MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 217859f8f952a9de8aeb91dc175ef6dad10142327bb6111fafa2b4523161d178. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 217859f8f952a9de8aeb91dc175ef6dad10142327bb6111fafa2b4523161d178
SHA3-384 hash: b07d43b95ff2c296721f18760bd26ab5568ae305b4250220d66e5e33f576dab65d2d9ed3d609087b797967c62c82e1c6
SHA1 hash: b36fb961843a193336218042cecd2c1d7e7e6980
MD5 hash: 5577a97d0c2c1e2930eb1aa36b4d0ebb
humanhash: ceiling-floor-india-batman
File name:5577a97d0c2c1e2930eb1aa36b4d0ebb.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:3'803'136 bytes
First seen:2023-01-23 19:08:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8388c4af61e6ca4e78048b4b09a8cbe (9 x Smoke Loader, 5 x CoinMiner, 4 x Tofsee)
ssdeep 98304:5lJAVMDiGDPfh7UYmWmw9GArAaIEBNz6CaRl:LJai7XmO5Ja
TLSH T1F30633A36696C037C95284300B32FE94736EB13225B1D4EF5BA0CF2E9F547D54A66B23
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 101070f0c8606444 (1 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
5577a97d0c2c1e2930eb1aa36b4d0ebb.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 19:15:25 UTC
Tags:
danabot stealer
Link:
https://app.any.run/tasks/ce380235-aed0-4256-88aa-ae74d85f5cd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356084/
Detection(s):
Win.Packed.Stop-9985110-0
Create hunting rule

Win.Packed.Stop-9985116-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Changing a file
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/63cedb5396add6d1cf483a48/reports/3b8c981c-240e-4a7f-9459-57d376a2f7b2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4967c794-5154-4c8f-8a23-bf120a1ae78c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1157326
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/217859f8f952a9de8aeb91dc175ef6dad10142327bb6111fafa2b4523161d178/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ef4ft6hzkku55cxlshoboxxw3liqcqrspo3bch5puk2femlb2f4a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/230123-xtvfwsge5v/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Drops desktop.ini file(s)
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
61e838c5d350ccd510b788a1610706f51779e129c643644cca938861e85e090c
MD5 hash:
f924c17eb5c36d11787b7b80842fb47a
SHA1 hash:
db7294940d23552d818344016bc04fd177bb24d1
Link:
https://www.unpac.me/results/568d532d-855e-48c6-b89c-95d450838788/
SH256 hash:
9689497e839eb0adbba239d49f0445bd8c962d08bdfcdcf9656b6dd2b6257bce
MD5 hash:
9de9fedd9e753af6d844bff9556105f2
SHA1 hash:
dffe6a267728b4b5be8d49516bb6be5e47b2ddc5
Link:
https://www.unpac.me/results/568d532d-855e-48c6-b89c-95d450838788/
SH256 hash:
130d949d1e799914fd0ac627da2ff1b8542096a8a9a1a42874f687c32beb7a45
MD5 hash:
e97f6f822c3928e439534985be28ad3a
SHA1 hash:
532f163a75c2b315adda783719e9977e2d095619
Link:
https://www.unpac.me/results/568d532d-855e-48c6-b89c-95d450838788/
SH256 hash:
217859f8f952a9de8aeb91dc175ef6dad10142327bb6111fafa2b4523161d178
MD5 hash:
5577a97d0c2c1e2930eb1aa36b4d0ebb
SHA1 hash:
b36fb961843a193336218042cecd2c1d7e7e6980
Link:
https://www.unpac.me/results/568d532d-855e-48c6-b89c-95d450838788/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/217859f8f952/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/217859f8f952a9de8aeb91dc175ef6dad10142327bb6111fafa2b4523161d178

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 217859f8f952a9de8aeb91dc175ef6dad10142327bb6111fafa2b4523161d178

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2515360/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/356084/

Comments