MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9716dbf790a96f3d63bc5e5f012706e7a78f2e58b045f4cfcec6483ffed7dda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9716dbf790a96f3d63bc5e5f012706e7a78f2e58b045f4cfcec6483ffed7dda
SHA3-384 hash: 72d647f2b8d6eee82e2a9ed080fc24ee10881f771be43b82004fa8fd44cd808535adb2e37b4e8e32ce3a434e08b807c1
SHA1 hash: 3a934efbb04ebaa161a116814fd26219c70738a9
MD5 hash: ed7db3b3a1702d194492e83d6d845d6e
humanhash: four-delaware-michigan-fanta
File name:ed7db3b3a1702d194492e83d6d845d6e.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:866'208 bytes
First seen:2022-08-29 10:26:31 UTC
Last seen:2022-08-29 10:58:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 885c07b22374dc1137a9f063282ad390 (7 x RecordBreaker, 4 x RedLineStealer, 2 x Smoke Loader)
ssdeep 24576:WRDp80gcCoyb3K0Nqbj838gy0fGoSs/vr:PcCoyb3K013rfh
Threatray 122 similar samples on MalwareBazaar
TLSH T172059D217DC0C132EDE220BB42ECF971567DE4B00B2647DB56C857EEDA206D16F3299A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ed7db3b3a1702d194492e83d6d845d6e.exe
Verdict:
No threats detected
Analysis date:
2022-08-29 10:29:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b8b8268e-4587-481b-bf5b-2f674ff9612e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/302191/
Detection(s):
SecuriteInfo.com.Variant.Lazy.238286.8843.29973.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30724/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/630c951da7450371f687ec70/reports/4028ed1c-641e-4045-a075-0c6928effb60/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97ab6d56-3327-4bd3-8e11-82723b5019a4
Result
Threat name:
PrivateLoader, Raccoon Stealer v2, RedLi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059744
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 692268 Sample: HJsbEtFbIt.exe Startdate: 29/08/2022 Architecture: WINDOWS Score: 100 76 ultra-cheat.ru.net 2->76 92 Snort IDS alert for network traffic 2->92 94 Multi AV Scanner detection for domain / URL 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 12 other signatures 2->98 10 HJsbEtFbIt.exe 1 2->10         started        12 vcdwsuu 2->12         started        signatures3 process4 process5 14 AppLaunch.exe 10->14         started        17 WerFault.exe 23 9 10->17         started        file6 126 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->126 128 Maps a DLL or memory area into another process 14->128 130 Checks if the current machine is a virtual machine (disk enumeration) 14->130 132 Creates a thread in another existing process (thread injection) 14->132 20 explorer.exe 10 14->20 injected 50 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->50 dropped signatures7 process8 dnsIp9 86 belladama.fr 207.174.214.200, 443, 49789, 49792 PUBLIC-DOMAIN-REGISTRYUS United States 20->86 88 ilab8snah5ysh.top 194.87.94.240, 49774, 49775, 49780 MTW-ASRU Russian Federation 20->88 90 8 other IPs or domains 20->90 66 C:\Users\user\AppData\Roaming\vcdwsuu, PE32 20->66 dropped 68 C:\Users\user\AppData\Local\Temp\A963.exe, PE32 20->68 dropped 70 C:\Users\user\AppData\Local\Temp\6BAC.exe, PE32 20->70 dropped 72 2 other files (1 malicious) 20->72 dropped 108 System process connects to network (likely due to code injection or exploit) 20->108 110 Benign windows process drops PE files 20->110 112 Performs DNS queries to domains with low reputation 20->112 114 3 other signatures 20->114 25 6BAC.exe 1 20->25         started        28 A963.exe 20->28         started        30 346E.exe 4 20->30         started        33 7 other processes 20->33 file10 signatures11 process12 file13 116 Machine Learning detection for dropped file 25->116 118 Writes to foreign memory regions 25->118 120 Allocates memory in foreign processes 25->120 35 AppLaunch.exe 18 25->35         started        40 WerFault.exe 25->40         started        122 Injects a PE file into a foreign processes 28->122 42 AppLaunch.exe 28->42         started        74 C:\Users\user\AppData\Local\...\Update.exe, PE32 30->74 dropped 124 Multi AV Scanner detection for dropped file 30->124 44 Update.exe 7 30->44         started        46 AppLaunch.exe 33->46         started        48 WerFault.exe 33->48         started        signatures14 process15 dnsIp16 78 t.me 149.154.167.99, 443, 49793 TELEGRAMRU United Kingdom 35->78 80 transfer.sh 144.76.136.153, 443, 49807 HETZNER-ASDE Germany 35->80 82 49.12.72.35, 49795, 80 HETZNER-ASDE Germany 35->82 52 C:\ProgramData\43563230884615113558.exe, PE32 35->52 dropped 100 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->100 102 Tries to harvest and steal browser information (history, passwords, etc) 35->102 104 Tries to steal Crypto Currency Wallets 35->104 54 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 40->54 dropped 84 46.249.58.152, 49805, 80 SERVERIUS-ASNL Netherlands 42->84 56 C:\Users\user\AppData\...\vcruntime140.dll, PE32 42->56 dropped 58 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 42->58 dropped 60 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 42->60 dropped 64 4 other files (none is malicious) 42->64 dropped 106 DLL side loading technique detected 42->106 62 C:\Users\user\AppData\Local\...\Update.exe, PE32 44->62 dropped file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9716dbf790a96f3d63bc5e5f012706e7a78f2e58b045f4cfcec6483ffed7dda/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-29 10:27:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fyw3p3zbklphvr3yxs7aetqnz5hr4xfrmcf6th45rsih77npxna._file
Verdict:
malicious
Similar samples:
0929ee2c5824678694b66ad94fc75a6beed79662b2bf131a495b8ff43b817956
Smoke Loader
1c6b2e06ec61636fa0ed64a73c3bd037005bf37a832bf3c2d0be67ef82573443
Smoke Loader
215087805c45ef04ff988ef611130b4626944c99782bfcd61564a251b2b8da66
Smoke Loader
2f780fbe426ec668667aaa54a902cfab80f47cc1e3ef39017ef15845279384db
Smoke Loader
4ab91c72d0d913c2a18a74a2b9ea5bcd8b77bfb68110e56767a552a358fa0687
Smoke Loader
6a56ad7cc45d701696652e3be5275f37f09527ecd7fdacbbf634b2532f97027a
Smoke Loader
8acf3d9eea531ae8c1ab8eabe3f22206f3771c6c25ed577a6c0010b0a43cfcc0
Smoke Loader
9c8c0c8e368d5895d29bb917517bab1bd71e529adfbd6e7c1619774c05bc0594
Smoke Loader
e6173a0a906d3259d4a9006b61901262705e309a6e5bc1cdfc035e3a78e2f225
Smoke Loader
f8fbc50db8de41fbcf7dcf31883c086b50d0cc74fbbd94979893fc26c9898f76
Smoke Loader
+ 112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220829-mg3xdshac3/
Unpacked files
SH256 hash:
3225bf99864a7d9cd2ed9c997373855d9b453f04ec0f150bba1db2d89466f546
MD5 hash:
fbdfcc2c8cd6c28500c40c791d8759db
SHA1 hash:
8c244ceba76cdc8e5d5946f0e7d0657837e963d4
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/b32f75ba-1ad4-4e29-aa23-f4d9c1807921/
Parent samples :
1224cff781af46afddb80f91b55c4a78d6e452dedddcf54369ed29927586c29a
160fe152cf7fa7ed9fcfff18247c8035916074991c6cb376cb45b515ffe4ef55
7f8bada5abf58a6af13bcfd8a25f260c39003d75c4e946a6c1ddba03e54f2338
91c7ea32b2138f53f659fbcd228f0f26750d6b274bf931ae879a5e10c6c26cc3
f9716dbf790a96f3d63bc5e5f012706e7a78f2e58b045f4cfcec6483ffed7dda
19f3e5cab44c7310b94afb38dbe5d1a55ae69bf95bd69ec6bcb4c339100d7d69
b0a56c3843305f9661b8b64a4f75485c2d107b7d0f7390f959c273a6be74add8
SH256 hash:
f9716dbf790a96f3d63bc5e5f012706e7a78f2e58b045f4cfcec6483ffed7dda
MD5 hash:
ed7db3b3a1702d194492e83d6d845d6e
SHA1 hash:
3a934efbb04ebaa161a116814fd26219c70738a9
Link:
https://www.unpac.me/results/b32f75ba-1ad4-4e29-aa23-f4d9c1807921/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.08
Link:
https://yomi.yoroi.company/submissions/f9716dbf790a96f3d63bc5e5f012706e7a78f2e58b045f4cfcec6483ffed7dda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe f9716dbf790a96f3d63bc5e5f012706e7a78f2e58b045f4cfcec6483ffed7dda

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2283052/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/302191/

Comments