MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
SHA3-384 hash: c3ffed2a774867688f815375319631bd4a2d47b464d5240c417cc1ecc8c3251c262c83dc8e6e5bc66040bdf3b5f51007
SHA1 hash: 70b0f49da4fca69165d379c379e0796e471922d1
MD5 hash: fda3cbb7ca00beee2e96fa7120dc440e
humanhash: kitten-charlie-texas-indigo
File name:njb79h.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:5'216'864 bytes
First seen:2025-12-07 06:24:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef24e2f166ae9439e57f7d9921c9b1aa (3 x Smoke Loader, 1 x RedLineStealer)
ssdeep 6144:4KQkJN6XyWNv5DDPgIbJJToLIz1OVLxYsipw:XJkXyWR5DD4+oLhVLxTipw
Threatray 15 similar samples on MalwareBazaar
TLSH T15E367C31AA90C035E4BF01B459B9C37C65397EB09B2450CBB2D52AEE5B343E89D3179B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter amznemu
Tags:exe Smoke Loader SmokeLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
ID ID
Vendor Threat Intelligence
Malware configuration found for:
AceCryptor SmokeLoader
Details
AceCryptor
an extracted shellcode loader component and the ms_c_rand-XOR seed
AceCryptor
an extracted payload
AceCryptor
an extracted shellcode loader component and a TEA decryption key
SmokeLoader
an extracted component
SmokeLoader
c2 urls and a version number
Link:
https://research.acce.ciphertechsolutions.com/results/d77a581d-0339-4d9b-98ea-71946b404998/
Malware family:
smoke
Create hunting rule
ID:
1
File name:
njb79h.exe
Verdict:
Malicious activity
Analysis date:
2025-12-07 06:25:11 UTC
Tags:
smoke loader
Link:
https://app.any.run/tasks/f054bd75-8e6b-40fe-b609-89e26e2ce400

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42883/
Detection(s):
Win.Malware.Generic-9886641-0
Create hunting rule

Win.Dropper.Azorult-9886824-0
Create hunting rule

Win.Malware.Raccoon-9886737-1
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69351dd0920336450abc102b
Tags:
chapak trojan virus mint
Verdict:
Malicious
Labled as:
Mint.Titirez.Generic
Link:
https://www.hybrid-analysis.com/sample/269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-25T18:56:00Z UTC
Last seen:
2025-12-07T05:38:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Chapak.gen PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f/results?tab=lookup
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d41e7834-76fd-41c6-85e2-01b7635258d4
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/fda3cbb7ca00beee2e96fa7120dc440e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f/
Verdict:
Malicious
Threat:
Family.SMOKELOADER
Link:
https://tip.neiki.dev/file/269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
Threat name:
Win32.Trojan.MintTitirez
Create hunting rule
Status:
Malicious
First seen:
2025-11-26 00:38:30 UTC
AV detection:
33 of 38 (86.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2osvytgc6e7reu5snfh67sew3lpulrpyn4z7vj3ismiv3mqnmpq._file
Verdict:
malicious
Label(s):
shellcode_loader_002
Create hunting rule
smokeloader
Create hunting rule
Similar samples:
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
Smoke Loader
50419b6ae38000b3d639e462f69bb35ff167650ca8eff6eb35dcfbd38b08c393
Smoke Loader
60acc48765bbe492e56f8e1665bf041973f23501422a73fd87dd2b79922246b6
Smoke Loader
66cee30a999770e51c8a80b6aa279607cbbb27bb581bf8763421777559869281
Smoke Loader
8f20020d5b0669c889435750b00452672cb17fc2a87225a5341040bc05afc008
Smoke Loader
aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb
Smoke Loader
bca26771b9c277eb8babfaf06af7dae3f8b063b1b91b090691bf69d265dc0ff8
Smoke Loader
error
Smoke Loader
+ 5 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub5 backdoor discovery persistence trojan
Link:
https://tria.ge/reports/251207-g6q18sxrgz/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
System Location Discovery: System Language Discovery
Deletes itself
SmokeLoader
Smokeloader family
Malware Config
C2 Extraction:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Verdict:
Malicious
Tags:
Win.Malware.Generic-9886641-0
YARA:
n/a
Link:
https://app.threat.zone/submission/c3488b9c-bc65-458e-a12a-1538dba5e815
Unpacked files
SH256 hash:
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
MD5 hash:
fda3cbb7ca00beee2e96fa7120dc440e
SHA1 hash:
70b0f49da4fca69165d379c379e0796e471922d1
Link:
https://www.unpac.me/results/3424fbe0-6dff-424c-ac01-15c1abcf9b9a/
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/3424fbe0-6dff-424c-ac01-15c1abcf9b9a/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/269d2ae26617/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/42883/

Comments