MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392
SHA3-384 hash: 56e930e4df1f4071ac1fad1943880b17d8a26ad8edeed2e5a994a637d6e055c4ae8c6e9475636ad8845f0859dfa29ef6
SHA1 hash: 6171c7dd4f67a67fff0ca151c7e9a06104e00def
MD5 hash: 8ccd875893cd23b67d7c61ea735f5c52
humanhash: carolina-virginia-neptune-utah
File name:sweetnessgoodforgreatnessthingswithgood.tIF
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:224'763 bytes
First seen:2025-01-09 06:43:09 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:A8gVmI3b0mgfmWu+ke9VOv5iG5sVhQ30Wk+70wgA1A:A8gVxe9VOvM
Threatray 82 similar samples on MalwareBazaar
TLSH T19C2402311C8A82326E1E58095820F110DA8DE47368BFD4D177BEDFE95B122D588AFF67
Magika vba
Reporter lontze7
Tags:Smoke Loader SmokeLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilHTA.DridexEsqCigarettesNAlcohol.M1.20211202.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=677f74ebffdcee13ec885261
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/677f7034bc4dbaccf2659446/reports/a727d47f-41c8-4cb3-8d82-ff9e73805cac/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1586466
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1586466 Sample: sweetnessgoodforgreatnessth... Startdate: 09/01/2025 Architecture: WINDOWS Score: 100 47 prolinice.ga 2->47 49 res.cloudinary.com 2->49 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 11 other signatures 2->73 11 wscript.exe 2 2->11         started        14 uahuajd 2 2->14         started        signatures3 process4 signatures5 83 VBScript performs obfuscated calls to suspicious functions 11->83 85 Suspicious powershell command line found 11->85 87 Wscript starts Powershell (via cmd or directly) 11->87 89 2 other signatures 11->89 16 powershell.exe 14 16 11->16         started        20 conhost.exe 14->20         started        process6 dnsIp7 45 192.3.27.144, 49763, 80 AS-COLOCROSSINGUS United States 16->45 63 Writes to foreign memory regions 16->63 65 Injects a PE file into a foreign processes 16->65 22 aspnet_compiler.exe 16->22         started        25 conhost.exe 16->25         started        signatures8 process9 signatures10 75 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->75 77 Maps a DLL or memory area into another process 22->77 79 Checks if the current machine is a virtual machine (disk enumeration) 22->79 81 2 other signatures 22->81 27 explorer.exe 25 3 22->27 injected process11 dnsIp12 51 prolinice.ga 46.173.214.14, 49913, 49942, 49987 GARANT-PARK-INTERNETRU Russian Federation 27->51 43 C:\Users\user\AppData\Roaming\uahuajd, PE32 27->43 dropped 91 Benign windows process drops PE files 27->91 93 Injects code into the Windows Explorer (explorer.exe) 27->93 95 Writes to foreign memory regions 27->95 97 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->97 32 explorer.exe 20 27->32         started        35 explorer.exe 27->35         started        37 explorer.exe 27->37         started        39 6 other processes 27->39 file13 signatures14 process15 signatures16 53 System process connects to network (likely due to code injection or exploit) 32->53 55 Found evasive API chain (may stop execution after checking mutex) 32->55 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->57 61 3 other signatures 32->61 59 Tries to harvest and steal browser information (history, passwords, etc) 35->59 41 WerFault.exe 21 39->41         started        process17
Score:
8%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392/
Threat name:
Script-Macro.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2025-01-08 04:52:11 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cyzieeqflvvkphcfwzremb7xjnzswfm5wtdm356y42bv5pog4oja._file
Verdict:
malicious
Label(s):
smokeloader
Create hunting rule
Similar samples:
32f32787e8bbc5276d6f9d1d1d8b0f5f762b33df9abf8a820f34d6e702603b99
Smoke Loader
35717c891450767af251ec90a7c05ffd407d7b2d2897d96c176c51b5b8a156b5
Smoke Loader
4b27fd5c70588d922a25f658f35d5c5d3e0085ba88d9bb9b25746c52b2b58e59
Smoke Loader
4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073
Smoke Loader
7910bb1786288ed1cc204913f0785c32a1bd0b1ee3476d2ef260df564be3b2a5
Smoke Loader
9af40d7dbe70e708bc2fc5cdf500f7f5389210ed8813f006ac342d6983dcd2ac
Smoke Loader
error
Smoke Loader
f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6
Smoke Loader
fb5116f93365182f235b12d780e03bb8a2a98f389f81cf0d5832dbdc722b346d
Smoke Loader
+ 72 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor execution trojan
Link:
https://tria.ge/reports/250109-hs7x9ssmhx/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
SmokeLoader
Smokeloader family
Malware Config
Dropper Extraction:
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Visual Basic Script (vbs) vbs 16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3393586/

Comments