MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec9abd41cb8dc44222977d171e58a8f2f74ca3499a2b552aee0aa963ee553d77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	ec9abd41cb8dc44222977d171e58a8f2f74ca3499a2b552aee0aa963ee553d77
SHA3-384 hash:	ec5a1585312bdaf8bc2e6a72e8e4a00f8361eac5bcc969285546d74a664509adbe65f70e5e5585662ec703d1426b3f0b
SHA1 hash:	25ba5fd7bc80335bad6b68667091ae04057cc4fa
MD5 hash:	48e19802f91f27e12638631ff2fd877a
humanhash:	florida-seventeen-november-three
File name:	48e19802f91f27e12638631ff2fd877a.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	303'104 bytes
First seen:	2021-10-16 14:29:59 UTC
Last seen:	2021-10-16 15:59:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a555e45e65025d1329998e0444346913 (1 x Smoke Loader)
ssdeep	6144:I5JXGsnLAKwctA7DgzvuOsKrjzF+HX4GuIH2DVThH/:Itz1A7DlOs8zhGuIH2D1hH
TLSH	T1B1548E10B7A0C034F5B752F845BA9369F93EBDA0AB3494CF52D526EA56346E0EC3131B
File icon (PE):
dhash icon	e8f8c8e8aa62a499 (1 x Smoke Loader, 1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	Dofoil exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

570

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

48e19802f91f27e12638631ff2fd877a.exe

Verdict:

Suspicious activity

Analysis date:

2021-10-16 14:32:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d219a768-7ff2-4907-8588-040c5fe4ce7a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/197889/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.25106.32731.9679.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/616ae1fbdb358dd15ebd394d/reports/df152fb1-b4ed-4926-9c44-dba5c34c7c76/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1346fec4-adce-4dc3-b355-99690d0e933a

Result

Threat name:

Raccoon RedLine SmokeLoader Tofsee Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/871609

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Antivirus detection for URL or domain

Benign windows process drops PE files

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the windows firewall

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sigma detected: Copying Sensitive Files with Credential Data

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Script Execution From Temp Folder

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Raccoon Stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Tofsee

Yara detected Vidar

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/ec9abd41cb8dc44222977d171e58a8f2f74ca3499a2b552aee0aa963ee553d77/

Threat name:

Win32.Trojan.BotX

Status:

Malicious

First seen:

2021-10-16 01:00:50 UTC

AV detection:

20 of 45 (44.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5snl2qolrxceeiuxpulr4wfi6l3uzi2jtivvkkxobkuwh3svhv3q._file

Verdict:

malicious

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:2e56d61c5f4b4a46cd452a288b45013a8ce55afa botnet:3dde9cf1ea25ec8623cf240fe8d23e8d3fe465f0 botnet:7ebf9b416b72a203df65383eec899dc689d2c3d7 botnet:936 botnet:bot botnet:office365log and wallet botnet:testmixnew backdoor collection discovery evasion infostealer miner persistence spyware stealer suricata themida trojan

Link:

https://tria.ge/reports/211016-rt9ypacggr/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies data under HKEY_USERS

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

XMRig Miner Payload

Raccoon

RedLine

RedLine Payload

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Tofsee

Vidar

Windows security bypass

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

xmrig

Malware Config

C2 Extraction:

http://honawey7.top/
http://wijibui0.top/
http://hefahei6.top/
http://pipevai4.top/
http://nalirou7.top/
http://gfdjgdfjgdhfbg.space/
http://gfhjdsghdfjg23.space/
http://gdfjgdfh4543nf.space/
http://fgdjgsdfghj4fds.space/
http://fgdgdjfgfdgdf.space/
http://fsdhjfsdhfsd.space/
http://fgdsjghdfghjdfhgd.space/
http://ryuesrseyth3.space/
http://fdsjkuhreyu4.space/
http://fdgjdfgehr4.space/
http://fgdgjhdfgdfjgd.space/
quadoil.ru
lakeflex.ru
https://mas.to/@sslam
185.215.113.17:9054
91.211.251.200:52562
185.215.113.102:10007