MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcf9157232e57a1d1f8bfa47da34f9e223eca28d0ffa114eff7c00c4f1b84f29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcf9157232e57a1d1f8bfa47da34f9e223eca28d0ffa114eff7c00c4f1b84f29
SHA3-384 hash: 214ad6fe4790b410c0afd74f782ae367a96311e0ded45f6d49eab16dab9b1beecd6ed7d0665ee94fbc32e60cab543314
SHA1 hash: 61e700e84d9763a084d297dec6d4c2e040ece430
MD5 hash: 2fc81aa8455def455e77a0109540400c
humanhash: spring-tennis-florida-item
File name:2fc81aa8455def455e77a0109540400c.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:282'112 bytes
First seen:2021-08-25 12:01:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ddbb3eef631957f988f10b48742f9549 (14 x RaccoonStealer, 2 x Smoke Loader)
ssdeep 6144:R/Vz4Z7isjHly3prBCTZzF3JUb2Yk0BYV6un+UD:bzM7iIFy5YTZzF36b51g
Threatray 196 similar samples on MalwareBazaar
TLSH T1B3548D30AAA1C034F9F611F855BA83B9A53E3AB16B3450CF53E526ED46346E4EC30797
dhash icon ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2fc81aa8455def455e77a0109540400c.exe
Verdict:
No threats detected
Analysis date:
2021-08-25 12:13:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/271f5d54-c1cf-4da8-9a1a-a1508e1f2410

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182303/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.64457.3931.8219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Creating a process from a recently created file
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/954a80b7-5cf1-41bb-8113-7f6f0849d960
Result
Threat name:
KPot RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839023
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected KPot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 471455 Sample: vxVsNc85XN.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 46 spinogriz91076299.io 2->46 48 kpotuvorot10.bit 2->48 50 3 other IPs or domains 2->50 76 Found malware configuration 2->76 78 Antivirus detection for URL or domain 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 6 other signatures 2->82 9 vxVsNc85XN.exe 2->9         started        12 rgrrbjb 2->12         started        signatures3 process4 signatures5 98 Detected unpacking (changes PE section rights) 9->98 100 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->100 102 Maps a DLL or memory area into another process 9->102 104 Creates a thread in another existing process (thread injection) 9->104 14 explorer.exe 7 9->14 injected 106 Multi AV Scanner detection for dropped file 12->106 108 Machine Learning detection for dropped file 12->108 110 Checks if the current machine is a virtual machine (disk enumeration) 12->110 process6 dnsIp7 56 193.142.59.123, 49717, 49740, 80 HOSTSLICK-GERMANYNL Netherlands 14->56 58 atvcampingtrips.com 110.14.121.123, 49710, 49712, 49714 SKB-ASSKBroadbandCoLtdKR Korea Republic of 14->58 60 4 other IPs or domains 14->60 38 C:\Users\user\AppData\Roaming\rgrrbjb, PE32 14->38 dropped 40 C:\Users\user\AppData\Local\Temp\D86C.exe, PE32 14->40 dropped 42 C:\Users\user\AppData\Local\Temp\362.exe, PE32 14->42 dropped 44 C:\Users\user\...\rgrrbjb:Zone.Identifier, ASCII 14->44 dropped 68 System process connects to network (likely due to code injection or exploit) 14->68 70 Benign windows process drops PE files 14->70 72 Deletes itself after installation 14->72 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->74 19 2219.exe 2 4 14->19         started        23 362.exe 15 26 14->23         started        26 D86C.exe 14->26         started        28 2 other processes 14->28 file8 signatures9 process10 dnsIp11 36 C:\ProgramData\...\33A2E4F0.exe, PE32 19->36 dropped 84 Detected unpacking (changes PE section rights) 19->84 86 Creates autostart registry keys with suspicious names 19->86 30 33A2E4F0.exe 19->30         started        52 185.215.113.29, 49739, 8678 WHOLESALECONNECTIONSNL Portugal 23->52 54 api.ip.sb 23->54 88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->88 90 Machine Learning detection for dropped file 23->90 92 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->92 96 2 other signatures 23->96 34 conhost.exe 23->34         started        94 Contains functionality to infect the boot sector 26->94 file12 signatures13 process14 dnsIp15 62 45.56.79.23, 49750, 49752, 49754 LINODE-APLinodeLLCUS United States 30->62 64 gorokborotun782699.com 96.126.123.244, 49748, 49755, 49757 LINODE-APLinodeLLCUS United States 30->64 66 4 other IPs or domains 30->66 112 Detected unpacking (changes PE section rights) 30->112 114 Machine Learning detection for dropped file 30->114 116 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 30->116 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcf9157232e57a1d1f8bfa47da34f9e223eca28d0ffa114eff7c00c4f1b84f29/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 05:46:54 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1d56c98200907afafa8a54f802c21ed824e1827162fb19d8f73cf8a8bb61b7f2
Smoke Loader
6d69e8561d00ec74735297d21e777a9fe9b858b384292c38cb0239db2e3b73bd
Smoke Loader
6e5318326145c9caf6e20fa4c1861de5e6e137caaf4d61f3f8c4cea0fedd99ef
Smoke Loader
7efe89836b4c06959a1af18891ff07995f8870f566149e8c537c6f76e2a31a89
Smoke Loader
87fc3e042747ec6e69f1c32bb906de41b2a6e4b1fdd6bdfb041c3689002e97cf
Smoke Loader
af416b9b0b8c91937ee895050038b9de17f25735faa984c1d6dcf8d130c9d29b
Smoke Loader
eccd8757ac5a6c34abc69c2251a582a6697d9cbb5af2d8c5f8f8787b3156c3ff
Smoke Loader
+ 186 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader backdoor bootkit infostealer persistence trojan
Link:
https://tria.ge/reports/210825-wh4kqsqh46/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Writes to the Master Boot Record (MBR)
Deletes itself
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.215.113.29:8678
Unpacked files
SH256 hash:
18cd8e90fcd46329480f24d43baa489683b3ee2fcd274bf1714947ef307a6ab2
MD5 hash:
f2fecf6872ad4c61a3a506159fddd4fc
SHA1 hash:
28e039eb96dcf58841992280c66433a2bbab8e84
Link:
https://www.unpac.me/results/8ab8cd35-95d8-4d26-96e2-6aef334e016d/
SH256 hash:
fcf9157232e57a1d1f8bfa47da34f9e223eca28d0ffa114eff7c00c4f1b84f29
MD5 hash:
2fc81aa8455def455e77a0109540400c
SHA1 hash:
61e700e84d9763a084d297dec6d4c2e040ece430
Link:
https://www.unpac.me/results/8ab8cd35-95d8-4d26-96e2-6aef334e016d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fcf9157232e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcf9157232e57a1d1f8bfa47da34f9e223eca28d0ffa114eff7c00c4f1b84f29

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe fcf9157232e57a1d1f8bfa47da34f9e223eca28d0ffa114eff7c00c4f1b84f29

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1559349/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1545011/
Cape
Cape
https://www.capesandbox.com/analysis/182303/

Comments