MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08fb8bfb5fa63abdc054e16eed945c6b0636744ff34b2c3e1a2d8e80e71cd116. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 2

Intelligence 2 IOCs YARA 21 File information Comments

SHA256 hash:	08fb8bfb5fa63abdc054e16eed945c6b0636744ff34b2c3e1a2d8e80e71cd116
SHA3-384 hash:	94dca0fe79a2f510a13a0d4a523143a32c95bd2a04ba5ff93e3058fe7e3cf85cc48924f0d32600d5999fe499b1183d8c
SHA1 hash:	d92b2f5713dc92862d01389d79f0b3cc20592f22
MD5 hash:	904eab8bf451cc8e13eb60c952e538f8
humanhash:	yellow-golf-october-angel
File name:	source code of carbanak backdoor discovered.7z
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	14'634'003 bytes
First seen:	2026-03-01 12:23:33 UTC
Last seen:	Never
File type:	7z
MIME type:	application/x-7z-compressed
Note:	This file is a password protected archive. The password is: 7567
ssdeep	393216:m3ow7g1YzJyPaOX7vLfdmSfgz+cj9wVBY:X7MyPbzLf0cPfY
TLSH	T191E63358D8DC858F41CE7D0AEB976F366484870C6B1BF960AB44CC3D93D162BDEA90C6
TrID	57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1) 42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Magika	sevenzip
Reporter	aachum
Tags:	217-156-122-57 7z file-pumped pw-7567 Smoke Loader SmokeLoader

iamaachum

https://media.megafilehost4.autos/Source+Code+of+CARBANAK+backdoor+discovered.zip

SmokeLoader C2: http://217.156.122.57/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file is a password protected archive. The password is: 7567

This file archive contains 1 file(s), sorted by their relevance:

File name:	source code of carbanak backdoor discovered.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	948'868'825 bytes
SHA256 hash:	67181b1d67336122c8deb538217ef8de8330892d56186e12225ee0c96b41753f
MD5 hash:	fc2b1de06679c0535ba5a01a34ea8887
De-pumped file size:	2'003'456 bytes (Vs. original size of 948'868'825 bytes)
De-pumped SHA256 hash:	46145eb01bb32c28d3550b307891336d531c3e5c4e2b6656f3d19f751cb4408d
De-pumped MD5 hash:	cc8bb60a18ffee2af8fecda49923f803
MIME type:	application/x-dosexec
Signature	Smoke Loader

Vendor Threat Intelligence

No detections

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a42ff8c950ab5d9ab2ff84

Tags:

n/a

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/08fb8bfb5fa63abdc054e16eed945c6b0636744ff34b2c3e1a2d8e80e71cd116

Result

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/08fb8bfb5fa63abdc054e16eed945c6b0636744ff34b2c3e1a2d8e80e71cd116/

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bd5yx627uy5l3qcu4fxo3fc4nmddm5cp6nfsypq2fwhibzy42ela._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/260301-rtspeadx7f/

Behaviour

Suspicious behavior: EnumeratesProcesses

Browser Information Discovery

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Any_SU_Domain Create hunting rule
Author:	you
Description:	Detect any reference to .su domains or subdomains

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Golang_Binary Create hunting rule
Author:	Andrew Morrow
Description:	Detects binaries compiled with Go

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	goLangMatch3 Create hunting rule

Rule name:	goLangMatch4 Create hunting rule

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)