MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f47560806cc02ef4c609e43a06b3c7230f6f9c6117d9ec7819535f152070df3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 9



SHA256 hash: f47560806cc02ef4c609e43a06b3c7230f6f9c6117d9ec7819535f152070df3c
SHA3-384 hash: c01e2c1a791e65bde4185ac8c7a4cf5eadbbd062f0898db7d4dfe5d0b5da874486e88f5438f98082338f1cf86b74c582
SHA1 hash: a99ce1f449476181dffa979b49024899ef580607
MD5 hash: 796abd8556244dcf962bccaa1ec4e011
humanhash: blossom-equal-sink-princess
File name: SecuriteInfo.com.Variant.Zusy.394875.8357.20244
Signature: Smoke Loader
File size: 218'624 bytes
First seen: 2021-07-24 03:39:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d09a478840961ad890ac4dc4d59be69d (10 x Smoke Loader, 4 x RaccoonStealer, 2 x RedLineStealer)
ssdeep: 3072:W//rQe2dBf2XHwgzS4RkSI0MDib7PBJ6sp70BPuxaWC8C:ODQe2dtWwZxDrQa3BPAn
Threatray: 3'646 similar samples on MalwareBazaar
TLSH: T11924BE11FAB0C83AD0A50A7088E5C6E0662DBC31BA64DD47775B3B5F2F702C166B625F
dhash icon: 48b9b2b4e8c38c90 (6 x RaccoonStealer, 4 x RedLineStealer, 1 x CryptBot)
Reporter: SecuriteInfoCom
Tags: exe Smoke Loader

Intelligence


File Origin
# of uploads: 1
# of downloads: 163
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Variant.Zusy.394875.8357.20244
Verdict: Suspicious activity
Analysis date: 2021-07-24 03:43:13 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Raccoon RedLine SmokeLoader Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 453547, Sample: SecuriteInfo.com.Variant.Zu..., Startdate: 24/07/2021, Architecture: WINDOWS, Score: 100

Root signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Yara detected Vidar; 13 other signatures

Process tree (children indented under their parent; [sig] = signatures, [drop] = dropped files, [net] = network contacts with destination port and ASN/country as reported):

SecuriteInfo.com.Variant.Zusy.394875.8357.exe
  [sig] Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
  SecuriteInfo.com.Variant.Zusy.394875.8357.exe (second instance)
    [sig] Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
    explorer.exe (injected)
      [net] readinglistforjuly9.xyz; readinglistforjuly8.xyz (Tries to resolve many domain names, but no domain seems valid); 11 other IPs or domains
      [drop] C:\Users\user\AppData\Roaming\tfsffrr (PE32); C:\Users\user\AppData\Local\Temp\6317.exe (PE32); C:\Users\user\AppData\Local\Temp\5E92.exe (PE32); 6 other files (4 malicious)
      [sig] System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Performs DNS queries to domains with low reputation; 4 other signatures
      66A2.exe
        [drop] C:\Users\user\AppData\Local\Temp\Hyphal.exe (PE32); C:\Users\user\AppData\Local\Temp\555.exe (PE32)
        Hyphal.exe
          [sig] Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Injects a PE file into a foreign processes
          Hyphal.exe (child instance)
            [net] 135.148.139.222:33569 (AVAYAUS, United States); api.ip.sb
            [sig] Tries to harvest and steal browser information (history, passwords, etc)
          conhost.exe
          Hyphal.exe (second child instance)
        555.exe
          [net] xaiandaran.xyz 212.224.105.106:80 (DE-FIRSTCOLOwwwfirst-colonetDE, Germany)
          [sig] Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Performs DNS queries to domains with low reputation
          conhost.exe
      5B45.exe
        [net] telete.in 195.201.225.248:443 (HETZNER-ASDE, Germany); 185.234.247.50:80 (INTERKONEKT-ASPL, Russian Federation); telete.in (Tries to resolve many domain names, but no domain seems valid)
        [drop] C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 57 other files (none is malicious)
        [sig] Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file access); Contains functionality to steal Internet Explorer form passwords
      57BA.exe
        [net] 116.202.183.50:80 (HETZNER-ASDE, Germany); shpak125.tumblr.com 74.114.154.22:443 (AUTOMATTICUS, Canada)
        [drop] C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\...\freebl3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 9 other files (none is malicious)
        [sig] Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
        cmd.exe
      13 other processes
        [net] readinglistforjuly10.xyz
        [sig] System process connects to network (likely due to code injection or exploit); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Performs DNS queries to domains with low reputation; 2 other signatures
        51AE.exe
          [net] cdn.discordapp.com 162.159.135.233:443 (CLOUDFLARENETUS, United States); 45.32.235.238:45555 (AS-CHOOPAUS, United States); api.ip.sb
          [sig] Tries to steal Crypto Currency Wallets
        conhost.exe
tfsffrr
  tfsffrr (second instance)
    [sig] Creates a thread in another existing process (thread injection)
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2021-07-23 22:45:06 UTC
AV detection: 20 of 46 (43.48%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader botnet:555 botnet:newinstallshop backdoor discovery infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
xaiandaran.xyz:80
135.148.139.222:33569
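The C2 Extraction list above is what a defender turns into detections: 30 numbered domains of the form readinglistforjulyN under three TLDs, one domain:port entry and one IP:port socket. The following Python is an added example for this page, not code from MalwareBazaar or any sandbox vendor. It normalises the entries to (host, port), derives a regex for the numbered domain family so that siblings the extractor did not see (readinglistforjuly9.xyz is resolved in the behaviour graph but is not in the extracted list) are still flagged, and scans constructed key=value log lines. The log format, the sample lines and the C2_ENTRIES subset of the page's list are assumptions made for the demonstration.

```python
"""Exact and pattern-based matching of the C2 indicators from this MalwareBazaar entry.

Added example for this page; not code from MalwareBazaar or any sandbox vendor.
The log format and sample lines below are constructed for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Representative subset of the "C2 Extraction" list on the page. The full list has
# readinglistforjuly1-10 under .xyz, .site and .club plus the two host:port entries.
C2_ENTRIES = [
    "http://readinglistforjuly1.xyz/",
    "http://readinglistforjuly10.xyz/",
    "http://readinglistforjuly3.site/",
    "http://readinglistforjuly7.club/",
    "xaiandaran.xyz:80",
    "135.148.139.222:33569",
]

# Constructed key=value log lines: "query=" is a DNS lookup, "dst=" a connection.
SAMPLE_LOG = [
    "ts=2021-07-24T03:44:01Z src=10.0.0.5 query=readinglistforjuly1.xyz rcode=NXDOMAIN",
    "ts=2021-07-24T03:44:01Z src=10.0.0.5 query=readinglistforjuly9.xyz rcode=NXDOMAIN",
    "ts=2021-07-24T03:44:02Z src=10.0.0.5 query=readinglist.example.org rcode=NOERROR",
    "ts=2021-07-24T03:44:05Z src=10.0.0.5 dst=135.148.139.222:33569 proto=tcp",
    "ts=2021-07-24T03:44:06Z src=10.0.0.5 dst=135.148.139.222:443 proto=tcp",
]


def parse_c2(entry):
    """Normalise one extracted entry to (host, port).

    URLs take the port from the URL or the scheme default; bare "host:port"
    entries are split on the last colon.
    """
    entry = entry.strip()
    if "://" in entry:
        u = urlsplit(entry)
        return u.hostname.lower(), u.port or (443 if u.scheme == "https" else 80)
    host, _, port = entry.rpartition(":")
    return host.lower(), int(port)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# <letters><digits>.<tld>, the shape of the readinglistforjulyN.* domains.
_NUMBERED = re.compile(r"^([a-z-]+?)(\d+)\.([a-z]+)$")


def family_pattern(hosts, min_members=3):
    """Derive a regex for hosts that share a stem and differ only in a trailing
    number and/or TLD. Requires min_members observed hosts per stem, because the
    pattern deliberately matches names the extracted list does not contain."""
    stems = {}
    for host in hosts:
        m = _NUMBERED.match(host)
        if m:
            stem, _, tld = m.groups()
            info = stems.setdefault(stem, {"n": 0, "tlds": set()})
            info["n"] += 1
            info["tlds"].add(tld)
    alts = [
        rf"{re.escape(stem)}\d+\.(?:{'|'.join(sorted(info['tlds']))})"
        for stem, info in sorted(stems.items())
        if info["n"] >= min_members
    ]
    return re.compile(r"^(?:" + "|".join(alts) + r")$") if alts else None


def scan_log(lines, entries=C2_ENTRIES):
    """Return (line_no, indicator, reason) for each line that touches a C2.

    Domains match exactly or via the derived family pattern; IP indicators
    match only as host:port sockets, exactly as the config extraction gives them.
    """
    parsed = [parse_c2(e) for e in entries]
    exact_hosts = {h for h, _ in parsed if not is_ip(h)}
    exact_sockets = {(h, p) for h, p in parsed if is_ip(h)}
    pattern = family_pattern(exact_hosts)
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        q = fields.get("query", "").lower().rstrip(".")
        if q in exact_hosts:
            hits.append((n, q, "exact-domain"))
        elif q and pattern and pattern.match(q):
            hits.append((n, q, "domain-pattern"))
        host, _, port = fields.get("dst", "").rpartition(":")
        if port.isdigit() and (host, int(port)) in exact_sockets:
            hits.append((n, f"{host}:{port}", "exact-socket"))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Two caveats a practitioner should keep in mind. The derived pattern is wider than the extracted configuration: it also matches readinglistforjuly11.xyz, which this page never lists, so pattern hits deserve a lower confidence than exact hits. Conversely the socket indicator is narrower than the IP alone: a connection to 135.148.139.222 on port 443, as in the last sample line, is not flagged, because the page only attests the 33569 socket; widen to the bare IP if your own telemetry justifies it.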
Unpacked files
SHA256 hash: d065c8a41c2287cb3ed4fd55a1a76c13995937723c7b44cf6d4763a15dea89c1
MD5 hash: 3c9f95cbbd5f3e4ee70435e06de00ddf
SHA1 hash: 7dee35214654080e76fc275eedd5c2d7b1e1453d
SHA256 hash: f47560806cc02ef4c609e43a06b3c7230f6f9c6117d9ec7819535f152070df3c (same hashes as the submitted sample)
MD5 hash: 796abd8556244dcf962bccaa1ec4e011
SHA1 hash: a99ce1f449476181dffa979b49024899ef580607

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: Smoke Loader
File: Executable exe f47560806cc02ef4c609e43a06b3c7230f6f9c6117d9ec7819535f152070df3c (this sample)
