MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e816613a7090688c566359653d7f55fdd6a9b05e147083ab0b1bda1c567f591c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e816613a7090688c566359653d7f55fdd6a9b05e147083ab0b1bda1c567f591c
SHA3-384 hash: 5970f05103320bea4ba67cae57f04ea6afa96534b9cb721e78a37811b94a5a402a60cbcfd87bdcdaafa8d47ae4048c31
SHA1 hash: a1f70bf18eaa5548a8a88d3c2291a32c91bf699a
MD5 hash: 94dfa0143d2c60b06533e35170aa64a1
humanhash: october-twenty-texas-robert
File name:94dfa0143d2c60b06533e35170aa64a1.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:205'312 bytes
First seen:2021-08-05 15:11:04 UTC
Last seen:2021-08-05 16:25:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e905b204d022a4a3f9803ba3895bcbd4 (3 x RaccoonStealer, 3 x Smoke Loader, 2 x RedLineStealer)
ssdeep 3072:0OAEYXEh3z7gu2NJ1wY8IQtU1j553DkGD0lcMuFPybz7byVUI:FB7gu2NJ+Y8Rts3PZMx/bBI
Threatray 820 similar samples on MalwareBazaar
TLSH T15F14BE013580CC73F4513AB18896CAB56A2AFCF4CB219A4B7F85D6DE1F352D29E3534A
dhash icon 10367c7c72767636 (2 x Smoke Loader, 1 x DanaBot)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
514
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
94dfa0143d2c60b06533e35170aa64a1.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-05 15:17:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/995e5aea-5afa-4b38-8148-c276afed8380

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176696/
Detection(s):
SecuriteInfo.com.Heur.Mint.Titirez.mm0@@CRlwRi.6610.18996.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1f24e38-ed22-4148-b3ab-e883ce1269c6
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827446
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 459876 Sample: Lte3odNpHc.exe Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 76 Antivirus detection for URL or domain 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Yara detected SmokeLoader 2->80 82 9 other signatures 2->82 10 Lte3odNpHc.exe 1 2->10         started        13 tetsjrh 1 2->13         started        process3 file4 102 DLL reload attack detected 10->102 104 Detected unpacking (changes PE section rights) 10->104 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->106 114 3 other signatures 10->114 16 explorer.exe 7 10->16 injected 56 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 13->56 dropped 108 Multi AV Scanner detection for dropped file 13->108 110 Machine Learning detection for dropped file 13->110 112 Renames NTDLL to bypass HIPS 13->112 signatures5 process6 dnsIp7 58 152.89.247.174, 49746, 49751, 80 COMBAHTONcombahtonGmbHDE Germany 16->58 60 110.14.121.125, 49745, 49747, 49748 SKB-ASSKBroadbandCoLtdKR Korea Republic of 16->60 62 2 other IPs or domains 16->62 46 C:\Users\user\AppData\Roaming\tetsjrh, PE32 16->46 dropped 48 C:\Users\user\AppData\Local\Temp\F264.exe, PE32 16->48 dropped 50 C:\Users\user\AppData\Local\Temp\27A7.exe, PE32 16->50 dropped 52 C:\Users\user\...\tetsjrh:Zone.Identifier, ASCII 16->52 dropped 84 System process connects to network (likely due to code injection or exploit) 16->84 86 Benign windows process drops PE files 16->86 88 Deletes itself after installation 16->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->90 21 27A7.exe 2 4 16->21         started        25 F264.exe 15 2 16->25         started        28 33A2E4F0.exe 16->28         started        30 33A2E4F0.exe 16->30         started        file8 signatures9 process10 dnsIp11 54 C:\ProgramData\...\33A2E4F0.exe, PE32 21->54 dropped 92 Multi AV Scanner detection for dropped file 21->92 94 Detected unpacking (changes PE section rights) 21->94 96 Detected unpacking (overwrites its own PE header) 21->96 98 Creates autostart registry keys with suspicious names 21->98 32 33A2E4F0.exe 21->32         started        66 185.215.113.114, 49770, 8887 WHOLESALECONNECTIONSNL Portugal 25->66 100 Machine Learning detection for dropped file 25->100 file12 signatures13 process14 dnsIp15 64 ebanat6977769.com 8.209.79.46, 49761, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 32->64 68 Multi AV Scanner detection for dropped file 32->68 70 Detected unpacking (changes PE section rights) 32->70 72 Detected unpacking (overwrites its own PE header) 32->72 74 4 other signatures 32->74 36 svchost.exe 32->36 injected 38 lsass.exe 32->38 injected 40 svchost.exe 32->40 injected 42 svchost.exe 32->42 injected signatures16 process17 process18 44 backgroundTaskHost.exe 3 17 36->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e816613a7090688c566359653d7f55fdd6a9b05e147083ab0b1bda1c567f591c/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 11:24:54 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5algcotqsbuiyvtdlfst272v7xlktmc6cryihkyldpnbyvt7leoa._file
Verdict:
suspicious
Similar samples:
3221c7c857b80fab3818cf1ea9435cef9626d84bd308d7a365e4e5089e5ef413
Smoke Loader
3557b514f9eada3659219bc4c1401d074f814ba82bf137ba0671fec66078d534
Smoke Loader
364bcd3b0a74ff15848f1e2c286922fb84ac88a85785e7821544b0539f4e1ff9
Smoke Loader
3da2f2d51fb93515503a3f617cdc72159ddd1d44115edfd129ab4c8ebb38c1ed
Smoke Loader
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
Smoke Loader
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
Smoke Loader
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
Smoke Loader
c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0
Smoke Loader
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
Smoke Loader
+ 810 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:xmrig botnet:sewpalpadin backdoor discovery infostealer miner persistence suricata trojan
Link:
https://tria.ge/reports/210805-3pcnfmz75n/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Modifies file permissions
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
xmrig
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
185.215.113.114:8887
Unpacked files
SH256 hash:
c457a6d6435bd5042baa663f1acf85e8efb2bec86e8dea52aac877755a1b334a
MD5 hash:
4bc270bc5cdc2e7f3a23f54b86579d79
SHA1 hash:
b72403fd55dae9cf4f634beeef6d86e64488d649
Link:
https://www.unpac.me/results/066c21ea-d75b-4174-a098-d82a1df0204c/
SH256 hash:
e816613a7090688c566359653d7f55fdd6a9b05e147083ab0b1bda1c567f591c
MD5 hash:
94dfa0143d2c60b06533e35170aa64a1
SHA1 hash:
a1f70bf18eaa5548a8a88d3c2291a32c91bf699a
Link:
https://www.unpac.me/results/066c21ea-d75b-4174-a098-d82a1df0204c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e816613a7090688c566359653d7f55fdd6a9b05e147083ab0b1bda1c567f591c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe e816613a7090688c566359653d7f55fdd6a9b05e147083ab0b1bda1c567f591c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1504929/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/176696/

Comments