MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2
SHA3-384 hash: 152161a931005da38a12a72ff97723be529032005352b14af9e25b1d7d3cdb396e888597411fd71b59ef6e82ffd9a8d9
SHA1 hash: 282d6575d1d038bfb8a3cf2001193bcf69f7928f
MD5 hash: ab6d798ea215fc018443d3d86c0fcba9
humanhash: fourteen-music-seventeen-seven
File name:ab6d798ea215fc018443d3d86c0fcba9
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:219'136 bytes
First seen:2021-07-23 18:29:02 UTC
Last seen:2021-07-23 20:00:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 77ea83f3db2bce57a4cf8f786a999acd (10 x RaccoonStealer, 6 x RedLineStealer, 4 x Smoke Loader)
ssdeep 3072:kzsaB791DAm0c3L2UjRjJyI0WuRp70BPuxaWC8C:qB7bAm0yaU1ldbBPAn
Threatray 2'262 similar samples on MalwareBazaar
TLSH T1D624BF11FAB0D832C4A5093058EAC6A42A2DFC31BE64CD47779B3B5F6E311D266B521F
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab6d798ea215fc018443d3d86c0fcba9
Verdict:
Suspicious activity
Analysis date:
2021-07-23 18:29:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a6a94ba0-3d44-4aba-966a-9f7da2ec376a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173761/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.14520.30532.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3ac75ad-b07f-488a-8749-aa895c0f80cf
Result
Threat name:
Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821003
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453414 Sample: RePvcN5uYW Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 64 xaiandaran.xyz 2->64 66 sanctam.net 2->66 68 6 other IPs or domains 2->68 86 System process connects to network (likely due to code injection or exploit) 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 Yara detected SmokeLoader 2->90 92 14 other signatures 2->92 10 RePvcN5uYW.exe 2->10         started        13 cdidacr 2->13         started        15 svchost.exe 1 2->15         started        17 3 other processes 2->17 signatures3 process4 signatures5 112 Detected unpacking (changes PE section rights) 10->112 19 RePvcN5uYW.exe 10->19         started        114 Contains functionality to inject code into remote processes 13->114 116 Injects a PE file into a foreign processes 13->116 process6 signatures7 94 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->94 96 Maps a DLL or memory area into another process 19->96 98 Checks if the current machine is a virtual machine (disk enumeration) 19->98 100 Creates a thread in another existing process (thread injection) 19->100 22 explorer.exe 23 19->22 injected process8 dnsIp9 70 readinglistforjuly9.xyz 22->70 72 readinglistforjuly8.xyz 22->72 74 11 other IPs or domains 22->74 40 C:\Users\user\AppData\Roaming\cdidacr, PE32 22->40 dropped 42 C:\Users\user\AppData\Local\Temp\5ADB.exe, PE32 22->42 dropped 44 C:\Users\user\AppData\Local\Temp\5116.exe, PE32 22->44 dropped 46 9 other files (3 malicious) 22->46 dropped 102 System process connects to network (likely due to code injection or exploit) 22->102 104 Benign windows process drops PE files 22->104 106 Performs DNS queries to domains with low reputation 22->106 110 4 other signatures 22->110 27 5ADB.exe 80 22->27         started        32 4DCA.exe 88 22->32         started        34 4656.exe 2 22->34         started        36 2 other processes 22->36 file10 108 Tries to resolve many domain names, but no domain seems valid 72->108 signatures11 process12 dnsIp13 76 185.234.247.50, 49757, 80 INTERKONEKT-ASPL Russian Federation 27->76 78 telete.in 195.201.225.248, 443, 49755 HETZNER-ASDE Germany 27->78 48 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 27->48 dropped 50 C:\Users\user\AppData\...\vcruntime140.dll, PE32 27->50 dropped 52 C:\Users\user\AppData\...\ucrtbase.dll, PE32 27->52 dropped 60 56 other files (none is malicious) 27->60 dropped 118 Detected unpacking (changes PE section rights) 27->118 120 Detected unpacking (overwrites its own PE header) 27->120 122 Tries to steal Mail credentials (via file access) 27->122 124 Contains functionality to steal Internet Explorer form passwords 27->124 80 shpak125.tumblr.com 32->80 82 116.202.183.50, 49756, 80 HETZNER-ASDE Germany 32->82 84 shpak125.tumblr.com 74.114.154.22, 443, 49754 AUTOMATTICUS Canada 32->84 54 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 32->54 dropped 56 C:\Users\user\AppData\...\mozglue[1].dll, PE32 32->56 dropped 58 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 32->58 dropped 62 9 other files (none is malicious) 32->62 dropped 126 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->126 128 Tries to harvest and steal browser information (history, passwords, etc) 32->128 130 Tries to steal Crypto Currency Wallets 32->130 132 Injects a PE file into a foreign processes 34->132 38 conhost.exe 34->38         started        file14 134 Tries to resolve many domain names, but no domain seems valid 80->134 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2/
Threat name:
Win32.Dropper.Scrop
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 18:29:07 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7je6zgtk7lb5w2ownzlacv5o5ev776rqyjgsu6cvutj3z4wystra._file
Verdict:
suspicious
Similar samples:
29ccf6b2c0b229845df6086bd26c33cb3da426d34344aaaedde7f5d7703c1598
Smoke Loader
2b4e74f6d31e2ce71fa3de3caba5fbf6b070885d43c956aa57deced79e79826b
Smoke Loader
42409087896ad827ca16b713215988bed28560c5fe0c929f7c30294854b5bfc2
Smoke Loader
4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
Smoke Loader
5506b7fcbd13ae3049f461b3527242502e4c3f9e1f684cfe5b03ebb3af64366a
Smoke Loader
8876443ca226bd35c82f3e50163007b03b39f61efdb751568f2cef7d71a7b954
Smoke Loader
b45b46943761b574b53d2938b6e6c331d778f77bf1690d3b09a07450867118b5
Smoke Loader
ce1a457a5bd8763fde41a27081d5a885b66aca31b123ee42885e29bc8cfdbda5
Smoke Loader
e43b4c22c80cef8222b4c80656a6ba5df323742d23cc4845de27de2866b84d28
Smoke Loader
e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac
Smoke Loader
+ 2'252 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar family:xmrig botnet:123123123 botnet:408 botnet:444 backdoor discovery infostealer miner spyware stealer suricata trojan
Link:
https://tria.ge/reports/210723-telvftwyre/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
xmrig
Malware Config
C2 Extraction:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
https://shpak125.tumblr.com/
45.32.235.238:45555
xaiandaran.xyz:80
Unpacked files
SH256 hash:
d065c8a41c2287cb3ed4fd55a1a76c13995937723c7b44cf6d4763a15dea89c1
MD5 hash:
3c9f95cbbd5f3e4ee70435e06de00ddf
SHA1 hash:
7dee35214654080e76fc275eedd5c2d7b1e1453d
Link:
https://www.unpac.me/results/3c7046b5-41dd-476f-a029-4e0e6bd64fe6/
SH256 hash:
fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2
MD5 hash:
ab6d798ea215fc018443d3d86c0fcba9
SHA1 hash:
282d6575d1d038bfb8a3cf2001193bcf69f7928f
Link:
https://www.unpac.me/results/3c7046b5-41dd-476f-a029-4e0e6bd64fe6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe fa49ec9a6afac3db69d66e560157aee92bfffa30c24d2a7855a4d3bcf2d894e2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173761/

Comments


Avatar
zbet commented on 2021-07-23 18:29:03 UTC

url : hxxp://1freeprivacytoolsforyou.xyz/downloads/toolspab2.exe