MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0af99b94ca63947eeffe16eb87dbc8aa0837176d209e49015fe2e3fc64ef10b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SmartLoader


Vendor detections: 5



SHA256 hash: 0af99b94ca63947eeffe16eb87dbc8aa0837176d209e49015fe2e3fc64ef10b7
SHA3-384 hash: 8e3dd6de8870e097c8587905883cf92b001177ef2ae46595bb2e31846a0876fee04f13cca26a2e0e5bde64721f74e0e9
SHA1 hash: 0adb21f0c2b1228dd92868bd9d0c7ff7dd9f4d67
MD5 hash: 1e5ad284567b83ea0b4fc871874625ad
humanhash: salami-spring-princess-missouri
File name: Release.3.9.6.zip
Signature: SmartLoader
File size: 1'320'700 bytes
First seen: 2025-03-22 16:09:38 UTC
Last seen: 2025-04-10 00:14:31 UTC
File type: zip
MIME type: application/zip
ssdeep: 24576:DUj+0plCZf7e3Q6OQ/QxTJ7ILzYlsRhjw6LCvavtxU6bJOt3ztV3lGv/:DU1LeRxTN+ke3eSvFJujzlGv/
TLSH: T1775533411364D4EFD1EF9580FAB79CC9252F35BABBD91A4A400833709A2F116BDEA3C5
Magika: zip
Reporter: tcains1
Tags: SmartLoader zip

Intelligence


File Origin
# of uploads: 2
# of downloads: 78
Origin country: US

File Archive Information

This file archive contains 4 file(s), sorted by their relevance:

File name: Launch.bat
File size: 47 bytes
SHA256 hash: 1f60f53068049e7fe64a0c785071d5b57a5788746bf6f62076bd4974750e7a9a
MD5 hash: 3322e369701284caeeff9b5abfbea38f
MIME type: text/plain
Signature: SmartLoader

File name: lua51.dll
File size: 3'531'914 bytes
SHA256 hash: c7a657af5455812fb215a8888b7e3fd8fa1ba27672a3ed9021eb6004eff271ac
MD5 hash: 4ebd617a3ad9a9619172bd14a902a400
MIME type: application/x-dosexec
Signature: SmartLoader

File name: luajit.exe
File size: 100'900 bytes
SHA256 hash: 5343326fb0b4f79c32276f08ffcc36bd88cde23aa19962bd1e8d8b80f5d33953
MD5 hash: 00f60ee3ff2dee681b5d7d442009b2c2
MIME type: application/x-dosexec
Signature: SmartLoader

File name: config.txt
File size: 243'194 bytes
SHA256 hash: 919cd09f89463d01f4de23db3dad45ed65990bd2d6fde85c58410732922fb179
MD5 hash: d704bc724dc29237463b9bd805eea65f
MIME type: text/plain
Signature: SmartLoader

Vendor Threat Intelligence
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: anti-debug mingw overlay
Threat name: Android.Trojan.ZkarletFlash
Status: Malicious
First seen: 2025-03-22 16:10:12 UTC
File Type: Binary (Archive)
Extracted files: 4
AV detection: 6 of 24 (25.00%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Capability_Embedded_Lua
Author: Obscurity Labs LLC
Description: Detects embedded Lua engines by looking for multiple Lua API symbols or env-var hooks

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: HUNTING_SUSP_TLS_SECTION
Author: chaosphere
Description: Detect PE files with .tls section that can be used for anti-debugging
Reference: Practical Malware Analysis - Chapter 16

Rule name: pe_detect_tls_callbacks

Rule name: Suspicious_Latam_MSI_and_ZIP_Files
Author: eremit4, P4nd3m1cb0y
Description: Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SmartLoader

zip 0af99b94ca63947eeffe16eb87dbc8aa0837176d209e49015fe2e3fc64ef10b7 (this sample)
