 Architecture: WINDOWS Score: 100 29 atvcampingtrips.com 2->29 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 6 other signatures 2->55 9 GrS9NVdO4c.exe 2->9         started        12 jfgdswa 2->12         started        signatures3 process4 signatures5 65 Detected unpacking (changes PE section rights) 9->65 67 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->67 69 Maps a DLL or memory area into another process 9->69 71 Creates a thread in another existing process (thread injection) 9->71 14 explorer.exe 2 9->14 injected 73 Multi AV Scanner detection for dropped file 12->73 75 Machine Learning detection for dropped file 12->75 77 Checks if the current machine is a virtual machine (disk enumeration) 12->77 process6 dnsIp7 35 88.80.145.9, 80 GWHOSTRO Bulgaria 14->35 37 atvcampingtrips.com 148.255.2.213, 49713, 49717, 49742 CompaniaDominicanadeTelefonosSADO Dominican Republic 14->37 39 5 other IPs or domains 14->39 25 C:\Users\user\AppData\Roaming\jfgdswa, PE32 14->25 dropped 27 C:\Users\user\...\jfgdswa:Zone.Identifier, ASCII 14->27 dropped 41 System process connects to network (likely due to code injection or exploit) 14->41 43 Benign windows process drops PE files 14->43 45 Deletes itself after installation 14->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 19 36B3.exe 15 3 14->19         started        file8 signatures9 process10 dnsIp11 31 api.ip.sb 19->31 33 188.124.36.242, 25802, 49761, 49763 SELECTELRU Russian Federation 19->33 57 Detected unpacking (changes PE section rights) 19->57 59 Query firmware table information (likely to detect VMs) 19->59 61 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->61 63 2 other signatures 19->63 23 conhost.exe 19->23         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7cd9a8b33624a7462d7a8c73558b337bd35fb29c40b68b58cbb0743ff4f8154/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 10:14:18 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3f511c7b45036ebc633cfc2d8ddd0f4fd97114f87bb1ea4228d880b9bcaafee9
Smoke Loader
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
Smoke Loader
5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96
Smoke Loader
637a0494e576015bdbc53a9a3d5efd6ed2cac129facef169a06ed4f2d07188d2
Smoke Loader
9da4d8126ac0c4c0b68066407e24cf1a36e06f0fc22ef87b0a464f90c1374095
Smoke Loader
a579df463934b191934477803f2045e998e3acca5932492eb4a090cc8857182a
Smoke Loader
a81accafde181c4afdc35a0c9221f12aafaf2b6b3351dde1f4cb4d7ef25355fc
Smoke Loader
dc99c52dc9e81adde22cc958053e11bd63605cb90953d86d75a9896d585a17a0
Smoke Loader
df0fb9e7bd0899c3d92f8b150a6e38f00940c2246f3d4591902af4fc28f9a569
Smoke Loader
fb412e008d09b7ccfd249e3dcbdd7dcc44407775fdb2a8d001ca80890e232a9e
Smoke Loader
+ 5'042 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader backdoor infostealer trojan
Link:
https://tria.ge/reports/210818-ft4z5ndlcs/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Deletes itself
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.29:8889
Unpacked files
SH256 hash:
18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2
MD5 hash:
f2fecf6872ad4c61a3a506159fddd4fc
SHA1 hash:
28e039eb96dcf58841992280c66433a2bbab8e84
Link:
https://www.unpac.me/results/2653270c-bf26-4fa4-8e88-611bd6f82c00/
SH256 hash:
e7cd9a8b33624a7462d7a8c73558b337bd35fb29c40b68b58cbb0743ff4f8154
MD5 hash:
97bb71acfb45ae2172b995e1395ad1e9
SHA1 hash:
b02ad8e06b733a92cd88b8f24782d9c706e2dcc3
Link:
https://www.unpac.me/results/2653270c-bf26-4fa4-8e88-611bd6f82c00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7cd9a8b33624a7462d7a8c73558b337bd35fb29c40b68b58cbb0743ff4f8154

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe e7cd9a8b33624a7462d7a8c73558b337bd35fb29c40b68b58cbb0743ff4f8154

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1533747/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180348/

Comments