MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe21af6accb27ecee7c5fae57211ff9f545e64b680059b4037596288c63920b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13



SHA256 hash: ffe21af6accb27ecee7c5fae57211ff9f545e64b680059b4037596288c63920b
SHA3-384 hash: cf76ee295edb86157418eb8cd68ab7267075fe93dfa400855e198f41af7488e1a48a3f212d8de9117c8824ee0591f662
SHA1 hash: 198d41dca224a3010589f2ce0a9cac6686dda963
MD5 hash: 3e9b93cd8a81772cf96b53bca62624b9
humanhash: high-whiskey-neptune-sad
File name: setup_x86_x64_install.exe
Signature: Smoke Loader
File size: 4'517'747 bytes
First seen: 2021-10-23 17:43:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JjzQoMAXPmuTOQVdH/3RLSsKyBlF7AAY4R48OTA2JlwM+CMpgi:JXQoMAf7TzL5mNyJAAYXXwM+Ei
Threatray: 643 similar samples on MalwareBazaar
TLSH: T158263305644B2563E4215EBC84327FF33F576624289723AF3024C2E6DA5EAC863796F7
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: exe Smoke Loader

Intelligence


File Origin
# of uploads: 1
# of downloads: 595
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-10-23 16:00:58 UTC
Tags: trojan rat redline evasion loader stealer vidar opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: SmokeLoader Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph: (rendered graph not reproduced here; Behavior Graph ID: 508129, Sample: setup_x86_x64_install.exe, Startdate: 23/10/2021, Architecture: WINDOWS, Score: 100)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-10-23 17:44:05 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:933 aspackv2 backdoor infostealer spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
Unpacked files
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
