MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08f3b51c8493c5ed8948ab35c956a465e0043094248d2f27a5d8fa9a696e3cbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08f3b51c8493c5ed8948ab35c956a465e0043094248d2f27a5d8fa9a696e3cbf
SHA3-384 hash: 49b376a8fb55354953d138ae6eebbc258d19fd88dd2c1cdc1676d22f46a7c8e137c2d55e1f659d747ba5b3325be6cd99
SHA1 hash: 284afda4ceda3880864bf692f153ab0354ca7359
MD5 hash: fc22d0c3f15c763ccf1a5f56f35b795f
humanhash: july-alabama-triple-network
File name:SecuriteInfo.com.BehavesLike.Win32.Worm.fm.15311
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:387'072 bytes
First seen:2020-04-16 18:38:48 UTC
Last seen:2020-04-22 17:54:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 19a7c4a8ff3b1a509eb4ead40cbffa8d (1 x Smoke Loader)
ssdeep 6144:SBZBPyzyTjqCHIbNwUXLKsHU3xa+ufxIJb:uBPyzyTuCHIbNtKs03M+u
Threatray 1'283 similar samples on MalwareBazaar
TLSH B984084E960244BFE9622570809FFB79011059BC6E62CF77FE08F613F9227EA516362D
Reporter SecuriteInfoCom
Tags:Smoke Loader

Intelligence

File Origin
# of uploads :
3
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Worm.fm.15311.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Ligooc
Create hunting rule
Status:
Malicious
First seen:
2020-04-16 16:13:33 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bdz3kheespc63ckivm24svvemxqaimeuesgs6j5f3d5ju2lohs7q._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
278593e60722d691fe1b23b22cab15294662bbd2ef8ca1ba8e80ca78e872a813
Smoke Loader
27c3f84dd3101c302afb523ee2c5b728c1fc34cfb8430c314d1f2df5ed79c28c
Smoke Loader
302b22ef958f04eeef47eaef2fe2d2fd062a17c16683ec8f2cf0b899f19c2acb
Smoke Loader
3700f2c5fe27c80e41984b2a55f236655a09f0781c05b265bccb26165318d78a
Smoke Loader
5bd66c88148005029d20c92e1d793f8d41f47a273a9334f9a85ec31148d0b040
Smoke Loader
8d1b83eff1b3c604365fd29de1bb43204852de842c0bb148975fe7a7485310e4
Smoke Loader
927a8d1445750400db3850d0b2dc3522b0f373098385373efa3d7762120f3689
Smoke Loader
aea1d064fb75706dd261f1097f91574050216410ce840e9c7523c46aca53c5f9
Smoke Loader
e94e31beaf1c2a6c24f0973a621c8715faf91a18e8c7acdab8a832021c7ce5f5
Smoke Loader
f3ba5d0b27ff406dcd1c624aee919f394d231b878f040ec23e36c7f0cf81df99
Smoke Loader
+ 1'273 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 08f3b51c8493c5ed8948ab35c956a465e0043094248d2f27a5d8fa9a696e3cbf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/341409/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments