MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaa3d526090fadeb2dfadcf06c2e3dc4d7c5964a3d2173e3b0d6f9fefb623914. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaa3d526090fadeb2dfadcf06c2e3dc4d7c5964a3d2173e3b0d6f9fefb623914
SHA3-384 hash: 023fda50c2ce746f53ff07ce5cd9adddafc3ca142051acb5c09765ac7331f972f2b522ef551dff2d3fe57fe334914d6a
SHA1 hash: 8f572ece7b4885127df2e4ab38fabe5d1d48ee0f
MD5 hash: 08e81dd76c16f26fc26875ed6e9c5dfc
humanhash: wyoming-equal-fanta-stream
File name:08e81dd76c16f26fc26875ed6e9c5dfc.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:345'088 bytes
First seen:2021-10-30 06:49:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 518d84bc9a231f5bb2827b0550b9f86c (8 x RaccoonStealer, 2 x RedLineStealer, 1 x 1xxbot)
ssdeep 6144:a5W75M5n97NXZ3kuJATgEY2LcSsFJfkoB2Uy:as2n9JJ3kuCkEY2LcSKfkoBRy
Threatray 5'316 similar samples on MalwareBazaar
TLSH T19A747C10B6A1C435F5B212F849BA93A9B93F7EB16B3450CB12D516EE8634AE0EC31357
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
08e81dd76c16f26fc26875ed6e9c5dfc.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-30 07:04:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75f12f68-5385-4e60-bb3e-599811f69602

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b1a5b70-861a-4e8d-b59c-552468098db0
Result
Threat name:
Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879727
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download HTTP data from a sinkholed server
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Yara detected Vidar
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 512173 Sample: YQ5e4ClF2H.exe Startdate: 30/10/2021 Architecture: WINDOWS Score: 100 93 www.google.com 2->93 95 mas.to 2->95 97 cdn.discordapp.com 2->97 127 Tries to download HTTP data from a sinkholed server 2->127 129 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->129 131 Multi AV Scanner detection for domain / URL 2->131 133 15 other signatures 2->133 12 YQ5e4ClF2H.exe 2->12         started        15 vaiwctj 2->15         started        signatures3 process4 signatures5 145 Contains functionality to inject code into remote processes 12->145 147 Injects a PE file into a foreign processes 12->147 17 YQ5e4ClF2H.exe 12->17         started        20 vaiwctj 15->20         started        process6 signatures7 119 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->119 121 Maps a DLL or memory area into another process 17->121 123 Checks if the current machine is a virtual machine (disk enumeration) 17->123 125 Creates a thread in another existing process (thread injection) 17->125 22 explorer.exe 14 17->22 injected process8 dnsIp9 99 escalivrouter.net 22->99 101 216.128.137.31, 80 AS-CHOOPAUS United States 22->101 103 13 other IPs or domains 22->103 69 C:\Users\user\AppData\Roaming\vaiwctj, PE32 22->69 dropped 71 C:\Users\user\AppData\Local\Temp\FB7E.exe, PE32 22->71 dropped 73 C:\Users\user\AppData\Local\Temp\CD9A.exe, PE32 22->73 dropped 75 13 other files (7 malicious) 22->75 dropped 135 System process connects to network (likely due to code injection or exploit) 22->135 137 Benign windows process drops PE files 22->137 139 Deletes itself after installation 22->139 141 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->141 27 1031.exe 1 22->27         started        31 92AB.exe 22->31         started        34 FB7E.exe 21 7 22->34         started        36 8 other processes 22->36 file10 signatures11 process12 dnsIp13 79 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 27->79 dropped 149 DLL reload attack detected 27->149 151 Detected unpacking (changes PE section rights) 27->151 171 5 other signatures 27->171 105 91.219.236.97, 49856, 80 SERVERASTRA-ASHU Hungary 31->105 107 toptelete.top 172.67.160.46, 49855, 80 CLOUDFLARENETUS United States 31->107 109 telegalive.top 31->109 81 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 31->81 dropped 83 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->83 dropped 85 C:\Users\user\AppData\...\ucrtbase.dll, PE32 31->85 dropped 91 56 other files (none is malicious) 31->91 dropped 153 Detected unpacking (overwrites its own PE header) 31->153 155 Tries to steal Mail credentials (via file access) 31->155 157 Tries to harvest and steal browser information (history, passwords, etc) 31->157 111 cdn.discordapp.com 162.159.129.233, 443, 49787, 49795 CLOUDFLARENETUS United States 34->111 87 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 34->87 dropped 159 Writes to foreign memory regions 34->159 161 Allocates memory in foreign processes 34->161 173 3 other signatures 34->173 38 AdvancedRun.exe 34->38         started        40 powershell.exe 34->40         started        42 SMSvcHost.exe 34->42         started        113 93.115.20.139, 28978, 49848 MVPShttpswwwmvpsnetEU Romania 36->113 115 162.159.133.233, 443, 49815, 49822 CLOUDFLARENETUS United States 36->115 117 162.159.134.233, 443, 49804, 49858 CLOUDFLARENETUS United States 36->117 89 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 36->89 dropped 163 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->163 165 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->165 167 Uses schtasks.exe or at.exe to add and modify task schedules 36->167 169 Tries to steal Crypto Currency Wallets 36->169 44 9384.exe 36->44         started        47 cmd.exe 36->47         started        49 at.exe 36->49         started        51 AdvancedRun.exe 36->51         started        file14 signatures15 process16 signatures17 53 AdvancedRun.exe 38->53         started        55 conhost.exe 40->55         started        175 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 44->175 177 Maps a DLL or memory area into another process 44->177 179 Checks if the current machine is a virtual machine (disk enumeration) 44->179 181 Creates a thread in another existing process (thread injection) 44->181 183 Obfuscated command line found 47->183 185 Drops PE files with a suspicious file extension 47->185 57 cmd.exe 47->57         started        61 conhost.exe 47->61         started        63 conhost.exe 49->63         started        process18 file19 77 C:\Users\user\AppData\Local\...\Hai.exe.com, PE32 57->77 dropped 143 Obfuscated command line found 57->143 65 findstr.exe 57->65         started        67 Hai.exe.com 57->67         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eaa3d526090fadeb2dfadcf06c2e3dc4d7c5964a3d2173e3b0d6f9fefb623914/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 20:47:13 UTC
AV detection:
23 of 44 (52.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5kr5kjqjb6w6wlp23tygylr5ytl4lfskhuqxhy5q2347563cheka._file
Verdict:
malicious
Similar samples:
033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a
Smoke Loader
555fd11933a1bb3a71714e1c234cdeaf7ea3c614f24eebec3786fb61cb3b5b5e
Smoke Loader
5d5314ec5e467c3875f072915f95a4f1c143b1b7996e60d4c81c5ede11e604bd
Smoke Loader
8245ad87eea6a1f19f658adef8a30b9a512760d866b7075bbf205d7a54296234
Smoke Loader
9f1f637f5746983960594883af8120a45b73eef2bfc7750a502ee47ec97ed34b
Smoke Loader
+ 5'306 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:68e2d75238f7c69859792d206401b6bde2b2515c botnet:936 botnet:999888988 botnet:9b47742e621d3b0f1b0b79db6ed26e2c33328c05 botnet:superstar agilenet backdoor collection discovery evasion infostealer spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/211030-hlye9aefa4/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Themida packer
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://honawey70.top/
http://wijibui00.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://193.56.146.214/
https://193.56.146.214/
93.115.20.139:28978
185.215.113.29:36224
https://mas.to/@lilocc
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/f430b085-8e18-441e-aaa7-ade8df131b89/
SH256 hash:
eaa3d526090fadeb2dfadcf06c2e3dc4d7c5964a3d2173e3b0d6f9fefb623914
MD5 hash:
08e81dd76c16f26fc26875ed6e9c5dfc
SHA1 hash:
8f572ece7b4885127df2e4ab38fabe5d1d48ee0f
Link:
https://www.unpac.me/results/f430b085-8e18-441e-aaa7-ade8df131b89/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/eaa3d526090f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eaa3d526090fadeb2dfadcf06c2e3dc4d7c5964a3d2173e3b0d6f9fefb623914

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe eaa3d526090fadeb2dfadcf06c2e3dc4d7c5964a3d2173e3b0d6f9fefb623914

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download

Comments