MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 420148025ec21333fa89a72ee35309621aa1e7248d08d51e4384d267aef1518c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 420148025ec21333fa89a72ee35309621aa1e7248d08d51e4384d267aef1518c
SHA3-384 hash: a2bf156814e9ac7c93314916576adb34f53ce2f63b565e5b7be4b7aacf6902435a53e8147a800b4a2deacd97a4c60497
SHA1 hash: d0c4b80aad82b4c13c58ce5d5edeeabb811c90c2
MD5 hash: 6a78a6557842e4631453f6f561ffccd3
humanhash: quebec-carolina-early-virginia
File name:6a78a6557842e4631453f6f561ffccd3
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:3'863'040 bytes
First seen:2023-01-22 18:23:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8388c4af61e6ca4e78048b4b09a8cbe (9 x Smoke Loader, 5 x CoinMiner, 4 x Tofsee)
ssdeep 98304:8MIBH9Qt8L+jFcbPWiuGWkBAOmnSC9pWviUdHw8:joO5jFoPa9uiUd
TLSH T1C7063321B247C072D409547D2728A672EFFE3A324374A72BBB162C6E0D879E5DEE1354
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1010608046486800 (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
6a78a6557842e4631453f6f561ffccd3
Verdict:
Malicious activity
Analysis date:
2023-01-22 18:25:09 UTC
Tags:
danabot
Link:
https://app.any.run/tasks/4a66cc2b-5fe7-4587-9f54-7dee7fec6e85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355681/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Searching for the window
Changing a file
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/63cd7f4489bd67c10fd950ab/reports/7e6d935a-8c90-4652-91ac-969e53990d58/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58412429-d8a7-4aef-9f04-85f760d6a21a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
63 / 100
Link:
https://www.joesandbox.com/analysis/1156592
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/420148025ec21333fa89a72ee35309621aa1e7248d08d51e4384d267aef1518c/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-22 18:24:18 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iiauqas6yijth6uju4xoguyjminkdzzeruenkhsdqtjgplxrkgga._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/230122-w12ccaaf5z/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Drops desktop.ini file(s)
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
3a7c29fd490703cc30e7474700e1fcb8d9380726c8386ccc14f0219c5e0d3d33
MD5 hash:
7064499eb99e0abf26fa3b472cd52609
SHA1 hash:
6320abff8279e1b419fd61a13aa4715a3c6f346a
Link:
https://www.unpac.me/results/117d5951-5512-4d61-be46-c66e54ec7588/
SH256 hash:
e498a952250627af7084f9d0c87d068f05ae203fd46d292132709704614c9211
MD5 hash:
42a7daddc8a47f25a8a27603e398c34b
SHA1 hash:
8d5a144f0efa1ae72d4c1ec6b67cf9d8f883bde5
Link:
https://www.unpac.me/results/117d5951-5512-4d61-be46-c66e54ec7588/
SH256 hash:
420148025ec21333fa89a72ee35309621aa1e7248d08d51e4384d267aef1518c
MD5 hash:
6a78a6557842e4631453f6f561ffccd3
SHA1 hash:
d0c4b80aad82b4c13c58ce5d5edeeabb811c90c2
Link:
https://www.unpac.me/results/117d5951-5512-4d61-be46-c66e54ec7588/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/420148025ec2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/420148025ec21333fa89a72ee35309621aa1e7248d08d51e4384d267aef1518c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 420148025ec21333fa89a72ee35309621aa1e7248d08d51e4384d267aef1518c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2515360/
Cape
Cape
https://www.capesandbox.com/analysis/355681/

Comments


Avatar
zbet commented on 2023-01-22 18:23:54 UTC

url : hxxp://149.3.170.202/romas.exe